doc/administration/settings/account_and_limit_settings.md
{{< details >}}
{{< /details >}}
GitLab administrators can configure project and account limits on their instance, like:
You can configure the default maximum number of projects new users can create in their personal namespace. This limit affects only new user accounts created after you change the setting. This setting is not retroactive for existing users, but you can separately edit the project limits for existing users.
To configure the maximum number of projects in personal namespaces for new users:
If you set Default projects limit to 0, users are not allowed to create projects in their user's personal namespace. However, projects can still be created in a group.
You can edit a specific user, and change the maximum number of projects this user can create in their personal namespace:
The maximum file size for attachments in GitLab comments and replies is 100 MB. To change the maximum attachment size:
If you choose a size larger than the configured value for the web server, you may receive errors. For more information, see the troubleshooting section.
For GitLab.com repository size limits, see accounts and limit settings.
You can change the maximum push size for your instance:
For GitLab.com push size limits, see accounts and limit settings.
[!note] When you add files to a repository through the web UI, the maximum attachment size is the limiting factor. This happens because the web server must receive the file before GitLab can generate the commit. Use Git LFS to add large files to a repository. This setting does not apply when pushing Git LFS objects.
{{< details >}}
{{< /details >}}
Repositories in your GitLab instance can grow quickly, especially if you are using LFS. Their size can grow exponentially, rapidly consuming available storage. To prevent this from happening, you can set a hard limit for your repositories' size. This limit can be set globally, per group, or per project, with per project limits taking the highest priority.
The repository size limit applies to both private and public projects. It includes repository files and Git LFS objects (even when stored in external object storage), but does not include:
Numerous use cases exist where you might set up a limit for repository size. For instance, consider the following workflow:
On GitLab Self-Managed and GitLab Dedicated, only a GitLab administrator can set those limits. Setting the limit to 0 means
there are no restrictions. For GitLab.com repository size limits, see
accounts and limit settings.
These settings can be found in:
The first push of a new project, including LFS objects, is checked for size. If the sum of their sizes exceeds the maximum allowed repository size, the push is rejected.
To determine if a project is nearing its configured repository size limit:
You can also use the Projects API to retrieve repository statistics.
To reduce repository size, see methods to reduce repository size.
You can change how long users can remain signed in without activity.
[!warning] Setting Session duration (minutes) to
0breaks your GitLab instance. For more information, see issue 19469.
[!note] For GitLab Dedicated, submit a support ticket to request a restart of your instance.
If the Remember me option is enabled, users' sessions can remain active for an indefinite period of time.
For details, see cookies used for sign-in.
{{< history >}}
session_expire_from_init. Enabled by default.session_expire_from_init removed.{{< /history >}}
By default, sessions expire a set amount of time after the session becomes inactive. Instead, you can configure sessions to expire a set amount of time after the session is created.
When the session duration is met, the session ends and the user is signed out even if:
After a session ends, a window prompts the user to sign in again.
{{< history >}}
{{< /history >}}
Users can select the Remember me checkbox on sign-in. Their session remains active for an indefinite period of time when accessed from that specific browser. Turn off this setting to expire sessions for security or compliance purposes. Turning off this setting ensures users' sessions expire after the number of minutes of inactivity set when you customize your session duration.
{{< details >}}
{{< /details >}}
<!-- The history line is too old, but must remain until `feature_flags/development/two_factor_for_cli.yml` is removed -->{{< history >}}
two_factor_for_cli. Disabled by default. This feature flag also affects 2FA for Git over SSH operations.{{< /history >}}
[!flag] The availability of this feature is controlled by a feature flag. For more information, see the history. This feature is not ready for production use.
GitLab administrators can choose to customize the session duration (in minutes) for Git operations when 2FA is enabled. The default is 15 and this can be set to a value between 1 and 10080.
To set a limit on how long these sessions are valid:
{{< details >}}
{{< /details >}}
{{< history >}}
allow_top_level_group_owners_to_create_service_accounts for GitLab Self-Managed. Disabled by default.allow_top_level_group_owners_to_create_service_accounts removed.{{< /history >}}
By default, only administrators can create service accounts. You can configure GitLab to also allow top-level group Owners to create service accounts.
Prerequisites:
To allow top-level group Owners to create service accounts:
{{< details >}}
{{< /details >}}
{{< history >}}
{{< /history >}}
Prerequisites:
You can require all new access tokens to have an expiration date. This setting is turned on by default and applies to:
For personal access tokens for service accounts, use the service_access_tokens_expiration_enforced
setting in the Application settings API.
To require expiration dates for new access tokens:
When you require expiration dates for new access tokens:
{{< details >}}
{{< /details >}}
By default, GitLab deletes group and project access tokens and their token family 30 days after the last active token in the token family becomes inactive. This deletion removes all tokens in the token family, the associated bot user, and moves any bot contributions to a ghost user.
Prerequisites:
To modify the retention period for inactive tokens:
You can also use the application settings API to modify the inactive_resource_access_tokens_delete_after_days attribute.
You can specify a prefix for personal access tokens. Benefits of using a custom prefix include:
The default prefix for personal access tokens is glpat- but administrators can change it.
Project access tokens and
group access tokens also inherit this prefix.
[!warning] By default, client-side secret detection, secret push protection, and pipeline secret detection do not detect tokens that have a custom prefix. This might result in an increase in false negatives. However, you can customize pipeline secret detection to detect these tokens.
