User permissions
Setting appropriate user permissions is a critical task to ensuring that your Namespace is compliant with AC-6: Least Privilege.
Workshop utilizes GitLab roles and permissions and gives two complimentary methods to assign users to roles, and roles to groups and projects.
All user permission settings should be done with your Config project to ensure you have an auditable record of permission changes and an easy way to revoke access when appropriate.
- User permissions guide: How to apply these concepts within Workshop
Namespace and subgroup roles
The default way to set user roles is by adding users to the appropriate role groups that are attached to the Namespace and to each subgroup.
These roles apply to the group they are set on, as well as any projects contained in that group, as well as any subgroups.
User permissions flow down the subgroup hierarchy, and can only be increased the further down you go.
For example, a user with Maintainer access to the Namespace can be granted Owner of a subgroup, and they'll have all of the permissions of the owner for that subgroup and any projects in it. However, if they are granted Developer of a subgroup, they will still have Maintainer access, because their Namespace role is applied to the subgroup as well.
Team membership
Sometimes it can be useful to group users in teams without necessarily giving them access to any projects. This is especially useful in cases where:
- there are projects that require cross-team collaboration, or would benefit from making it easy to request Merge Request reviews from other teams
- there is at least one subgroup with sensitive content so it is inappropriate to have many users with permissions on the entire Namespace
Teams can then be assigned roles in projects and groups. Just like with direct membership, assigning a team to a subgroup grants permissions to any projects and subgroups contained within the subgroup they were assigned to.