gitlab.com/gitlab-org/gitlab-foss.git
author GitLab Bot <gitlab-bot@gitlab.com> 2022-12-05 09:07:17 +0300
committer GitLab Bot <gitlab-bot@gitlab.com> 2022-12-05 09:07:17 +0300
commit 130b909c4fab338c54e3292ed0c4f548e26e46b9
tree b444bc3ed5d368e7a25d973c45183c0ad09a525c /doc
parent f0208efd0b9afee8a00690d430e9aec2171a1955
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'doc')
-rw-r--r-- doc/administration/auth/ldap/ldap_synchronization.md | 2
-rw-r--r-- doc/administration/monitoring/gitlab_self_monitoring_project/index.md | 4
-rw-r--r-- doc/api/project_snippets.md | 2
-rw-r--r-- doc/api/projects.md | 2
-rw-r--r-- doc/api/snippets.md | 2
-rw-r--r-- doc/ci/pipelines/index.md | 11
-rw-r--r-- doc/ci/pipelines/settings.md | 4
-rw-r--r-- doc/integration/saml.md | 4
-rw-r--r-- doc/subscriptions/self_managed/index.md | 2
-rw-r--r-- doc/user/admin_area/external_users.md | 77
-rw-r--r-- doc/user/permissions.md | 74
-rw-r--r-- doc/user/public_access.md | 4
12 files changed, 98 insertions, 90 deletions
diff --git a/doc/administration/auth/ldap/ldap_synchronization.md b/doc/administration/auth/ldap/ldap_synchronization.md
index 02b04861844..37b43245f3a 100644
--- a/doc/administration/auth/ldap/ldap_synchronization.md
+++ b/doc/administration/auth/ldap/ldap_synchronization.md
@@ -243,7 +243,7 @@ sync to run once every two hours at the top of the hour.
### External groups
Using the `external_groups` setting allows you to mark all users belonging
-to these groups as [external users](../../../user/permissions.md#external-users).
+to these groups as [external users](../../../user/admin_area/external_users.md).
Group membership is checked periodically through the `LdapGroupSync` background
task.
diff --git a/doc/administration/monitoring/gitlab_self_monitoring_project/index.md b/doc/administration/monitoring/gitlab_self_monitoring_project/index.md
index 35dc64a0594..566bc070347 100644
--- a/doc/administration/monitoring/gitlab_self_monitoring_project/index.md
+++ b/doc/administration/monitoring/gitlab_self_monitoring_project/index.md
@@ -101,7 +101,7 @@ You can add custom metrics in the self-monitoring project by:
A [bug](https://gitlab.com/gitlab-org/gitlab/-/issues/208676) causes project creation to fail with
the following error in the log file when the first administrator user is an
-[external user](../../../user/permissions.md#external-users):
+[external user](../../../user/admin_area/external_users.md):
```plaintext
Could not create instance administrators group. Errors: ["You don't have permission to create groups."]
@@ -116,6 +116,6 @@ User.admins.active.first.external?
If this returns true, the first administrator user is an external user.
If you face this issue, you can temporarily
-[make the administrator user a non-external user](../../../user/permissions.md#external-users)
+[make the administrator user a non-external user](../../../user/admin_area/external_users.md)
and then try to create the project.
After the project is created, the administrator user can be changed back to an external user.
diff --git a/doc/api/project_snippets.md b/doc/api/project_snippets.md
index 29d3b38f977..afb7519d5f3 100644
--- a/doc/api/project_snippets.md
+++ b/doc/api/project_snippets.md
@@ -16,7 +16,7 @@ Constants for snippet visibility levels are:
| visibility | Description |
| ---------- | ----------- |
| `private` | The snippet is visible only to project members |
-| `internal` | The snippet is visible for any logged in user except [external users](../user/permissions.md#external-users) |
+| `internal` | The snippet is visible for any logged in user except [external users](../user/admin_area/external_users.md) |
| `public` | The snippet can be accessed without any authentication |
NOTE:
diff --git a/doc/api/projects.md b/doc/api/projects.md
index 82a3388053f..2800ccfee93 100644
--- a/doc/api/projects.md
+++ b/doc/api/projects.md
@@ -16,7 +16,7 @@ The visibility level is determined by the `visibility` field in the project.
Values for the project visibility level are:
- `private`: project access must be granted explicitly to each user.
-- `internal`: the project can be cloned by any signed-in user except [external users](../user/permissions.md#external-users).
+- `internal`: the project can be cloned by any signed-in user except [external users](../user/admin_area/external_users.md).
- `public`: the project can be accessed without any authentication.
For more, read [Project visibility](../user/public_access.md).
diff --git a/doc/api/snippets.md b/doc/api/snippets.md
index 593985b5d5f..c312642a450 100644
--- a/doc/api/snippets.md
+++ b/doc/api/snippets.md
@@ -20,7 +20,7 @@ Valid values for snippet visibility levels are:
| Visibility | Description |
|:-----------|:----------------------------------------------------|
| `private` | Snippet is visible only to the snippet creator. |
-| `internal` | Snippet is visible for any logged in user except [external users](../user/permissions.md#external-users). |
+| `internal` | Snippet is visible for any logged in user except [external users](../user/admin_area/external_users.md). |
| `public` | Snippet can be accessed without any authentication. |
## List all snippets for a user
diff --git a/doc/ci/pipelines/index.md b/doc/ci/pipelines/index.md
index f75c084dd83..2126997e25f 100644
--- a/doc/ci/pipelines/index.md
+++ b/doc/ci/pipelines/index.md
@@ -190,7 +190,8 @@ In this example:
##### Configure a list of selectable values for a prefilled variable
-> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/363660) in GitLab 15.5 [with a flag](../../administration/feature_flags.md) named `run_pipeline_graphql`. Disabled by default.
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/363660) in GitLab 15.5 [with a flag](../../administration/feature_flags.md) named `run_pipeline_graphql`. Disabled by default.
+> - The `options` keyword was [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/105502) in GitLab 15.7.
FLAG:
On self-managed GitLab, by default this feature is not available. To make it available,
@@ -198,15 +199,17 @@ ask an administrator to [enable the feature flag](../../administration/feature_f
The feature is not ready for production use.
You can define an array of CI/CD variable values the user can select from when running a pipeline manually.
-These values are in a dropdown list in the **Run pipeline** page. The first value
-in the array is the value selected by default.
+These values are in a dropdown list in the **Run pipeline** page. Add the list of
+value options to `options` and set the default value with `value`. The string in `value`
+must also be included in the `options` list.
For example:
```yaml
variables:
DEPLOY_ENVIRONMENT:
- value:
+ value: "staging"
+ options:
- "production"
- "staging"
- "canary"
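Review bot: The added sentence "The string in `value` must also be included in the `options` list" does not say what happens when it is not included, so a reader cannot tell whether the pipeline configuration is rejected or the default is ignored. The removed sentence about the first array value being the default also leaves no guidance for configurations written for 15.5 or 15.6 with the list directly under `value`. Suggest adding one sentence on the failure behaviour and one on whether the list-under-`value` form is still accepted.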
diff --git a/doc/ci/pipelines/settings.md b/doc/ci/pipelines/settings.md
index e99644fb6ee..423ee31dec4 100644
--- a/doc/ci/pipelines/settings.md
+++ b/doc/ci/pipelines/settings.md
@@ -32,7 +32,7 @@ To change the visibility of your pipelines and related features:
When it is selected, pipelines and related features are visible:
- For [**Public**](../../user/public_access.md) projects, to everyone.
- - For **Internal** projects, to all logged-in users except [external users](../../user/permissions.md#external-users).
+ - For **Internal** projects, to all logged-in users except [external users](../../user/admin_area/external_users.md).
- For **Private** projects, to all project members (Guest or higher).
When it is cleared:
@@ -41,7 +41,7 @@ To change the visibility of your pipelines and related features:
and the **CI/CD** menu items are visible only to project members (Reporter or higher).
Other users, including guest users, can only view the status of pipelines and jobs, and only
when viewing merge requests or commits.
- - For **Internal** projects, pipelines are visible to all logged in users except [external users](../../user/permissions.md#external-users).
+ - For **Internal** projects, pipelines are visible to all logged in users except [external users](../../user/admin_area/external_users.md).
Related features are visible only to project members (Reporter or higher).
- For **Private** projects, pipelines and related features are visible to project members (Reporter or higher) only.
diff --git a/doc/integration/saml.md b/doc/integration/saml.md
index b431d85cf3f..0106f04d204 100644
--- a/doc/integration/saml.md
+++ b/doc/integration/saml.md
@@ -281,7 +281,7 @@ for a full list of supported assertions.
## SAML Groups
-You can require users to be members of a certain group, or assign users [external](../user/permissions.md#external-users), administrator or [auditor](../user/permissions.md#auditor-users) roles based on group membership.
+You can require users to be members of a certain group, or assign users [external](../user/admin_area/external_users.md), administrator or [auditor](../user/permissions.md#auditor-users) roles based on group membership.
These groups are checked on each SAML login and user attributes updated as necessary.
This feature **does not** allow you to
automatically add users to GitLab [Groups](../user/group/index.md).
@@ -347,7 +347,7 @@ Example:
### External groups
SAML login supports the automatic identification of a user as an
-[external user](../user/permissions.md#external-users). This is based on the user's group
+[external user](../user/admin_area/external_users.md). This is based on the user's group
membership in the SAML identity provider.
```yaml
diff --git a/doc/subscriptions/self_managed/index.md b/doc/subscriptions/self_managed/index.md
index 8dcec9263cc..93cf5afad63 100644
--- a/doc/subscriptions/self_managed/index.md
+++ b/doc/subscriptions/self_managed/index.md
@@ -110,7 +110,7 @@ The user must not be assigned any other role, anywhere in the instance.
NOTE:
If a user creates a project, they are assigned the Maintainer or Owner role.
To prevent a user from creating projects, as an administrator, you can mark the user
-as [external](../../user/permissions.md#external-users).
+as [external](../../user/admin_area/external_users.md).
### Tips for managing users and subscription seats
diff --git a/doc/user/admin_area/external_users.md b/doc/user/admin_area/external_users.md
new file mode 100644
index 00000000000..8b968a3da01
--- /dev/null
+++ b/doc/user/admin_area/external_users.md
@@ -0,0 +1,77 @@
+---
+stage: Manage
+group: Authentication and Authorization
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments
+---
+
+# External users **(FREE SELF)**
+
+In cases where it is desired that a user has access only to some internal or
+private projects, there is the option of creating **External Users**. This
+feature may be useful when for example a contractor is working on a given
+project and should only have access to that project.
+
+External users:
+
+- Cannot create project, groups, and snippets in their personal namespaces.
+- Can only create projects (including forks), subgroups, and snippets within top-level groups to which they are explicitly granted access.
+- Can only access public projects and projects to which they are explicitly granted access,
+ thus hiding all other internal or private ones from them (like being
+ logged out).
+- Can only access public groups and groups to which they are explicitly granted access,
+ thus hiding all other internal or private ones from them (like being
+ logged out).
+- Can only access public snippets.
+
+Access can be granted by adding the user as member to the project or group.
+Like usual users, they receive a role in the project or group with all
+the abilities that are mentioned in the [permissions table](../permissions.md#project-members-permissions).
+For example, if an external user is added as Guest, and your project is internal or
+private, they do not have access to the code; you need to grant the external
+user access at the Reporter level or above if you want them to have access to the code. You should
+always take into account the
+[project's visibility and permissions settings](../project/settings/index.md#configure-project-visibility-features-and-permissions)
+as well as the permission level of the user.
+
+NOTE:
+External users still count towards a license seat.
+
+An administrator can flag a user as external by either of the following methods:
+
+- [Through the API](../../api/users.md#user-modification).
+- Using the GitLab UI:
+ 1. On the top bar, select **Main menu > Admin**.
+ 1. On the left sidebar, select **Overview > Users** to create a new user or edit an existing one.
+ There, you can find the option to flag the user as external.
+
+Additionally, users can be set as external users using:
+
+- [SAML groups](../../integration/saml.md#external-groups).
+- [LDAP groups](../../administration/auth/ldap/ldap_synchronization.md#external-groups).
+
+## Set a new user to external
+
+By default, new users are not set as external users. This behavior can be changed
+by an administrator:
+
+1. On the top bar, select **Main menu > Admin**.
+1. On the left sidebar, select **Settings > General**.
+1. Expand the **Account and limit** section.
+
+If you change the default behavior of creating new users as external, you
+have the option to narrow it down by defining a set of internal users.
+The **Internal users** field allows specifying an email address regex pattern to
+identify default internal users. New users whose email address matches the regex
+pattern are set to internal by default rather than an external collaborator.
+
+The regex pattern format is in Ruby, but it needs to be convertible to JavaScript,
+and the ignore case flag is set (`/regex pattern/i`). Here are some examples:
+
+- Use `\.internal@domain\.com$` to mark email addresses ending with
+ `.internal@domain.com` as internal.
+- Use `^(?:(?!\.ext@domain\.com).)*$\r?` to mark users with email addresses
+ not including `.ext@domain.com` as internal.
+
+WARNING:
+Be aware that this regex could lead to a
+[regular expression denial of service (ReDoS) attack](https://en.wikipedia.org/wiki/ReDoS).
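Review bot: The closing WARNING says "this regex could lead to a ... ReDoS attack" without saying which regex is meant (the second example with the negative lookahead, or any pattern entered in the **Internal users** field) or what an administrator should do about it. Suggest naming the pattern and adding guidance, for example preferring an anchored suffix match like the first example. Two smaller documentation gaps in the same file: the steps under "Set a new user to external" stop at "Expand the **Account and limit** section" and never name the setting to select, and the trailing `\r?` after `$` in the second example is unexplained. The first bullet under "External users:" should also read "projects" rather than "project".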
diff --git a/doc/user/permissions.md b/doc/user/permissions.md
index 0d13ad1a1a1..6c0dab98529 100644
--- a/doc/user/permissions.md
+++ b/doc/user/permissions.md
@@ -230,7 +230,7 @@ The following table lists project permissions available for each role:
<!-- markdownlint-disable MD029 -->
1. On self-managed GitLab instances, guest users are able to perform this action only on
- public and internal projects (not on private projects). [External users](#external-users)
+ public and internal projects (not on private projects). [External users](admin_area/external_users.md)
must be given explicit access even if the project is internal. For GitLab.com, see the
[GitLab.com visibility settings](gitlab_com/index.md#visibility-settings).
2. Guest users can only view the [confidential issues](project/issues/confidential_issues.md) they created themselves or are assigned to.
@@ -473,78 +473,6 @@ nested groups if you have membership in one of its parents.
To learn more, read through the documentation on
[subgroups memberships](group/subgroups/index.md#subgroup-membership).
-## External users **(FREE SELF)**
-
-In cases where it is desired that a user has access only to some internal or
-private projects, there is the option of creating **External Users**. This
-feature may be useful when for example a contractor is working on a given
-project and should only have access to that project.
-
-External users:
-
-- Cannot create project, groups, and snippets in their personal namespaces.
-- Can only create projects (including forks), subgroups, and snippets within top-level groups to which they are explicitly granted access.
-- Can only access public projects and projects to which they are explicitly granted access,
- thus hiding all other internal or private ones from them (like being
- logged out).
-- Can only access public groups and groups to which they are explicitly granted access,
- thus hiding all other internal or private ones from them (like being
- logged out).
-- Can only access public snippets.
-
-Access can be granted by adding the user as member to the project or group.
-Like usual users, they receive a role in the project or group with all
-the abilities that are mentioned in the [permissions table above](#project-members-permissions).
-For example, if an external user is added as Guest, and your project is internal or
-private, they do not have access to the code; you need to grant the external
-user access at the Reporter level or above if you want them to have access to the code. You should
-always take into account the
-[project's visibility and permissions settings](project/settings/index.md#configure-project-visibility-features-and-permissions)
-as well as the permission level of the user.
-
-NOTE:
-External users still count towards a license seat.
-
-An administrator can flag a user as external by either of the following methods:
-
-- [Through the API](../api/users.md#user-modification).
-- Using the GitLab UI:
- 1. On the top bar, select **Main menu > Admin**.
- 1. On the left sidebar, select **Overview > Users** to create a new user or edit an existing one.
- There, you can find the option to flag the user as external.
-
-Additionally, users can be set as external users using:
-
-- [SAML groups](../integration/saml.md#external-groups).
-- [LDAP groups](../administration/auth/ldap/ldap_synchronization.md#external-groups).
-
-### Setting new users to external
-
-By default, new users are not set as external users. This behavior can be changed
-by an administrator:
-
-1. On the top bar, select **Main menu > Admin**.
-1. On the left sidebar, select **Settings > General**.
-1. Expand the **Account and limit** section.
-
-If you change the default behavior of creating new users as external, you
-have the option to narrow it down by defining a set of internal users.
-The **Internal users** field allows specifying an email address regex pattern to
-identify default internal users. New users whose email address matches the regex
-pattern are set to internal by default rather than an external collaborator.
-
-The regex pattern format is in Ruby, but it needs to be convertible to JavaScript,
-and the ignore case flag is set (`/regex pattern/i`). Here are some examples:
-
-- Use `\.internal@domain\.com$` to mark email addresses ending with
- `.internal@domain.com` as internal.
-- Use `^(?:(?!\.ext@domain\.com).)*$\r?` to mark users with email addresses
- not including `.ext@domain.com` as internal.
-
-WARNING:
-Be aware that this regex could lead to a
-[regular expression denial of service (ReDoS) attack](https://en.wikipedia.org/wiki/ReDoS).
-
## Auditor users **(PREMIUM SELF)**
Auditor users are given read-only access to all projects, groups, and other
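Review bot: Removing the `## External users` heading drops the `#external-users` anchor from `permissions.md`, and the diffstat shown is limited to `doc`, so any reference to `permissions.md#external-users` from outside the docs tree is not covered by the link updates visible here. Suggest checking for remaining references to the old anchor, or leaving a short pointer to `admin_area/external_users.md` in this file so that existing deep links still lead somewhere useful.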
diff --git a/doc/user/public_access.md b/doc/user/public_access.md
index 46d96988169..71e8f017bd1 100644
--- a/doc/user/public_access.md
+++ b/doc/user/public_access.md
@@ -41,13 +41,13 @@ is restricted, `/public` is visible only to signed-in users.
## Internal projects and groups **(FREE SELF)**
Internal projects can be cloned by any signed-in user except
-[external users](permissions.md#external-users).
+[external users](admin_area/external_users.md).
They are also listed in the public access directory (`/public`), but only for signed-in users.
Internal groups can have internal or private subgroups.
-Any signed-in users except [external users](permissions.md#external-users) have the
+Any signed-in users except [external users](admin_area/external_users.md) have the
Guest role on the repository.
NOTE: