Hide a project/subgroup from inheritance

Hi,

We want to encapsulate everything we do on GitLab under one top-level group, however, we don’t want everyone in the group being able to access all subgroups, and especially all projects.

Is there a way to disable inheritance on a specific (or all) subgroups or their projects?

If so, how? Is it a paid feature? If so, what plan?

Thanks

While I could just add them to the relevant subgroup rather than the top-level group, this doesn’t exactly feel ‘right’ since there is one specific subgroup we want everyone to access as it contains internal resources for all of our team. However, if this is the only way to stop inheritance; please let me know.

With the way roles and permissions are currently implemented, I would say adding users to a specific subgroup is the way to go.

If you have a subgroup (or project) that you want all other groups to have, can you make it internal (all registered users can see)? If not, you can share the group with the other groups.

1 Like

Thanks! Is there any plan for a new permission system (possibly similar to GH, where you can add users to ‘teams’ and manage permissions using them)

Well you could do that with groups as that’s the purpose of the share with groups feature.

For example, you can have these groups:

  • TeamA. Add individual members to group and could have projects that only TeamA should have
  • TeamB. Same except with TeamB
  • GroupC that houses shared projects. In members, share with TeamA and TeamB (instead of individuals)

“Custom” roles (or more fine grained permissions) are being explored in 🔑 UX Work for Manage | Access: Permissions inheritance and policies exploration (&3762) · Epics · GitLab.org · GitLab

1 Like

I shared GroupC with my TeamA group, but for some reason anyone in TeamA was unable to, with the Guest permission, view the code on a project under GroupC. The members didn’t appear under the member list (whereas people from ancesting groups could), TeamA appeared under group membership on GroupC.

Is the project private? As per the permissions table, guests cannot view code unless the project is set to Internal or Public.

Individual members from the shared group will not show in the Members list, just the name of the group that’s been shared, so it sounds like it’s behaving correctly in that regards.