doc/administration/moderate_users.md
{{< details >}}
{{< /details >}}
If you are an instance administrator, you have several options to moderate and control user access.
[!note] This topic is specifically related to user moderation in GitLab Self-Managed. For information related to groups, see the group documentation.
To view all the users in your instance:
Select a user to view their account information.
{{< history >}}
{{< /history >}}
Established GitLab instances can often have large numbers of human and bot users. You can filter the list of users to display only human or bot users.
To view users by type:
You can view and update the billable users in your instance through the Rails console.
To get a list of daily and historical billable users in your GitLab instance:
Count the number of users in the instance:
User.billable.count
Get the historical maximum number of users on the instance from the past year:
::HistoricalData.max_historical_user_count(from: 1.year.ago.beginning_of_day, to: Time.current.end_of_day)
To trigger a manual update of the daily and historical billable users in your GitLab instance:
Force an update of the daily billable users:
identifier = Analytics::UsageTrends::Measurement.identifiers[:billable_users]
::Analytics::UsageTrends::CounterJobWorker.new.perform(identifier, User.minimum(:id), User.maximum(:id), Time.zone.now)
Force an update of the historical max billable users:
::HistoricalDataWorker.new.perform
A user in a pending approval state requires action by an administrator. A user sign up can be in a pending approval state because an administrator has enabled any of the following options:
When a user registers for an account while this setting is enabled:
A user pending approval:
An administrator must approve their sign up to allow them to sign in.
{{< history >}}
{{< /history >}}
To view user sign ups pending approval:
{{< history >}}
{{< /history >}}
A user sign up pending approval can be approved or rejected from the Admin area.
To approve or reject a user sign up:
Approving a user:
Rejecting a user:
If administrator approval for role promotions is turned on, membership requests that promote existing users into a billable role require administrator approval.
To view users pending role promotion:
A list of users with the highest role requested is displayed. You can Approve or Reject the requests.
GitLab administrators can block and unblock users. You should block a user when you don't want them to access the instance, but you want to retain their data.
A blocked user:
Prerequisites:
You can block a user's access to the instance.
To block a user:
To report abuse from other users, see report abuse. For more information on abuse reports in the Admin area, see resolving abuse reports.
{{< history >}}
{{< /history >}}
You can unblock a user so they regain access to the instance.
To unblock a user:
The user's state is set to active and they consume a seat.
[!note] Users can also be unblocked using the GitLab API.
The unblock option may be unavailable for LDAP users. To enable the unblock option, the LDAP identity first needs to be deleted:
GitLab administrators can deactivate and reactivate users. You should deactivate a user if they have no recent activity, and you do not want them to occupy a seat on the instance.
A deactivated user:
When you deactivate a user, their projects, groups, and history remain.
Prerequisites:
To deactivate a user:
The user receives an email notification that their account has been deactivated. After this email, they no longer receive notifications. For more information, see user deactivation emails.
To deactivate users with the GitLab API, see deactivate user. For information about permanent user restrictions, see block and unblock users.
To remove a user from a GitLab.com subscription, see Remove users from your subscription.
{{< history >}}
{{< /history >}}
Administrators can enable automatic deactivation of users who either:
To automatically deactivate dormant members:
When this feature is enabled, GitLab runs a daily job to deactivate the dormant users.
A maximum of 100,000 users can be deactivated per day.
By default, users receive an email notification when their account is deactivated. You can disable user deactivation emails.
[!note] GitLab generated bots are excluded from the automatic deactivation of dormant users.
{{< details >}}
{{< /details >}}
{{< history >}}
delete_unconfirmed_users_setting. Disabled by default.{{< /history >}}
Prerequisites:
You can enable automatic deletion of users who both:
You can configure these settings using either the Settings API or in a Rails console:
Gitlab::CurrentSettings.update(delete_unconfirmed_users: true)
Gitlab::CurrentSettings.update(unconfirmed_users_delete_after_days: 365)
When the delete_unconfirmed_users setting is enabled, GitLab runs a job once an hour to delete the unconfirmed users.
The job only deletes users who signed up more than unconfirmed_users_delete_after_days days in the past.
This job only runs when the email_confirmation_setting is set to soft or hard.
A maximum of 240,000 users can be deleted per day.
{{< history >}}
{{< /history >}}
To reactivate a user:
The user's state is set to active and they consume a seat.
[!note] A deactivated user can also reactivate their account themselves by logging back in through the UI. Users can also be reactivated using the GitLab API.
{{< history >}}
hide_merge_requests_from_banned_users. Disabled by default.hidden_notes. Disabled by default.hide_projects_of_banned_users. Disabled by default.hide_merge_requests_from_banned_users removed.{{< /history >}}
GitLab administrators can ban and unban users. You should ban a user when you want to block them and hide their activity from the instance.
A banned user:
You can ban a user to block them and hide their contributions.
To ban a user:
{{< history >}}
{{< /history >}}
To unban a user:
The user's state is set to active and they consume a seat.
To delete a user:
[!note] You can only delete a user if they are an inherited or direct owner of a group. You cannot delete a user if they are the only group owner.
{{< history >}}
{{< /history >}}
By default, users are not trusted and are blocked from creating issues, notes, and snippets considered to be spam. When you trust a user, they can create issues, notes, and snippets without being blocked.
To trust a user:
To untrust a user:
{{< details >}}
{{< /details >}}
When moderating users, you may need to perform bulk actions on them based on certain conditions. The following rails console scripts show some examples of this. You may start a rails console session and use scripts similar to the following:
Administrators can deactivate users that have no recent activity.
[!warning] Commands that change data can cause damage if not run correctly or under the right conditions. Always run commands in a test environment first and have a backup instance ready to restore.
days_inactive = 90
inactive_users = User.active.where("last_activity_on <= ?", days_inactive.days.ago)
inactive_users.each do |user|
puts "user '#{user.username}': #{user.last_activity_on}"
user.deactivate!
end
Administrators can block users that have no recent activity.
[!warning] Commands that change data can cause damage if not run correctly or under the right conditions. Always run commands in a test environment first and have a backup instance ready to restore.
days_inactive = 90
inactive_users = User.active.where("last_activity_on <= ?", days_inactive.days.ago)
inactive_users.each do |user|
puts "user '#{user.username}': #{user.last_activity_on}"
user.block!
end
Administrators can block or delete users that have no projects or groups.
[!warning] Commands that change data can cause damage if not run correctly or under the right conditions. Always run commands in a test environment first and have a backup instance ready to restore.
users = User.where('id NOT IN (select distinct(user_id) from project_authorizations)')
# How many users are removed?
users.count
# If that count looks sane:
# You can either block the users:
users.each { |user| user.blocked? ? nil : user.block! }
# Or you can delete them:
# need 'current user' (your user) for auditing purposes
current_user = User.find_by(username: '<your username>')
users.each do |user|
DeleteUserWorker.perform_async(current_user.id, user.id)
end