diff options
Diffstat (limited to 'doc/user/admin_area/settings')
18 files changed, 109 insertions, 74 deletions
diff --git a/doc/user/admin_area/settings/account_and_limit_settings.md b/doc/user/admin_area/settings/account_and_limit_settings.md index cd1f20a2f4e..44a6bbb9d8e 100644 --- a/doc/user/admin_area/settings/account_and_limit_settings.md +++ b/doc/user/admin_area/settings/account_and_limit_settings.md @@ -259,18 +259,6 @@ Once a lifetime for access tokens is set, GitLab: allowed lifetime. Three hours is given to allow administrators to change the allowed lifetime, or remove it, before revocation takes place. -<!-- start_remove The following content will be removed on remove_date: '2022-08-22' --> -## Allow expired access tokens to be used (removed) **(ULTIMATE SELF)** - -> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/214723) in GitLab 13.1. -> - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/296881) in GitLab 13.9. -> - [Deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/351962) in GitLab 14.8. -> - [Removed](https://gitlab.com/gitlab-org/gitlab/-/issues/351962) in GitLab 15.0. - -This feature was [deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/351962) in GitLab 14.8. -This feature was [removed](https://gitlab.com/gitlab-org/gitlab/-/issues/351962) in GitLab 15.0. -<!-- end_remove --> - ## Disable user profile name changes **(PREMIUM SELF)** > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/24605) in GitLab 12.7. @@ -288,11 +276,11 @@ When this ability is disabled, GitLab administrators can still use the [Admin Area](../index.md#administering-users) or the [API](../../../api/users.md#user-modification) to update usernames. -## Prevent users from creating top-level groups +## Prevent new users from creating top-level groups > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/367754) in GitLab 15.5. -By default, new users can create top-level groups. GitLab administrators can prevent users from creating top-level groups: +By default, new users can create top-level groups. GitLab administrators can prevent new users from creating top-level groups: - In GitLab 15.5 and later, using either: - The GitLab UI using the steps in this section. @@ -301,7 +289,7 @@ By default, new users can create top-level groups. GitLab administrators can pre 1. On the top bar, select **Main menu > Admin**. 1. On the left sidebar, select **Settings > General**, then expand **Account and limit**. -1. Clear the **Allow users to create top-level groups** checkbox. +1. Clear the **Allow new users to create top-level groups** checkbox. ## Troubleshooting diff --git a/doc/user/admin_area/settings/continuous_integration.md b/doc/user/admin_area/settings/continuous_integration.md index afc9a006b39..adca9c85af1 100644 --- a/doc/user/admin_area/settings/continuous_integration.md +++ b/doc/user/admin_area/settings/continuous_integration.md @@ -20,10 +20,10 @@ for all projects: 1. Check (or uncheck to disable) the box that says **Default to Auto DevOps pipeline for all projects**. 1. Optionally, set up the [Auto DevOps base domain](../../../topics/autodevops/requirements.md#auto-devops-base-domain) which is used for Auto Deploy and Auto Review Apps. -1. Hit **Save changes** for the changes to take effect. +1. Select **Save changes** for the changes to take effect. From now on, every existing project and newly created ones that don't have a -`.gitlab-ci.yml`, uses the Auto DevOps pipelines. +`.gitlab-ci.yml` use the Auto DevOps pipelines. If you want to disable it for a specific project, you can do so in [its settings](../../../topics/autodevops/index.md#enable-or-disable-auto-devops). @@ -71,7 +71,7 @@ runner settings: To view the rendered details: 1. On the top bar, select **Main menu**, and: - - For a project, select ***Projects** and find your project. + - For a project, select **Projects** and find your project. - For a group, select **Groups** and find your group. 1. On the left sidebar, select **Settings > CI/CD**. 1. Expand **Runners**. @@ -132,7 +132,7 @@ NOTE: Any changes to this setting applies to new artifacts only. The expiration time is not be updated for artifacts created before this setting was changed. The administrator may need to manually search for and expire previously-created -artifacts, as described in the [troubleshooting documentation](../../../administration/troubleshooting/gitlab_rails_cheat_sheet.md#remove-artifacts-more-than-a-week-old). +artifacts, as described in the [troubleshooting documentation](../../../administration/job_artifacts.md#delete-job-artifacts-from-jobs-completed-before-a-specific-date). ## Keep the latest artifacts for all jobs in the latest successful pipelines @@ -174,7 +174,7 @@ To set the duration for which the jobs are considered as old and expired: 1. On the left sidebar, select **Settings > CI/CD**. 1. Expand the **Continuous Integration and Deployment** section. 