If a user is a member of this group or project and also of one or more ancestor groups, only its membership with the highest access_level is returned. (Improved in GitLab 13.11.) This represents the effective permission of the user.
GET /groups/:id/members/all
The group members obtained from the above interface contain the maximum permissions of the members of the invited group. If a group contains an invited group, the exact permissions of the direct members and members inheriting from the parent group cannot be known from the api
how can i do it?
just get including inherited members, invited user
Related
I am running a gitlab-ce instance where we solve access level on group level by sharing groups with user groups. An example:
There is a group products with a couple of projects in there. No user is directly added as member to that group. There is another group called developers. Product developers are added to developers with maintainer access.
The group products is shared with developers with a maximum role of maintainer.
With that I would assume, that I can transfer a project that I am owner of to group products. However, the list of groups I can transfer my project to only contains groups where I am a direct member with the maintainer role.
TLDR:
Group products is shared with group developers with max role maintainer
User Bob is member of developers with the maintainer role
Bob is owner of project bobs_project
Bob cannot transfer bobs_project to products (but he could transfer it to developers)
From my understanding of the relevant documentation Bob should have the same rights in products as someone directly added as maintainer to products. However, that seems not to be the case.
Am I missing something?
A few points from the documentation you reference might be relevant in your setup:
When transferring groups, note:
You can only transfer groups to groups you manage.
Only explicit group membership is transferred, not inherited membership. If the group’s owners have only inherited membership, this leaves the group without an owner. In this case, the user transferring the group becomes the group’s owner.
Here, Bob has inherited rights in products, not direct rights. That might explain why the group is not listed.
We invite Azure B2B guest users to our AD in order for them to access a web application. Part of this process also adds them as members of a specific security group.
What I have noticed is that a B2B user can log in - (https://account.activedirectory.windowsazure.com) - and is able to see the other members of the group that they are members of.
Given that this information contains customer email addresses then it presents issues relating to GDPR.
The AD Administration Portal user settings are set to "restrict access to Azure AD admin portal"
Any ideas how we could restrict B2B users from being able to enumerate group membership in this manner ?
Let me list some facts
The below part is a manual step that is not related to adding B2B guest user
Part of this process also adds them as members of a specific security group.
When you create a security group, all members can see the list of available information of other members
As guest users on Azure are identified using their email, the email addresses of all members of a security group will be visible to other group members
The workaround for this is to create separate a security group for each domain (i.e each company or each group of users who have the same #xxxx.com at their email). Then gather all those groups in a single parent security group and assign access to that parent group
This way, all guest users will have the same resource access but each group will be able to see only information about members on their same subgroup
I'm using Azure ActiveDirectory Graph API. I can list members(users,contacts,other groups) of a group. I noticed, when I add in office.outlook.com a contact (not personal, organizational contact) to a group, it will be a guest user (add a user, it will be a user ofc). When I list members of a group, I get a list of user objects. I got the guest users and the normal users too. I didn't find any solution for that, to list only the contacts (guest users) from a group. My question is, is this possible?
I use this in my code:
https://graph.windows.net/myorganization/groups/{object_id}/members?api-version
If you check the response , you will find userType property in Microsoft.DirectoryServices.User . userType is a string value that can be used to classify user types in your directory, such as "Member" and "Guest".
Unfortunately a service-side filter for this is not currently possible (filtering on the target of a navigation collection - for type and/or any property including extension properties). See this thread . And you could vote for this feature.
Currently you will need to get all members and then filter on the client side , find the guest users that userType value equals Guest .
Is there a call to graph API that returns to me all members of a group - including the users of nested groups?
To get all direct members for a group, there is GetGroupMembers
To get all groups for a user transitively, I have found getMemberGroups
But I didn't find anything to get a list of all members, including subgroups (as in "if I send an email to group xyz, which users will receive it?").
Is there no such function available or did I overlook something?
A user is added to 2 different groups. 1 group is provided author access and another group is provided with editor access. First group has user role 'A' and second group has user role ' A,B'. What is the access and role the user would have?
The user would have the highest access level of all groups (in this case editor access) and all roles assigned to groups (in this case A and B) in database's ACL.
There is only one exception: if the user is listed with his own name in ACL then only these rights the user would have, no matter which listed groups he's member of.
The access levels are combined. However, Deny access takes precedence over Allow access.
See the docs for more info: http://www-12.lotus.com/ldd/doc/domino_notes/7.0/help7_admin.nsf/b3266a3c17f9bb7085256b870069c0a9/52f8492cea3792698525706f0065c44b?OpenDocument
Also, as the doc states it is helpful to use the Effective access feature within the ACL dialog to see exactly what the user access is.