Configure access to GitLab Duo

Tier: Free, Premium, Ultimate
Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated

Introduced in GitLab 18.8.

You can turn GitLab Duo on or off for a group or restrict access to GitLab Duo for one or more groups.

Restrict access to GitLab Duo

Default No group rule introduced in GitLab 18.10.
Member access section and No group rule renamed in GitLab 18.11.

Prerequisites:

The Owner role for the top-level group.

To restrict access to GitLab Duo for a top-level group:

In the top bar, select Search or go to and find your group.
In the left sidebar, select Settings > GitLab Duo.
Select Change configuration.
Under Restrict access based on group membership, select Add group.
From the dropdown list, select a group.

When you select the first group, a default All eligible users rule is also added. You can use this rule to configure access for all other users. This rule is automatically deleted when the group has no access to GitLab Duo Non-Agentic or GitLab Duo Agent Platform and all existing groups are removed.
Select whether direct members of the group can access GitLab Duo Non-Agentic and GitLab Duo Agent Platform.
Select Save changes.

These settings apply to the following users:

Users who are direct members of one of the groups configured under Restrict access based on group membership and who execute an AI action in a project or subgroup of the top-level group.
Users who have the top-level group as the default GitLab Duo namespace and who are not members of the top-level group where the AI action is executed.

When you configure access controls, you can select only groups that are direct subgroups of the top-level group. You cannot use nested subgroups in access control rules.

Prerequisites:

Administrator access.

To restrict access to GitLab Duo for an instance:

In the upper-right corner, select Admin.
In the left sidebar, select GitLab Duo.
Select Change configuration.
Under Restrict access based on group membership:
- To add an existing group, select Add group.
- To create a new group, select Create group.
From the dropdown list, select a group.

When you select the first group, a default All eligible users rule is also added. You can use this rule to configure access for all other users. This rule is automatically deleted when the group has no access to GitLab Duo Non-Agentic or GitLab Duo Agent Platform and all existing groups are removed.
Select whether direct members of the group can access GitLab Duo Non-Agentic and GitLab Duo Agent Platform.
Select Save changes.

These settings apply to users who are direct members of one of the groups configured under Restrict access based on group membership.

When you configure access controls, you can select only top-level groups. You cannot use subgroups in access control rules.

If you do not want to manually manage group membership, you can synchronize membership by using LDAP or SAML.

Group membership

When a user is assigned to more than one group, the user has access to features from all assigned groups. For example, if a user has access to GitLab Duo Non-Agentic in group A and GitLab Duo Agent Platform in group B, the user has access to both sets of features.

If the All eligible users rule is configured, the following users can access both GitLab Duo Non-Agentic and GitLab Duo Agent Platform:

On GitLab.com: All members of the top-level group.
On GitLab Self-Managed: All users.

Additional controls (such as disabling features for the top-level group or instance) still apply.

Synchronize group membership

If you use LDAP or SAML for authentication, you can synchronize group membership automatically:

Configure your LDAP or SAML provider to include a group that represents GitLab Duo Agent Platform users.
In GitLab, ensure the group is linked to your LDAP or SAML provider.
Group membership updates automatically when users are added or removed from the provider group.

For more information, see:

Using access control

You can use access control for phased rollouts or testing and validation.

Phased rollouts

To implement a phased rollout of GitLab Duo:

Create a group for pilot users (for example, pilot-users).
Add a subset of users to this group.
Add more users to the group gradually as you validate functionality and train users.
Add all users to the group when you're ready for a full rollout.

Testing and validation

To test GitLab Duo capabilities in a controlled environment:

Create a dedicated group for testing (for example, agent-testers).
Create a test group or project.
Add test users to the agent-testers group.
Validate functionality and train users before a broader rollout.

Troubleshooting

User cannot access GitLab Duo features

A user cannot access GitLab Duo features in the following scenarios:

Access to GitLab Duo Non-Agentic or GitLab Duo Agent Platform is not configured for the group.
Access to GitLab Duo Non-Agentic or GitLab Duo Agent Platform is configured for the group, but one of the following applies:
- The user is not a direct member of the group.
- The All eligible users rule is not configured.

To resolve this issue, do one of the following:

Add the user as a direct member to one of the configured groups.
Give All eligible users access to GitLab Duo Non-Agentic or GitLab Duo Agent Platform.
Remove all group membership access rules.

In GitLab 18.8 and earlier, if you give a group access to GitLab Duo Agent Platform but not to GitLab Duo Non-Agentic, the GitLab Duo sidebar does not display for members of that group. As a workaround, ensure the group has access to both GitLab Duo Non-Agentic and GitLab Duo Agent Platform.

To resolve this issue, upgrade to GitLab 18.9 or later.