1. Set the value of **Archive jobs**. -1. Hit **Save changes** for the changes to take effect. +1. Select **Save changes** for the changes to take effect. After that time passes, the jobs are archived in the background and no longer able to be retried. Make it empty to never expire jobs. It has to be no less than 1 day, @@ -201,7 +201,7 @@ of your GitLab instance (`.gitlab-ci.yml` if not set): 1. On the top bar, select **Main menu > Admin**. 1. On the left sidebar, select **Settings > CI/CD**. 1. Input the new file and path in the **Default CI/CD configuration file** field. -1. Hit **Save changes** for the changes to take effect. +1. Select **Save changes** for the changes to take effect. It is also possible to specify a [custom CI/CD configuration file for a specific project](../../../ci/pipelines/settings.md#specify-a-custom-cicd-configuration-file). @@ -244,7 +244,7 @@ To enable or disable the banner: > [Moved](https://gitlab.com/gitlab-org/gitlab/-/issues/352316) from GitLab Premium to GitLab Ultimate in 15.0. NOTE: -An alternative [compliance solution](../../group/manage.md#configure-a-compliance-pipeline) +An alternative [compliance solution](../../group/compliance_frameworks.md#configure-a-compliance-pipeline) is available. We recommend this alternative solution because it provides greater flexibility, allowing required pipelines to be assigned to specific compliance framework labels. @@ -272,7 +272,7 @@ To select a CI/CD template for the required pipeline configuration: 1. On the top bar, select **Main menu > Admin**. 1. On the left sidebar, select **Settings > CI/CD**. 1. Expand the **Required pipeline configuration** section. -1. Select a CI/CD template from the dropdown. +1. Select a CI/CD template from the dropdown list. 1. Select **Save changes**. ## Package Registry configuration diff --git a/doc/user/admin_area/settings/deprecated_api_rate_limits.md b/doc/user/admin_area/settings/deprecated_api_rate_limits.md index 279cac95fc9..8bf0ffd21a5 100644 --- a/doc/user/admin_area/settings/deprecated_api_rate_limits.md +++ b/doc/user/admin_area/settings/deprecated_api_rate_limits.md @@ -40,10 +40,10 @@ To override the general user and IP rate limits for requests to deprecated API e 1. Select the checkboxes for the types of rate limits you want to enable: - **Unauthenticated API request rate limit** - **Authenticated API request rate limit** -1. _If you enabled unauthenticated API request rate limits:_ +1. If you selected **unauthenticated**: 1. Select the **Maximum unauthenticated API requests per period per IP**. 1. Select the **Unauthenticated API rate limit period in seconds**. -1. _If you enabled authenticated API request rate limits:_ +1. If you selected **authenticated**: 1. Select the **Maximum authenticated API requests per period per user**. 1. Select the **Authenticated API rate limit period in seconds**. diff --git a/doc/user/admin_area/settings/email.md b/doc/user/admin_area/settings/email.md index 6a7c01ff98b..6d2a3c2cdae 100644 --- a/doc/user/admin_area/settings/email.md +++ b/doc/user/admin_area/settings/email.md @@ -92,6 +92,6 @@ important to describe those, too. Think of things that may go wrong and include This is important to minimize requests for support, and to avoid doc comments with questions that you know someone might ask. -Each scenario can be a third-level heading, e.g. `### Getting error message X`. +Each scenario can be a third-level heading, for example `### Getting error message X`. If you have none to add when creating a doc, leave this section in place but commented out to help encourage others to add to it in the future. --> diff --git a/doc/user/admin_area/settings/external_authorization.md b/doc/user/admin_area/settings/external_authorization.md index 62d3d713616..a34ceac0d95 100644 --- a/doc/user/admin_area/settings/external_authorization.md +++ b/doc/user/admin_area/settings/external_authorization.md @@ -115,6 +115,6 @@ important to describe those, too. Think of things that may go wrong and include This is important to minimize requests for support, and to avoid doc comments with questions that you know someone might ask. -Each scenario can be a third-level heading, e.g. `### Getting error message X`. +Each scenario can be a third-level heading, for example `### Getting error message X`. If you have none to add when creating a doc, leave this section in place but commented out to help encourage others to add to it in the future. --> diff --git a/doc/user/admin_area/settings/files_api_rate_limits.md b/doc/user/admin_area/settings/files_api_rate_limits.md index e5f5064304c..ef9a3674c49 100644 --- a/doc/user/admin_area/settings/files_api_rate_limits.md +++ b/doc/user/admin_area/settings/files_api_rate_limits.md @@ -36,10 +36,10 @@ To override the general user and IP rate limits for requests to the Repository f 1. Select the checkboxes for the types of rate limits you want to enable: - **Unauthenticated API request rate limit** - **Authenticated API request rate limit** -1. _If you enabled unauthenticated API request rate limits:_ +1. If you selected **unauthenticated**: 1. Select the **Max unauthenticated API requests per period per IP**. 1. Select the **Unauthenticated API rate limit period in seconds**. -1. _If you enabled authenticated API request rate limits:_ +1. If you selected **authenticated**: 1. Select the **Max authenticated API requests per period per user**. 1. Select the **Authenticated API rate limit period in seconds**. diff --git a/doc/user/admin_area/settings/floc.md b/doc/user/admin_area/settings/floc.md index 08f3e8c09b2..f8137afa40f 100644 --- a/doc/user/admin_area/settings/floc.md +++ b/doc/user/admin_area/settings/floc.md @@ -36,6 +36,6 @@ important to describe those, too. Think of things that may go wrong and include This is important to minimize requests for support, and to avoid doc comments with questions that you know someone might ask. -Each scenario can be a third-level heading, e.g. `### Getting error message X`. +Each scenario can be a third-level heading, for example `### Getting error message X`. If you have none to add when creating a doc, leave this section in place but commented out to help encourage others to add to it in the future. --> diff --git a/doc/user/admin_area/settings/help_page.md b/doc/user/admin_area/settings/help_page.md index a4072f8680b..8d0fef398af 100644 --- a/doc/user/admin_area/settings/help_page.md +++ b/doc/user/admin_area/settings/help_page.md @@ -56,7 +56,7 @@ GitLab marketing-related entries are occasionally shown on the Help page. To hid You can specify a custom URL to which users are directed when they: -- Select **Support** from the Help dropdown. +- Select **Support** from the Help dropdown list. - Select **See our website for help** on the Help page. 1. On the top bar, select **Main menu > Admin**. @@ -106,6 +106,6 @@ important to describe those, too. Think of things that may go wrong and include This is important to minimize requests for support, and to avoid doc comments with questions that you know someone might ask. -Each scenario can be a third-level heading, e.g. `### Getting error message X`. +Each scenario can be a third-level heading, for example `### Getting error message X`. If you have none to add when creating a doc, leave this section in place but commented out to help encourage others to add to it in the future. --> diff --git a/doc/user/admin_area/settings/index.md b/doc/user/admin_area/settings/index.md index 1bdacf486a2..08c4a0d0167 100644 --- a/doc/user/admin_area/settings/index.md +++ b/doc/user/admin_area/settings/index.md @@ -109,8 +109,8 @@ The **Metrics and profiling** settings contain: Enable and configure Grafana. - [Profiling - Performance bar](../../../administration/monitoring/performance/performance_bar.md#enable-the-performance-bar-for-non-administrators) - Enable access to the Performance Bar for non-administrator users in a given group. -- [Self monitoring](../../../administration/monitoring/gitlab_self_monitoring_project/index.md#create-the-self-monitoring-project) - - Enable or disable instance self monitoring. +- [Self-monitoring](../../../administration/monitoring/gitlab_self_monitoring_project/index.md#create-the-self-monitoring-project) - + Enable or disable instance self-monitoring. - [Usage statistics](usage_statistics.md) - Enable or disable version check and Service Ping. ### Network diff --git a/doc/user/admin_area/settings/instance_template_repository.md b/doc/user/admin_area/settings/instance_template_repository.md index b74f4f68230..bf07c5b2808 100644 --- a/doc/user/admin_area/settings/instance_template_repository.md +++ b/doc/user/admin_area/settings/instance_template_repository.md @@ -28,7 +28,7 @@ To select a project to serve as the custom template repository: 1. Add custom templates to the selected repository. After you add templates, you can use them for the entire instance. -They are available in the [Web Editor's dropdown](../../project/repository/web_editor.md#template-dropdowns) +They are available in the [Web Editor's dropdown list](../../project/repository/web_editor.md#template-dropdowns) and through the [API settings](../../../api/settings.md). ## Supported file types and locations @@ -67,9 +67,9 @@ extension and not be empty. So, the hierarchy should look like this: |-- another_metrics-dashboard.yml ``` -Your custom templates are displayed on the dropdown menu when a new file is added through the GitLab UI: +Your custom templates are displayed on the dropdown list when a new file is added through the GitLab UI: - + If this feature is disabled or no templates are present, no **Custom** section displays in the selection dropdown. @@ -82,6 +82,6 @@ important to describe those, too. Think of things that may go wrong and include This is important to minimize requests for support, and to avoid doc comments with questions that you know someone might ask. -Each scenario can be a third-level heading, e.g. `### Getting error message X`. +Each scenario can be a third-level heading, for example `### Getting error message X`. If you have none to add when creating a doc, leave this section in place but commented out to help encourage others to add to it in the future. --> diff --git a/doc/user/admin_area/settings/package_registry_rate_limits.md b/doc/user/admin_area/settings/package_registry_rate_limits.md index 7e0c3482e3e..a5c5536f22d 100644 --- a/doc/user/admin_area/settings/package_registry_rate_limits.md +++ b/doc/user/admin_area/settings/package_registry_rate_limits.md @@ -1,6 +1,6 @@ --- stage: Package -group: Package +group: Package Registry info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments type: reference --- diff --git a/doc/user/admin_area/settings/sign_in_restrictions.md b/doc/user/admin_area/settings/sign_in_restrictions.md index 320768e6e5a..4ea420d7ca6 100644 --- a/doc/user/admin_area/settings/sign_in_restrictions.md +++ b/doc/user/admin_area/settings/sign_in_restrictions.md @@ -32,27 +32,70 @@ In the event of an external authentication provider outage, use the [GitLab Rail > [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/2158) in GitLab 13.10. -When this feature is enabled, instance administrators are limited as regular users. During that period, -they do not have access to all projects, groups, or the **Admin Area** menu. +If you are an administrator, you might want to work in GitLab without the access that +comes from being an administrator. While you could create a separate user account that +doesn't have administrator access, a more secure solution is to use *Admin Mode*. -To access potentially dangerous resources, an administrator can activate Admin Mode by: +With Admin Mode, your account does not have administrative access by default. +You can continue to access groups and projects you are a member of, but to access +administrative functionality, you must authenticate. -- Selecting the *Enable Admin Mode* button -- Trying to access any part of the UI that requires administrator access, specifically those which call `/admin` endpoints. +When Admin Mode is enabled, it applies to all administrators on the instance. -The main use case allows administrators to perform their regular tasks as a regular -user, based on their memberships, without having to set up a second account for -security reasons. +When Admin Mode is enabled for an instance, administrators: -When Admin Mode status is disabled, administrative users cannot access resources unless -they've been explicitly granted access. For example, when Admin Mode is disabled, they -get a `404` error if they try to open a private group or project, unless -they are members of that group or project. +- Are allowed to access group and projects for which they are members. +- Cannot access the **Admin Area**. -2FA should be enabled for administrators and is supported for the Admin Mode flow, as are -OmniAuth providers and LDAP auth. The Admin Mode status is stored in the active user -session and remains active until it is explicitly disabled (it will be disabled -automatically after a timeout otherwise). +### Enable Admin Mode for your instance + +Administrators can enable Admin Mode though the API, the Rails console, or the UI. + +#### Use the API to enable Admin Mode + +Make the following request to your instance endpoint: + +```shell +curl --request PUT --header "PRIVATE-TOKEN:$ADMIN_TOKEN" "<gitlab.example.com>/api/v4/application/settings?admin_mode=true" +``` + +Replace `<gitlab.example.com>` with your instance URL. + +For more information, see the [list of settings that can be accessed through API calls](../../../api/settings.md). + +#### Use the Rails console to enable Admin Mode + +Open the [Rails console](../../../administration/operations/rails_console.md) and run the following: + +```ruby +::Gitlab::CurrentSettings.update_attributes!(admin_mode: true) +``` + +#### Use the UI to enable Admin Mode + +To enable Admin Mode through the UI: + +1. On the top bar, select **Main menu > Admin**. +1. On the left sidebar, select **Settings > General**. +1. Expand **Sign-in restrictions**. +1. In the **Admin Mode** section, select the **Require additional authentication for administrative tasks** checkbox. + +### Turn on Admin Mode for your session + +To turn on Admin Mode for your current session and access potentially dangerous resources: + +1. On the top bar, select **Enable Admin Mode**. +1. Try to access any part of the UI with `/admin` in the URL (which requires administrator access). + +When Admin Mode status is disabled or turned off, administrators cannot access resources unless +they've been explicitly granted access. For example, administrators get a `404` error +if they try to open a private group or project, unless they are members of that group or project. + +2FA should be enabled for administrators. 