Changes for SAML group lock self-managed
What does this MR do and why?
Solves https://gitlab.com/gitlab-org/gitlab/-/issues/38639 for self-managed GitLab.

With this change we have introduced policy changes to disallow any group members other than an Admin or the group owners from adding new members to a group, in case it is a subgroup of a group that has SAML Group Links configured.

Project policy changes have also been made: users are not allowed to share a project with other groups or invite members to a project created in such a group in case the SAML Group Lock setting is configured.
Screenshots or screen recordings
A new option, `Lock memberships to SAML synchronization`, is added in Admin > Settings > General > Visibility and access controls.
How to set up and validate locally
- Log in to the application as the `root` user.
- Enable SSO and enter some `SAML Group Links` for a group. I did this for the `Twitter` group in my GDK setup.
- Create a new group and assign the group one more user with role `owner`. Transfer this group as a child group of the group you set up in step 2; in my case a child group of the `Twitter` group.
- Add a project to the `child group` or the `Top level group`.
- Go to Admin > Settings > General > Visibility and access controls and enable the setting `Lock memberships to SAML synchronization`.
- Observe that, when you log in to the application as the owner of the child group, you cannot `Invite Members` to the group.
- Observe that, when you log in as the `root` user or as an admin of the parent group, you can `Invite Members` to the group.
- Observe that you cannot `Invite Members` to the project created in step 4.
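The policy described above (and exercised by the validation steps) can be summarised as a small decision function. The following is an added illustration, not GitLab's implementation: the `Group`, `User`, `Settings` types and the `member_invite_allowed?` helper are hypothetical names, and the `Twitter` / child-group fixtures are constructed to mirror the scenario in the steps.

```ruby
# Added illustration of the "Lock memberships to SAML synchronization" policy.
# Not GitLab code: Group, User, Settings and member_invite_allowed? are
# hypothetical names chosen for this example.

Group = Struct.new(:name, :parent, :saml_group_links, keyword_init: true) do
  # Walk up the hierarchy to the top-level group (the one without a parent).
  def root
    parent ? parent.root : self
  end

  # SAML group links live on the top-level group, so the lock applies to every
  # subgroup (and every project) underneath it. Returns that group or nil.
  def saml_locked_root
    r = root
    r.saml_group_links.empty? ? nil : r
  end
end

User = Struct.new(:name, :admin, :owner_of, keyword_init: true) do
  def owner_of?(group)
    owner_of.include?(group)
  end
end

# Models the instance-wide admin setting added by this MR.
class Settings
  attr_reader :lock_memberships_to_saml

  def initialize(lock: false)
    @lock_memberships_to_saml = lock
  end
end

# Decide whether `user` may invite members to `group` (or to a project whose
# namespace is `group`). Returns [allowed, reason] so callers can see which
# rule fired.
def member_invite_allowed?(user:, group:, settings:)
  return [true, :instance_admin] if user.admin

  saml_root = group.saml_locked_root
  # Without the lock setting, or without SAML group links on the top-level
  # group, ordinary membership rules apply and an owner may invite.
  return [true, :not_locked] unless settings.lock_memberships_to_saml && saml_root

  # Only owners of the SAML-linked top-level group keep the ability; owners of
  # a subgroup do not, because membership is meant to come from SAML sync.
  return [true, :saml_group_owner] if user.owner_of?(saml_root)

  [false, :locked_to_saml_sync]
end

# Constructed fixtures mirroring the validation steps: a top-level group with a
# SAML group link, a child group owned by a second user, and an admin.
def lock_demo
  twitter = Group.new(name: "Twitter", parent: nil, saml_group_links: ["saml-devs"])
  child   = Group.new(name: "child", parent: twitter, saml_group_links: [])
  child_owner  = User.new(name: "alice", admin: false, owner_of: [child])
  parent_owner = User.new(name: "bob", admin: false, owner_of: [twitter])
  root_user    = User.new(name: "root", admin: true, owner_of: [])
  locked   = Settings.new(lock: true)
  unlocked = Settings.new(lock: false)

  {
    child_owner_locked:   member_invite_allowed?(user: child_owner, group: child, settings: locked),
    child_owner_unlocked: member_invite_allowed?(user: child_owner, group: child, settings: unlocked),
    parent_owner_locked:  member_invite_allowed?(user: parent_owner, group: child, settings: locked),
    root_locked:          member_invite_allowed?(user: root_user, group: child, settings: locked),
  }
end

lock_demo.each { |scenario, (allowed, reason)| puts "#{scenario}: #{allowed} (#{reason})" } if $PROGRAM_NAME == __FILE__
```

The important detail the steps rely on is that the lock is evaluated against the top-level group that carries the SAML links, not the group being edited: an owner of the child group is denied, while an owner of the linked parent group and an instance admin are still allowed.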
Screenshot: the `Invite Members` button is visible when the setting is not enabled.

Screenshot: the `Invite Members` button is removed when the setting is enabled.