- Source: GL_Group
- Destination: GL_Group, GL_Project

| Property | Type | Description |
|---|---|---|
| expires_at | datetime | When the invitation expires (empty if permanent) |
| role | string | Maximum access level granted to the invited group's members |

The traversable GL_InvitedTo edge represents a group sharing relationship — a group has been invited into another group or project, granting the invited group's members access to the target up to the specified role level. This is GitLab's mechanism for cross-namespace collaboration.

Combined with GL_HasRole and GL_HasBaseRole, GL_InvitedTo creates multi-hop attack paths: compromising one group can grant access to all groups and projects that group has been invited into. The effective role is the minimum of the user's role in the invited group and the role property on the invitation edge.

The corresponding GL_HasRole edges (GL_GroupRole → GL_GroupRole or GL_ProjectRole) map the invited group's role to the target scope.
```mermaid
graph LR
    contractors("fa:fa-user-group GL_Group contractors")
    targetGroup("fa:fa-user-group GL_Group myorg")
    targetProject("fa:fa-diagram-project GL_Project myorg/backend")
    contractors -->|GL_InvitedTo| targetGroup
    contractors -->|GL_InvitedTo| targetProject
```
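The effective-role rule described above, worked through for the `contractors` example as an added illustration (not code from this extension). The level numbers are GitLab's standard access levels; the spelling of the `role` string, the member names and the dates are assumptions constructed for the example.

```python
from datetime import datetime, timezone

# GitLab access levels; the string form stored on the edge is an assumption.
LEVELS = {"Guest": 10, "Reporter": 20, "Developer": 30, "Maintainer": 40, "Owner": 50}

# Constructed sample data (not from a real instance).
MEMBERS = {  # invited group -> {user: role held in that group}
    "contractors": {"alice": "Owner", "bob": "Developer"},
}
INVITES = [  # GL_InvitedTo edges: source group, target, role, expires_at
    {"src": "contractors", "dst": "myorg", "role": "Maintainer", "expires_at": ""},
    {"src": "contractors", "dst": "myorg/backend", "role": "Owner",
     "expires_at": "2024-01-31T00:00:00+00:00"},
]


def is_active(invite, now):
    """Empty expires_at means permanent; otherwise compare against now."""
    raw = invite["expires_at"]
    return not raw or datetime.fromisoformat(raw) > now


def effective_access(members, invites, now):
    """Return {(user, target): role} with role = min(member role, invitation role)."""
    result = {}
    for inv in invites:
        if not is_active(inv, now):
            continue
        for user, member_role in members.get(inv["src"], {}).items():
            role = min(member_role, inv["role"], key=LEVELS.__getitem__)
            key = (user, inv["dst"])
            # Keep the highest role if several invitations reach the same target.
            if key not in result or LEVELS[role] > LEVELS[result[key]]:
                result[key] = role
    return result


def risky_grants(access, threshold="Maintainer"):
    """Grants at or above threshold, for review by the target's owners."""
    return sorted(k for k, r in access.items() if LEVELS[r] >= LEVELS[threshold])


if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    access = effective_access(MEMBERS, INVITES, now)
    for (user, target), role in sorted(access.items()):
        print(f"{user} -> {target}: {role}")
    print("review:", risky_grants(access))
```

The invitation role caps `alice` at Maintainer on `myorg` even though she is Owner of `contractors`, and the expired project invitation contributes nothing once its `expires_at` has passed.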