Best way to organize students groups and to automate

vdahelmo · September 12, 2023, 8:00pm

Hi all

We are in the process of setting up GitLab.com for our institution, which consists of students and teachers. We would like each student to have their own group in which they can create projects related to their various courses. By default, they should be the only ones to have access, in addition to the teachers. We had thought of the following structure under our main group.

A group named ‘Students’ where all the teachers are members.
Under this group, a group for each section (computer science, cyber security, engineering, …).
And finally, a group for each student in each section.

We have implemented SAML authentication, and we would like to create all the groups and assign the students via the API.

Is it possible ? Is it possible to add users in a group if they do not yet connect on gitlab ?
Is it a structure that you would recommend ?

Any feedback or advice would be nice

Thanks a lot !

erudinsky1 · September 13, 2023, 9:19am

Hi @vdahelmo

You didn’t explicitly mentioned what IDP is in use, but you may want to explore SCIM and see if it fits your requirements. For instance in Azure AD (if SAML implementation is used) there SCIM available for users provisioning in service provider (GitLab) out of the box.

As for the structure, keep in mind inheritance of user / bot / token access level, settings and various other features (i.e. compliance frameworks). You may want to split up institution into several OUs with predefined settings and memberships. You can control membership based on groups in your IDP and map those via SAML groups Sync to specific GitLab group.

For automation of groups and projects provisioning there are various ways (check for instance group API). There is also terraform provider.