External users

{{< details >}}

• Tier: Free, Premium, Ultimate
• Offering: GitLab Self-Managed, GitLab Dedicated

{{< /details >}}

External users have limited access to internal or private groups and projects in the instance. Unlike regular users, external users must be explicitly added to a group or project. However, like regular users, external users are assigned a member role and gain all the associated permissions.

External users:

• Can access public groups, projects, and snippets.
• Can access internal or private groups and projects where they are members.
• Can create subgroups, projects, and snippets in any top-level groups where they are members.
• Cannot create groups, projects, or snippets in their personal namespace.

External users are commonly created when a user outside an organization needs access to only a specific project. When assigning a role to an external user, you should be aware of the project visibility and permissions associated with the role. For example, if an external user is assigned the Guest role for a private project, they cannot access the code.

[!note] An external user counts as a billable user and consumes a license seat.

If you created an external providers list, users who sign in with a listed provider are automatically marked as external.

Create an external user

Prerequisites:

• Administrator access.

To create a new external user:

1. In the upper-right corner, select Admin.
2. Select Overview > Users.
3. Select New user.
4. In the Account section, enter the required account information.
5. Optional. In the Access section, configure any project limits or user type settings.
6. Select the External checkbox.
7. Select Create user.

You can also create external users with:

• SAML groups.
• LDAP groups.
• The External providers list.
• The users API.

Make new users external by default

You can configure your instance to make all new users external by default. You can modify these user accounts later to remove the external designation.

When you configure this feature, you can also define a regular expression used to identify email addresses. New users with a matching email are excluded and not marked as an external user. This regular expression must:

• Use the Ruby format.
• Be convertible to JavaScript.
• Have the ignore case flag set (/regex pattern/i).

For example:

• \.int@example\.com$: Matches email addresses that end with [email protected].
• ^(?:(?!\.ext@example\.com).)*$\r?: Matches email address that don't include [email protected].

[!warning] Adding a regular expression can increase the risk of a regular expression denial of service (ReDoS) attack.

Prerequisites:

• You must be an administrator for the GitLab Self-Managed instance.

To make new users external by default:

1. In the upper-right corner, select Admin.
2. Select Settings > General.
3. Expand the Account and limit section.
4. Select the Make new users external by default checkbox.
5. Optional. In the Email exclusion pattern field, enter a regular expression.
6. Select Save changes.