- Source: GL_GroupRole, GL_ProjectRole
- Destination: GL_Group, GL_Project
The non-traversable GL_InviteGroups edge indicates that a role can share (invite) an external group into this group or project, granting all members of that external group access at a specified role level. Owner role always has this permission; Maintainer role has it for projects when the instance allows group sharing.
graph LR
attacker("fa:fa-user GL_User attacker")
ownerRole("fa:fa-user-tie GL_GroupRole mygroup/Owner")
group("fa:fa-user-group GL_Group myorg/backend-team")
attacker -->|GL_HasRole| ownerRole
ownerRole -.->|GL_InviteGroups| group