SAML Group Sync retain default membership
What does this MR do and why?
Related to #351955 (closed)
Previously the user would only be added at the default membership level on first sign-in. Once a user was a member, their access level/role was no longer updated. An admin could manually change the access level and GitLab would not override that. If group sync was enabled and group links were present at the top level and the user was not a member of the linked groups they would be completely removed from the top-level group after the sync. This meant the user lost access to the entire hierarchy. We considered this to be by design and instructed organizations to ensure top-level group links encompassed all users. But this was surprising behavior for many and caused lots of confusion and support requests.
Now, if group links are present at the top level and the user is not a member of the linked groups, we will set the user back to the default membership level rather than removing them. It's important to note that unlike when sync is not enabled, an admin cannot manually adjust a user's access level with sync enabled. The sync will always set it back to the default level whenever group links are present.
Note: This is only applicable to SaaS so that's why I built it into the worker rather than the sync service, which is also used for self-managed.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
I have evaluated the MR acceptance checklist for this MR.