Gitlab Users and Groups Management - gitlab

How can I restrict a GitLab project to one group, so that a new user or a user from another group cannot be added?
For example, two groups are created in GitLab: groupA and groupB.
When I am the owner of groupA for a project, I should not be able to add a user of groupB, and individual users should also be restricted.

Your requirement is not valid. One user belongs to 0, 1 or many group(s).
See the documentation: https://docs.gitlab.com/ee/user/group/

Related

Gitlab: Maintainer permissions when shared group with group not working as expected

I am running a gitlab-ce instance where we solve access level on group level by sharing groups with user groups. An example:
There is a group products with a couple of projects in there. No user is directly added as member to that group. There is another group called developers. Product developers are added to developers with maintainer access.
The group products is shared with developers with a maximum role of maintainer.
With that, I would assume that I can transfer a project that I am owner of to group products. However, the list of groups I can transfer my project to only contains groups where I am a direct member with the maintainer role.
TLDR:
Group products is shared with group developers with max role maintainer
User Bob is member of developers with the maintainer role
Bob is owner of project bobs_project
Bob cannot transfer bobs_project to products (but he could transfer it to developers)
From my understanding of the relevant documentation Bob should have the same rights in products as someone directly added as maintainer to products. However, that seems not to be the case.
Am I missing something?
A few points from the documentation you reference might be relevant in your setup:
When transferring groups, note:
You can only transfer groups to groups you manage.
Only explicit group membership is transferred, not inherited membership. If the group’s owners have only inherited membership, this leaves the group without an owner. In this case, the user transferring the group becomes the group’s owner.
Here, Bob has inherited rights in products, not direct rights. That might explain why the group is not listed.

Can you add a user to multiple groups in one login?

No. A user can only belong to one group max. In the UI you can only select one and via API you can only specify one group_id.
Yes. You can add a user to multiple groups at a time, provided your application separates your authorization logic.
For example, if you have 3 groups, i.e. Customer, Manager and Administrator, then the customer must have a different login interface where only customers can log in, the manager must have a different login interface where only managers can log in, and so on. This can be achieved, but it requires a lot of code-related tweaks.
But the recommended approach is to assign a user to one specific group and manage the permissions at group level.

Gitlab: add all users to all groups without changing permissions of existing users

In GitLab you can add all users to all groups with a simple command:
gitlab-rake gitlab:import:all_users_to_all_groups
After execution, the GitLab users become developers and GitLab administrators become owners of each group. If there were existing users in the group with different permissions, the permissions are discarded with this command.
The question is if there is a command to add all users to all groups where:
the command would add only the users who are not already in the group, or
the command would add all users but retain the existing permissions already attributed to the users in the groups
The question is if there is a command to add all users to all groups where...
All the user management functions are in lib/tasks/gitlab/bulk_add_permission.rake, including all_users_to_all_groups
You could modify that file and implement a function that would not just call group.add_users(user_ids, GroupMember::DEVELOPER) but check its rights first.
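The check this answer suggests, as an added sketch that is not GitLab's own code: plain-Ruby stand-ins model group membership, add only users who have no membership yet, and report the existing levels a blanket add would have overwritten. DemoUser, DemoGroup, plan_for and apply_plan! are hypothetical names and the sample data is constructed; the numeric values are GitLab's access levels.

```ruby
# GitLab access levels (Guest 10 ... Owner 50).
LEVELS = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

# Hypothetical stand-ins for user and group records (not GitLab models).
DemoUser  = Struct.new(:id, :name, :admin)
DemoGroup = Struct.new(:name, :members) # members: { user_id => access_level }

# Level the stock task assigns: Owner for admins, Developer for everyone else.
def default_level(user)
  user.admin ? LEVELS[:owner] : LEVELS[:developer]
end

# Dry run: decide what to do per user without writing anything.
#   :add  => users with no membership yet, at the default level
#   :kept => members whose current level differs from the default, i.e. the
#            rows a blanket add would have escalated or demoted
def plan_for(group, users)
  plan = { add: {}, kept: {} }
  users.each do |user|
    current = group.members[user.id]
    wanted  = default_level(user)
    if current.nil?
      plan[:add][user.id] = wanted
    elsif current != wanted
      plan[:kept][user.id] = { current: current, would_be: wanted }
    end
  end
  plan
end

# Apply only the additions; an existing membership is never rewritten.
def apply_plan!(group, plan)
  plan[:add].each { |id, level| group.members[id] ||= level }
  group
end

# Constructed sample data: one admin, three regular users.
USERS = [DemoUser.new(1, "root", true), DemoUser.new(2, "alice", false),
         DemoUser.new(3, "bob", false), DemoUser.new(4, "carol", false)].freeze

def demo
  # alice is a Guest and bob a Maintainer before the run.
  group = DemoGroup.new("products", { 2 => LEVELS[:guest], 3 => LEVELS[:maintainer] })
  plan = plan_for(group, USERS)
  apply_plan!(group, plan)
  [plan, group.members]
end

plan, members = demo
puts "added: #{plan[:add]}", "kept: #{plan[:kept]}", "final: #{members}"
```

The `:kept` list is worth reviewing before any bulk run: it shows exactly which memberships would have been raised (Guest to Developer) or lowered (Maintainer to Developer) by the unconditional add.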

when to create organisation and location organisation in liferay

I have a scenario with, say, 5 branches, for example Branch A, Branch B, Branch C, etc. All branches have different sets of users and different sets of data (in Liferay portlets). My requirement is that whenever a user from Branch A logs in, he should not be able to log in to another branch. In short, he should not have any permission to view or log in to Branch B (any branch other than his own).
All 5 branches have two sub-sites.
E.g. Branch A has sub-sites Site A1 and Site A2. Separate users are associated with the site.
My question is: what should I use to develop such a system?
As of now I have created one Organisation and created a Location sub-organisation.
How can I restrict a user to logging in to his own organisation and not anyone else's?
How can I restrict a user to viewing the contents of his own site and not another site?
Do I need to create User Groups?
Any Pointers would be helpful. Thanks in advance.
First of all: You don't need Locations. They're just like Organizations, but can't have any more suborganizations. This is a limitation that you don't need to impose on your branch offices. You can, but don't need to.
You always log in to your account, not into an organization. When there's content in an organization's site that must not be seen by non-members of that organization, just make the pages private - this restricts them to be seen only by members of the organization.
Membership of organizations is centralized anyways - thus nobody can become member of another organization without an administrator making the connection.
Whether you need user groups depends on what your overall structure is. If you interface with LDAP, I like to use user groups as the importing target for LDAP groups. If you don't, it still might make sense to group users into User Groups - just to keep an overview over the different memberships and permissions that you give. It's a lot easier if you restrict yourself to not grant any roles and permissions to individual users, only to User Groups - at least once you have a certain number of users.

Hierarchy of administrators in Liferay

What I need is:
Administrator-level-1 (Can edit all simple users and administrators of level 2 and 3)
Administrator-level-2 (Can edit all simple users and administrators of level 3)
Administrator-level-3 (even less permissions)
By saying edit I mean change password at least. Tried to experiment with roles, permissions, Organization hierarchy etc. Is this possible?
You could create an Organization for each level and then create a single Organization Role with the following permissions:
User / Update
Organization / Manage Users
Organization / View
Once that is done you assign the level admins to this role on the corresponding organizations.
