Security: LDAP group access is converted to local user access on import
Feature Proposal to change how group membership is dealt with in project export/import
From customer ticket --> https://gitlab.zendesk.com/agent/tickets/168412 (internal use only)
As per the notes here[0]:

> Group members are exported as project members, as long as the user has maintainer or admin access to the group where the exported project lives.

While I think this can already be considered a security issue for local permissions, as where a user's access is configured changes, at least it's for a user-based system, i.e. user X has permissions on project/group Y.

This also happens for users coming from LDAP, which is a group-based access level, i.e. (LDAP) group X has permissions on (GitLab) group Y. After im-/export this is changed to the formerly described setup, i.e. user-based access, local to GitLab. Changing a user's (LDAP) group (for example because they move department) no longer affects their permissions.

This is a security issue because it changes both what/who has access (i.e. group -> individual), but also where access is managed (LDAP -> GitLab project). An im-/export should never affect where permissions are managed and certainly not who/what is given access.

Proposal: I would say that in principle groups shouldn't be converted to their individuals. That leaves you with the option of either ex-/importing the LDAP group sync config, or simply skipping users which have access by means of the (LDAP) group sync.
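As an added illustration of the second option (skipping members whose access only comes from LDAP group sync), not code from GitLab itself: the member list, group link and directory structures below are constructed for the example and do not follow GitLab's real export schema.

```python
"""Audit an exported project's member list and skip members whose access only
came from an LDAP group link on the parent group. All data below is constructed
for this example; none of it is GitLab's real export or API format."""

# LDAP directory membership: LDAP group DN -> set of usernames (constructed).
LDAP_DIRECTORY = {"cn=gitlab-devs": {"bob", "carol"}}

# Parent GitLab group: its LDAP group links and its direct (non-LDAP) members.
# Access levels: 20 = Reporter, 30 = Developer, 40 = Maintainer.
PARENT_GROUP = {
    "ldap_links": [{"cn": "cn=gitlab-devs", "access_level": 30}],
    "direct_members": {"alice": 40, "carol": 20},
}

# Member list as it appears in the export: every group member has been
# flattened to a project member, so bob and carol now look like users who
# were granted access individually.
EXPORTED_MEMBERS = [
    {"user": "alice", "access_level": 40},
    {"user": "bob", "access_level": 30},
    {"user": "carol", "access_level": 30},
    {"user": "dave", "access_level": 30},  # genuine project-level member
]


def ldap_derived_access(group, directory):
    """Return {username: access_level} granted purely through LDAP group links."""
    derived = {}
    for link in group["ldap_links"]:
        for user in directory.get(link["cn"], set()):
            derived[user] = max(derived.get(user, 0), link["access_level"])
    return derived


def filter_import_members(exported, group, directory):
    """Split exported members into (keep, skipped).

    A member is skipped when their access is explained entirely by an LDAP
    group link, so LDAP stays the place where that access is managed. A user
    who also holds direct group access keeps only the direct level, so the
    import never silently raises it to the LDAP-derived level."""
    derived = ldap_derived_access(group, directory)
    direct = group["direct_members"]
    keep, skipped = [], []
    for m in exported:
        user = m["user"]
        if user in derived and user not in direct:
            skipped.append({**m, "reason": "ldap_group_sync"})
        elif user in direct:
            keep.append({"user": user, "access_level": direct[user]})
        else:
            keep.append(dict(m))  # project-level member, unrelated to the group
    return keep, skipped
```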
[0] https://docs.gitlab.com/ee/user/project/settings/import_export.html#important-notes