Draft: SAML Group Lock settings for Self Managed
What does this MR do and why?
Solves #386390 (closed)
With this change I have introduced policy changes to disallow any group members other than Admin or top-level group owners from adding new members to a group in case it's a subgroup of a group that has SAML Group Links configured.
Changes have also been made to the project policy, where users are not allowed to share a project with other groups or invite members to a project created in a group.
Screenshots
A new option for Lock Memberships for SAML Synchronization is added in Group > Settings > General > Permissions and group features.
Steps to Verify
- Log in to the application as the root user.
- Enable SSO and enter some SAML Group Links for a group. I did this for the Twitter group in my gdk setup.
- Create a new group and assign the group one more owner. Transfer this group as a child group of the group you set up in step 2; in my case, a child group of the Twitter group.
- Go to menu Group > Settings > Permissions and group features and enable the setting Lock Memberships to SAML Synchronization.
- Observe that when you log in to the application as the owner of the child group, you cannot Invite Members to the group.
- Observe that when you log in to the application as the root user or owner of the parent group, you can invite members to the group.
Screenshot for Invite Members button being visible in case setting is not enabled
Screenshot for Invite Members button being removed in case setting is enabled
Edited by Smriti Garg