To change the default global prefix:
You can also configure the prefix by using the settings API.
{{< history >}}
custom_prefix_for_all_token_types. Disabled by default.{{< /history >}}
[!flag] The availability of this feature is controlled by a feature flag. For more information, see the history. This feature is available for testing, but not ready for production use.
You can set a custom prefix that is prepended to all tokens generated on your instance. Benefits of using a custom prefix include:
[!warning] By default, client-side secret detection, secret push protection, and pipeline secret detection do not detect tokens that have a custom prefix. This might result in an increase in false negatives. However, you can customize pipeline secret detection to detect these tokens.
Custom token prefixes apply only to the following tokens:
Prerequisites:
To set a custom token prefix:
{{< details >}}
{{< /details >}}
{{< history >}}
buffered_token_expiration_limit. Disabled by default.{{< /history >}}
[!flag] The availability of the extended maximum allowable lifetime limit is controlled by a feature flag. For more information, see the history. The feature flag is not available on GitLab Dedicated.
Users can optionally specify a maximum lifetime in days for access tokens, this includes personal, group, and project access tokens. This lifetime is not a requirement, and can be set to any value greater than 0 and less than or equal to:
buffered_token_expiration_limit feature flag.
This extended limit is not available on GitLab Dedicated.If this setting is left blank, the default allowable lifetime of access tokens is:
buffered_token_expiration_limit feature flag.
This extended limit is not available on GitLab Dedicated.Access tokens are the only tokens needed for programmatic access to GitLab. However, organizations with security requirements may want to enforce more protection by requiring the regular rotation of these tokens.
Only a GitLab administrator can set a lifetime. Leaving it empty means there are no restrictions.
To set a lifetime on how long access tokens are valid:
After a lifetime for access tokens is set, GitLab:
{{< details >}}
{{< /details >}}
Users can optionally specify a lifetime for SSH keys. This lifetime is not a requirement, and can be set to any arbitrary number of days.
SSH keys are user credentials to access GitLab. However, organizations with security requirements may want to enforce more protection by requiring the regular rotation of these keys.
Only a GitLab administrator can set a lifetime. Leaving it empty means there are no restrictions.
To set a lifetime on how long SSH keys are valid:
After a lifetime for SSH keys is set, GitLab:
buffered_token_expiration_limit feature flag.
This extended limit is not available on GitLab Dedicated.[!note] When a user's SSH key becomes invalid they can delete and re-add the same key again.
{{< details >}}
{{< /details >}}
Prerequisites:
The User OAuth applications setting controls whether users can register applications to use GitLab as an OAuth provider. This setting affects OAuth applications owned by users, but does not affect OAuth applications owned by groups.
To turn the User OAuth applications setting on or off:
{{< details >}}
{{< /details >}}
{{< history >}}
{{< /history >}}
Prerequisites:
The OAuth authorizations setting controls whether users can use the OAuth resource owner password credentials flow to authorize themselves without client credentials.
To turn this setting on or off:
{{< details >}}
{{< /details >}}
To maintain integrity of user details in audit events, GitLab administrators can prevent users from changing their profile name.
To do this:
When selected, GitLab administrators can still update usernames in the Admin area or the API.
{{< details >}}
{{< /details >}}
{{< history >}}
ui_for_organizations. Disabled by default.{{< /history >}}
[!flag] On GitLab Self-Managed, by default this feature is not available. To make it available, an administrator can enable the feature flag named
ui_for_organizations. On GitLab.com and GitLab Dedicated, this feature is not available. This feature is not ready for production use.
By default, users can create organizations. GitLab administrators can prevent users from creating organizations.
By default, new users can create top-level groups. GitLab administrators can prevent new users from creating top-level groups:
[!note] This setting applies only to users added after you turn off the setting. Existing users can still create top-level groups.
{{< history >}}
{{< /history >}}
By default, users with the Guest role can create projects and groups. GitLab administrators can prevent this behavior:
{{< details >}}
{{< /details >}}
{{< history >}}
disallow_private_profiles. Disabled by default.disallow_private_profiles removed.{{< /history >}}
By default, users can make their profiles private. GitLab administrators can disable this setting to require all user profiles to be public. This setting does not affect internal users (sometimes referred to as "bots").
To prevent users from making their profiles private:
When you turn off this setting:
When you re-enable this setting, the user's previously set profile visibility is selected.
By default, newly created users have a public profile. GitLab administrators can set new users to have a private profile by default:
[!note] If Allow users to make their profiles private is disabled, this setting is also disabled.
{{< details >}}
{{< /details >}}
{{< history >}}
deleting_account_disabled_for_users. Enabled by default.{{< /history >}}
By default, users can delete their own accounts. GitLab administrators can prevent users from deleting their own accounts:
{{< details >}}
{{< /details >}}
When attaching a file to a comment or reply in GitLab, the max attachment size is probably larger than the web server's allowed value.
To increase the max attachment size to 200 MB in a Linux package install:
Add this line to /etc/gitlab/gitlab.rb:
nginx['client_max_body_size'] = "200m"
Increase the max attachment size.
If you receive intermittent push errors in your Rails exceptions log, like this:
Your push to this repository cannot be completed because this repository has exceeded the allocated storage for your project.
Housekeeping tasks may be causing your repository size to grow. To resolve this problem, either of these options helps in the short- to middle-term: