doc/user/group/access_and_permissions.md
{{< details >}}
{{< /details >}}
Configure your groups to control group permissions and access. For more information, see also Sharing projects and groups.
{{< history >}}
{{< /history >}}
You can set the permitted protocols used to access a group's repositories to either SSH, HTTPS, or both. This setting is disabled when the instance setting is configured by an administrator.
To change the permitted Git access protocols for a group:
{{< details >}}
{{< /details >}}
To ensure only people from your organization can access particular resources, you can restrict access to groups by IP address. This top-level group setting applies to:
Administrators can combine restricted access by IP address with globally-allowed IP addresses.
[!warning] IP restriction requires proper configuration of the
X-Forwarded-Forheader. To limit the risk of IP spoofing, you must overwrite, and not append, anyX-Forwarded-Forheaders sent by clients.For deployments without an upstream proxy or load balancer, configure the server that receives direct requests from users to preserve the original client IP address and overwrite any
X-Forwarded-Forheaders. In NGINX, for example, modify your configuration file to include:plaintextproxy_set_header X-Forwarded-For $remote_addr;For deployments with an upstream proxy or load balancer, configure the proxy or load balancer to preserve the original client IP address and overwrite any
X-Forwarded-Forheaders. This approach ensures that GitLab receives the full chain of IPs, starting from the original client, and can correctly evaluate the IP restrictions. In NGINX, for example, modify your configuration file to include:plaintextproxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
To restrict group access by IP address:
In the top bar, select Search or go to and find your group.
Select Settings > General.
Expand the Permissions and group features section.
In the Restrict access by IP address text box, enter a list of IPv4 or IPv6 address ranges in CIDR notation:
192.168.1.0/24
10.0.0.0/8
2001:db8::/32
203.0.113.5/32
You must manually add each IP address entry. Adding multiple entries separated by a comma or space is not supported. Support for bulk entries is proposed in issue 468998.
This list:
Select Save changes.
IP access restrictions limit access to groups and projects, but are not a complete firewall. While this feature generally limits access to group and project resources, some information may still be accessible to restricted users. Keep in mind the following (non-exhaustive) list of security implications when accessing GitLab from a disallowed IP address:
gitlab-sshd with
PROXY protocol enabled.IP address-based group access restriction does not work with hosted runners for GitLab.com. These runners operate as ephemeral virtual machines with dynamic IP addresses from large cloud provider pools (AWS, Google Cloud). Allowing these broad IP ranges defeats the purpose of IP address-based access restriction.
{{< details >}}
{{< /details >}}
{{< history >}}
{{< /history >}}
You can define an email domain allowlist at the top-level namespace to restrict which users can access a group and its projects. A user's primary email domain must match an entry in the allowlist to access that group. Subgroups inherit the same allowlist.
To restrict group access by domain:
The next time you attempt to add a user to the group, their primary email must match one of the allowed domains.
You cannot restrict using the most popular public email domains, such as:
aol.com, gmail.com, hotmail.co.uk, hotmail.com,hotmail.fr, icloud.com, live.com, mail.com,me.com, msn.com, outlook.com,proton.me, protonmail.com, tutanota.com,yahoo.com, yandex.com, zohomail.comWhen you share a group, both the source and target namespaces must allow the domains of the members' email addresses.
[!note] Removing a domain from the Restrict membership by email domain list does not remove existing users with that domain from the group or its projects. Also, if you share a group or project with another group, the target group can add more email domains to its list that are not in the list of the source group. Hence, this feature does not ensure that the current members always conform to the Restrict membership by email domain list.
As a group Owner, you can prevent non-members from requesting access to your group.
[!note] Disabling the Allow users to request access setting prevents new access requests. Existing pending requests are not removed and can still be approved or denied.
{{< details >}}
{{< /details >}}
By default, projects in a group can be forked. However, you can prevent the projects in a group from being forked outside of the current top-level group.
[!note] Prevent forking outside the top-level group when possible to reduce potential avenues for bad actors. However, if you expect a lot of external collaboration, allowing forks outside the top-level group might be unavoidable.
Prerequisites:
To prevent projects from being forked outside the group:
Existing forks are not removed.
{{< details >}}
{{< /details >}}
As a group Owner, you can prevent any new project membership for all projects in a group, allowing tighter control over project membership.
For example, if you want to lock the group for an audit event, you can guarantee that project membership cannot be modified during the audit.
If group membership lock is enabled, the group Owner can still:
The setting does not cascade. Projects in subgroups observe the subgroup configuration, ignoring the parent group.
To prevent members from being added to projects in a group:
After you lock the membership for a group:
{{< details >}}
{{< /details >}}
{{< history >}}
{{< /history >}}
Group syncing allows LDAP groups to be mapped to GitLab groups. This provides more control over per-group user management. To configure group syncing, edit the group_base DN ('OU=Global Groups,OU=GitLab INT,DC=GitLab,DC=org'). This OU contains all groups that are associated with GitLab groups.
Group links can be created by using either a CN or a filter. To create these group links, go to the group's Settings > LDAP Synchronization page. After configuring the link, it may take more than an hour for the users to sync with the GitLab group. After you have configured the link:
When a user belongs to multiple LDAP groups configured for the same GitLab group, GitLab assigns them the higher of the two associated roles. For example:
Owner and Dev.Owner role as this is the higher of the two LDAP group roles.With custom roles, the same logic applies when the roles have different base access levels. For example:
Developer and Developer + admin_vulnerabilityDeveloper + admin_vulnerability as this is the higher of the two LDAP group roles.When two custom roles share the same base access level, GitLab cannot determine a higher role by rank alone. Instead, the custom role from the earliest-created group link takes precedence. For example:
Developer + admin_vulnerability and Developer + admin_merge_requestDeveloper base access level.For more information on the administration of LDAP and group sync, refer to the main LDAP documentation.
[!note] When you add LDAP group syncing, if an LDAP user is a group member and they are not part of the LDAP group, they are removed from the group.
You can use a workaround to manage project access through LDAP groups.
To create group links with LDAP group CN:
<!-- vale gitlab_base.Spelling = NO -->LDAP Group cn.group_base. Select your CN from this list.GitLab begins linking the role to any matching LDAP users. This process may take over an hour to complete.
<!-- vale gitlab_base.Spelling = YES -->To create group links with an LDAP user filter:
LDAP user filter.GitLab begins linking the role to any matching LDAP users. This process may take over an hour to complete.
[!note] When you remove LDAP group syncing, the existing memberships and role assignment are retained.
LDAP user permissions can be manually overridden by an administrator. To override a user's permissions:
Now you can edit the user's permissions from the Members page.
{{< history >}}
{{< /history >}}
This group setting controls the default value of the minimum role allowed to run a new pipeline with pipeline variables project setting. New projects created in the group have this value selected by default.
Prerequisites:
To set the default minimum role:
After a new project is created, project members with the Maintainer or Owner role can change the project setting to another value if needed.
If a user sees a 404 error when they try to access a specific group, their access might be blocked by an IP restriction.
Search the auth.log rails log for one or more of the following entries:
json.message: 'Attempting to access IP restricted group'json.allowed: falseIn viewing the log entries, compare remote.ip with the list of allowed IP addresses for the group.
If a group Owner cannot update permissions for a group member, check which memberships are listed. Group Owners can only update direct memberships.
Members added directly to a subgroup are still considered inherited members if they have the same or a higher role in the parent group.
To view and update direct memberships, filter the group to show direct members.
Issue 337539 proposes a redesigned members page that lists both direct and indirect memberships with the ability to filter by type.
If you have issues with Git SSH operations after adding IP address restrictions, check if your connection defaults to IPv6.
Some operating systems prioritize IPv6 over IPv4 when both are available, which might not be obvious from the Git terminal feedback.
If your connection uses IPv6, you can resolve this issue by adding the IPv6 address to the allowlist.