Fedora Design gitlab permissions

Hi all, because of the way the gitlab SAML authentication works, there are some questions that we need to resolve on how to grant access to the Fedora Design GitLab subgroup (Fedora Design · GitLab)

Basically the background here is that if you enable SAML enforcing, only users that have authenticated with their Fedora Account can contribute to the repos. However the side effect that is undesirable is that the repos are then hidden unless you have logged in with your Fedora Account (i.e. Private unless logged in).

To work around this, the Fedora gitlab instance has disabled SAML enforcing – but this means that someone without a Fedora Account can be granted commit access. We can, however, then enforce SAML group links – which means that only someone in a Fedora Accounts group is given a certain role in gitlab.

You can go super granular, but will need a Fedora Accounts group for each gitlab role. Over on Fedora Websites and Apps, the plan is to map:

  • the websites-apps Fedora Accounts group to the developer role in gitlab
  • the websites-apps-admins Fedora Accounts group to the admin role in gitlab

Long story short, what groups in Fedora Accounts should we link to what roles in the Fedora Design gitlab subgroup?

@ryanlerch the group / group-admins approach seems a good one to me for our team. Maybe use designteam membership as the developer role and a new designteam-admin as the admin role?

1 Like

Sounds good!

I’ll note too there are other roles like “Reporter” (less than Developer) and “Maintainer” (more than Developer but less than Admin) in gitlab, and if we decide to use them in the future, they can easily be added at a later date – although they require additional Fedora Accounts group(s) to be created.

I can also file the ticket to get the new designteam-admin group created. Is there anyone else other than yourself that you want as sponsor on that Fedora Accounts group?

Sorry for the churn here, but i was mistaken, there is no Admin role in gitlab, the main roles are:

Guest, Reporter, Developer, Maintainer, Owner.

We can keep the -admin naming for the Fedora Accounts group, and either assign those members to the Maintainer roie. Changing the mapping between the group and role is easy, changing the Fedora Accounts group name is not – so want to make sure we have it right

Hey Ryan - I think designteam-admin as a name is fine. It you want it to follow a format used by other FAS groups I think we’d be fine with that too. I’d have the admin group then map to GitLab’s Maintainer or Owner role. Do you know what the difference is between Maintainer and Owner?

I would want myself, Madeline (mpeck), Emma (ekidney), and Jess Chitas (jchitas) as admins - and everyone else in the current designteam FAS group who has sponsor privs. (I think mleonova, tatica, gnokii might be in that list too.)

Maintainer is pretty powerful, TBH. They can do most things apart from actually deleting things (Repos, Issues, etc)

Here is a breakdown of the permissions:


This should be set up and ready to go now.

  • All users that are members of the designteam group in Fedora Accounts will be granted access as a Developer on the Design GitLab group (and its repos)

  • All users that are members of the designteam-admin group in Fedora Accounts will be granted access as a Owner on the Design GitLab group (and its repos)

Note that for this to work, the user will need to link their Fedora Account with GitLab. To do this,

  1. first create or log into your GitLab Account
  2. Go to this link: https://gitlab.com/groups/fedora/-/saml/sso and log in with your Fedora Account and follow the prompts to link it to you GitLab Account.

@duffy currently you are the only member and sponsor of the designteam-admin group, but you can add new members whenever you want :slight_smile:

1 Like

Hey @ryanlerch - in the wake of these changes it seems I’m experiencing some GitLab issues with my account :frowning: I’m not yet aware of anyone else so I think it might be an issue with the designteam-admin group. I opened a ticket here: