doc/administration/settings/sign_up_restrictions.md
{{< details >}}
{{< /details >}}
You can enforce the following restrictions on new user accounts:
You must have administrator access.
By default, any user visiting your GitLab domain can create an account. For customers running public-facing GitLab instances, we highly recommend that you consider disabling new accounts if you do not expect public users to create accounts. For GitLab Dedicated, new account creation is prevented by default when your instance is provisioned.
To prevent new account creation:
You can also prevent new user accounts with the Rails console by running the following command:
::Gitlab::CurrentSettings.update!(signup_enabled: false)
This setting is enabled by default for new GitLab instances. When this setting is enabled, any user visiting your GitLab domain and signing up for a new account using the registration form must be explicitly approved by an administrator before they can start using their account. It is only applicable if user accounts are allowed.
To require administrator approval for new user accounts:
If an administrator disables this setting, the users in pending approval state are automatically approved in a background job.
[!note] This setting doesn't apply to LDAP or OmniAuth users. To enforce approvals for new users signing up using OmniAuth or LDAP, set
block_auto_created_userstotruein the OmniAuth configuration or LDAP configuration. A user cap can also be used to enforce approvals for new users.
{{< history >}}
{{< /history >}}
You can send confirmation emails upon account creation and require that users confirm their email address before they are allowed to sign in.
To enforce confirmation of the email address used for new accounts:
The following settings are available:
{{< details >}}
{{< /details >}}
{{< history >}}
{{< /history >}}
Use restricted access to prevent overage fees. Overage fees occur when you exceed the number of licensed users in your subscription, and must be paid at the next quarterly reconciliation.
When you turn on restricted access, instances cannot add new billable users when no licensed seats are left in the subscription.
[!note] If user cap is enabled for an instance or a group that has pending members, when you enable restricted access all pending members are automatically removed from the group.
Prerequisites:
To turn on restricted access:
When you turn on restricted access, the setting to prevent inviting groups outside the group hierarchy is automatically turned on. This setting prevents unexpectedly adding new billable users, which might result in overage fees.
You can still independently configure project sharing for the group and its subgroups as needed.
{{< history >}}
bso_minimal_access_fallback. Disabled by default.{{< /history >}}
When restricted access is enabled and no subscription seats are available, users provisioned through SAML, SCIM, or LDAP are assigned the Minimal Access role instead of their configured access level. This behavior ensures that synchronization can continue without consuming billable seats on GitLab.com and GitLab Self-Managed Ultimate.
Users with the Minimal Access role can authenticate and access the group, but have limited permissions. When seats become available, the users can be promoted to their intended access level. Existing users with billable roles are not affected by this behavior.
You can view seat usage and manage users with Minimal Access.
When you turn on restricted access, the following known issues might occur and result in overages:
Additionally, restricted access might block the standard non-overage flows:
{{< details >}}
{{< /details >}}
The user cap is the maximum number of billable users who can create accounts or be added to a subscription without administrator approval. After the user cap is reached, users who create accounts or are added must be approved by an administrator. Users can use their account only after they have been approved by an administrator.
If an administrator increases or removes the user cap, users pending approval are automatically approved.
The number of billable users is updated once a day.
The user cap might apply only retrospectively after the cap has already been exceeded.
If the cap is set to a value below the current number of billable users (for example, 1), the cap is enabled immediately.
You can also set up user caps for individual groups.
[!note] For instances that use LDAP or OmniAuth, when administrator approval for new user accounts is enabled or disabled, downtime might occur due to changes in the Rails configuration. You can set a user cap to enforce approvals for new users.
Prerequisites:
To set a user cap:
Remove the user cap so that the number of new users who can create accounts without administrator approval is not restricted.
After you remove the user cap, users pending approval are automatically approved.
Prerequisites:
To remove the user cap:
When you change from user cap to restricted access, all pending members (both members awaiting approval and invited members) are automatically removed. To ensure users are approved as members, you must approve or remove pending members before enabling restricted access.
By default, user passwords have a limited number of requirements. You can modify the requirements to increase the minimum length or require specific character types.
Changing the password requirements does not affect existing user passwords. Modified complexity requirements are enforced only in these situations:
To modify password complexity requirements:
In the upper-right corner, select Admin.
Select Settings > General.
Expand New user account restrictions.
Modify the complexity requirements:
| Setting | Description |
|---|---|
| Minimum password length | Sets the minimum number of characters required. Cannot be less than 8 characters or more than 128 characters. |
| Require numbers | Requires passwords to contain at least one number (0-9). Premium and Ultimate only. |
| Require uppercase letters | Requires passwords to contain at least one uppercase letter (A-Z). Premium and Ultimate only. |
| Require lowercase letters | Requires passwords to contain at least one lowercase letter (a-z). Premium and Ultimate only. |
| Require symbols | Requires passwords to contain at least one symbol. Premium and Ultimate only. |
Select Save changes.
You can specify an inclusive or exclusive list of email domains that can be used for new user accounts.
These restrictions are only applied during new account creation by an external user. An administrator can add a user through the administrator panel with a disallowed domain. The users can also change their email addresses to disallowed domains after they create an account.
You can restrict users to creating user accounts with email addresses that match the given domains list.
You can block users from signing up when using an email addresses of specific domains. This can reduce the risk of malicious users creating spam accounts with disposable email addresses.
To create an email domain allowlist or denylist:
In the upper-right corner, select Admin.
Select Settings > General.
Expand New user account restrictions.
For the allowlist, you must enter the list manually. For the denylist, you can enter the list
manually or upload a .txt file that contains list entries.
Both the allowlist and denylist accept wildcards. For example, you can use
*.company.com to accept every company.com subdomain, or *.io to block all
domains ending in .io. Domains must be separated by a whitespace,
semicolon, comma, or a new line.
You can limit GitLab access to a subset of the LDAP users on your LDAP server.
See the documentation on setting up an LDAP user filter for more information.
{{< details >}}
{{< /details >}}
{{< history >}}
member_promotion_management.member_promotion_management changed from wip to beta and enabled by default in GitLab 17.5.member_promotion_management removed in GitLab 18.0.{{< /history >}}
To prevent existing users from being promoted into a billable role in a project or group, turn on administrator approval for role promotions. You can then approve or reject promotion requests that are pending administrator approval.
Prerequisites:
To turn on approvals for role promotions:
[!note] This approval requirement does not apply to memberships granted by LDAP synchronization or SAML group links. Users who receive a role promotion through LDAP or SAML do not require administrator approval, regardless of whether they previously had a billable role.