@@ -14,6 +14,54 @@ In general, we leave it to the managers of top-level groups to determine policy
...
@@ -14,6 +14,54 @@ In general, we leave it to the managers of top-level groups to determine policy
> UIS is "special" in this regard in that the people who own the top-level UIS group overlap with the admins of the site. Rather than having a UIS-specific support project, UIS members can also request groups under the UIS namespace by raising an issue in this project. As the service matures we hope to make UIS less "special". See also the [dedicated wiki page for UIS users](https://gitlab.developers.cam.ac.uk/uis/devops/devhub/docs/wikis/Information-for-UIS-users).
> UIS is "special" in this regard in that the people who own the top-level UIS group overlap with the admins of the site. Rather than having a UIS-specific support project, UIS members can also request groups under the UIS namespace by raising an issue in this project. As the service matures we hope to make UIS less "special". See also the [dedicated wiki page for UIS users](https://gitlab.developers.cam.ac.uk/uis/devops/devhub/docs/wikis/Information-for-UIS-users).
## How to control group access using UIS Lookup Groups
Access to a GitLab group is by default either via inheritence from parent groups or users
are added directly to the group.
If you want to control access to a group based on one or more UIS Lookup Groups, you can do this
by using GitLabs `SAML Group Links` feature.
> :warning: Using this feature will override existing group members and group member inheritence.
### How the integration works
When a user logs in via SAML, GitLab will check the SAML response for the groups the user is a
member of. If the user is a member of a group that is mapped to a GitLab group, the user will be
added as a member to the GitLab group.
### Finding the group from Lookup
Using the [University lookup service](https://www.lookup.cam.ac.uk/), find the group `ID` and
`Title`.
For example, the group `UIS Staff` has the `ID``103617` and `Title``UIS Staff`.
The `SAML Group Name` = `{ID}={Title}`:
-`103617=UIS Staff`
### Adding a SAML Group Link
1. Go to the group you want to control access to.
2. Click on `Settings` in the left hand menu.
3. From the `Settings` menu, click on `SAML Group Links`.
4. In the `SAML Group Name` add the name in the format `group_id=group_description` where
`group_id` is the group id from the UIS Lookup Groups service and `group_description` is a
description of the group. e.g. `103617=UIS Staff`
5. In the `Access Level` dropdown, select the access level you want to give to the group members.
6. Click `Save`.
### Issues and limitations
If a user signs in whilst being a member of a group that is mapped to a GitLab group, they will be
added to the group. If they're subsequently removed from the group, they will not be removed from
group until they sign out and back in again. This means that membership can effectively become
permanent, so be careful when using this feature.
> :warning: Using this feature will remove existing group members and group member inheritence when a user
logs in and isn't a member of the mapped SAML groups - see [Automatic member removal](https://gitlab.developers.cam.ac.uk/help/user/group/saml_sso/group_sync.md#automatic-member-removal).
## How can I get a "Robot" account?
## How can I get a "Robot" account?
A "robot" account is an account which is not directly associated with an individual. These accounts are often used to integrate Continuous Integration/Deployment solutions with your source control or to access the GitLab API to integrate with an external tool.
A "robot" account is an account which is not directly associated with an individual. These accounts are often used to integrate Continuous Integration/Deployment solutions with your source control or to access the GitLab API to integrate with an external tool.
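Review bot: In "Issues and limitations", the sentence "If they're subsequently removed from the group, they will not be removed from group until they sign out and back in again" uses "group" for both the Lookup group and the GitLab group, so the revocation behaviour, which is the security-relevant part of this section, is hard to follow. Suggest wording along the lines of "If they are later removed from the Lookup group, they keep their GitLab group membership until they next sign in via SAML", and say what a group owner should do when access has to be withdrawn promptly, since the text itself notes that membership "can effectively become permanent". The detailed warning that existing members and inherited membership are removed at login appears only after the "Adding a SAML Group Link" steps, while the first warning says only "override"; consider moving the detailed wording, with the "Automatic member removal" link, up to the first warning so it is read before step 6. Step 4 calls the second half of the name `group_description` and "a description of the group", but "Finding the group from Lookup" defines the name as `{ID}={Title}`; use one term and state whether it has to match the Lookup title exactly. Spelling: "inheritence" should be "inheritance" (three places) and "GitLabs" should be "GitLab's".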