Allow option to change permission levels of users when LDAP group sync is enabled
description
We want to allow people to change permission levels of individual members from synced LDAP groups in groups.
- The ability to do this has to be configurable on a global level (group level doesn't really make sense, because group members that can change permissions would also be able to change the setting).
- It should use a boolean on users to distinguish them between an LDAP synced user and an excepted one.
Mockups
Editing LDAP user
Drop down options w/ option to revert back to LDAP
After editing the permission, the user still has a label indicating they are still a part of the LDAP group
LDAP mobile view
Editing LDAP mobile view
original issue
We have two customers (large ones) with opposing views on LDAP group sync member management.
Initially, we allowed manual management of users when group sync was enabled. In 7.14 or 8.0 we changed this and now you cannot manage members when group sync is enabled. This was changed in https://dev.gitlab.org/gitlab/gitlab-ee/merge_requests/465 at the request of a customer in https://gitlab.zendesk.com/agent/tickets/2679
Now, the second customer recently upgraded from 7.x to 8.4 and is now struck by what appears to be a regression from their standpoint. https://gitlab.zendesk.com/agent/tickets/16312
I've also heard from several other customers/users that this feels a bit restrictive. From their perspective, it doesn't make sense to add another LDAP group just to promote one or a few members from developer to master/owner of a group. They would rather allow certain users to be an exception to the group sync.
I think we should add an option for this. I'm not sure whether it should be a global or group-level option, or both. I believe the customer in Zendesk issue 2679 was after a global 'lock' solution. However, group sync is enabled or disabled at the group level, so a global option may not be warranted.
To accomplish this we'll need the option, plus a new boolean on users (I think) to distinguish them between an LDAP synced user and an excepted one.
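
The design proposed in this issue (a global setting plus a per-member boolean that marks an exception to group sync), sketched in Ruby as an added illustration that is not GitLab's code. Every name (`Member`, `override`, `allow_overrides`, the three functions) is hypothetical, the access-level constants are constructed sample values, and the handling of a member who leaves the LDAP group or of the setting being switched off is an assumption the issue does not specify.

```ruby
# Added illustration: all names are hypothetical, not GitLab's schema or API.
Member = Struct.new(:username, :access_level, :override, keyword_init: true)

# Constructed sample access levels.
DEVELOPER = 30
MASTER = 40

# Manual change to an LDAP-synced member. Allowed only when the global
# setting is on, and recorded with the boolean so sync can tell an excepted
# member from a plain synced one.
def change_access(member, level, allow_overrides:)
  unless allow_overrides
    raise ArgumentError, "LDAP-synced members are locked by the global setting"
  end
  member.override = true
  member.access_level = level
  member
end

# "Revert back to LDAP": drop the exception; the next sync restores the level.
def revert_to_ldap(member)
  member.override = false
  member
end

# One sync pass over a group's LDAP-synced members.
# ldap_levels maps username => access level granted by the LDAP group link.
# Assumptions: a member who has left the LDAP group is removed even if
# overridden, and turning the global setting off makes LDAP authoritative again.
def sync_group(members, ldap_levels, allow_overrides:)
  members.each_with_object([]) do |m, kept|
    level = ldap_levels[m.username]
    next if level.nil?                 # no longer in the LDAP group
    unless m.override && allow_overrides
      m.access_level = level           # LDAP wins for non-excepted members
      m.override = false
    end
    kept << m
  end
end
```

Keeping the flag on the membership record means a promotion made by hand is always distinguishable from one granted by LDAP, which lets a later audit list every exception.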