2FA, OmniAuth providers, and LDAP +authentication are supported by Admin Mode. Admin Mode status is stored in the current user session and remains active until either: + +- It is explicitly disabled. +- It is disabled automatically after a timeout. ### Limitations of Admin Mode diff --git a/doc/user/admin_area/settings/sign_up_restrictions.md b/doc/user/admin_area/settings/sign_up_restrictions.md index 28fb188731b..76415596dce 100644 --- a/doc/user/admin_area/settings/sign_up_restrictions.md +++ b/doc/user/admin_area/settings/sign_up_restrictions.md @@ -115,7 +115,7 @@ create or update pipelines until their email address is confirmed. > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/20661) in GitLab 12.6 -You can [change](../../../security/password_length_limits.md#modify-minimum-password-length-using-gitlab-ui) +You can [change](../../../security/password_length_limits.md#modify-minimum-password-length) the minimum number of characters a user must have in their password using the GitLab UI. ### Password complexity requirements **(PREMIUM SELF)** @@ -198,6 +198,6 @@ important to describe those, too. Think of things that may go wrong and include This is important to minimize requests for support, and to avoid doc comments with questions that you know someone might ask. -Each scenario can be a third-level heading, e.g. `### Getting error message X`. +Each scenario can be a third-level heading, for example `### Getting error message X`. If you have none to add when creating a doc, leave this section in place but commented out to help encourage others to add to it in the future. --> diff --git a/doc/user/admin_area/settings/terms.md b/doc/user/admin_area/settings/terms.md index 28fe352c684..9a02e50b23f 100644 --- a/doc/user/admin_area/settings/terms.md +++ b/doc/user/admin_area/settings/terms.md @@ -43,6 +43,6 @@ important to describe those, too. Think of things that may go wrong and include This is important to minimize requests for support, and to avoid doc comments with questions that you know someone might ask. -Each scenario can be a third-level heading, e.g. `### Getting error message X`. +Each scenario can be a third-level heading, for example `### Getting error message X`. If you have none to add when creating a doc, leave this section in place but commented out to help encourage others to add to it in the future. --> diff --git a/doc/user/admin_area/settings/third_party_offers.md b/doc/user/admin_area/settings/third_party_offers.md index fbd282ed5ad..8d2ae72ba69 100644 --- a/doc/user/admin_area/settings/third_party_offers.md +++ b/doc/user/admin_area/settings/third_party_offers.md @@ -31,6 +31,6 @@ important to describe those, too. Think of things that may go wrong and include This is important to minimize requests for support, and to avoid doc comments with questions that you know someone might ask. -Each scenario can be a third-level heading, e.g. `### Getting error message X`. +Each scenario can be a third-level heading, for example `### Getting error message X`. If you have none to add when creating a doc, leave this section in place but commented out to help encourage others to add to it in the future. --> diff --git a/doc/user/admin_area/settings/usage_statistics.md b/doc/user/admin_area/settings/usage_statistics.md index fb027b462df..df60268a8bf 100644 --- a/doc/user/admin_area/settings/usage_statistics.md +++ b/doc/user/admin_area/settings/usage_statistics.md @@ -48,7 +48,7 @@ tier. Users can continue to access the features in a paid tier without sharing u ### Features available in 14.4 and later - [Repository size limit](../settings/account_and_limit_settings.md#repository-size-limit). -- [Group access restriction by IP address](../../group/access_and_permissions.md#restrict-group-access-by-ip-address). +- [Group access restriction by IP address](../../group/access_and_permissions.md#restrict-access-to-groups-by-ip-address). NOTE: Registration is not yet required for participation, but may be added in a future milestone. @@ -202,6 +202,6 @@ important to describe those, too. Think of things that may go wrong and include This is important to minimize requests for support, and to avoid doc comments with questions that you know someone might ask. -Each scenario can be a third-level heading, e.g. `### Getting error message X`. +Each scenario can be a third-level heading, for example `### Getting error message X`. If you have none to add when creating a doc, leave this section in place but commented out to help encourage others to add to it in the future. --> diff --git a/doc/user/admin_area/settings/user_and_ip_rate_limits.md b/doc/user/admin_area/settings/user_and_ip_rate_limits.md index 7431fc329d1..e285275f5bb 100644 --- a/doc/user/admin_area/settings/user_and_ip_rate_limits.md +++ b/doc/user/admin_area/settings/user_and_ip_rate_limits.md @@ -225,6 +225,6 @@ important to describe those, too. Think of things that may go wrong and include This is important to minimize requests for support, and to avoid doc comments with questions that you know someone might ask. -Each scenario can be a third-level heading, e.g. `### Getting error message X`. +Each scenario can be a third-level heading, for example `### Getting error message X`. If you have none to add when creating a doc, leave this section in place but commented out to help encourage others to add to it in the future. --> diff --git a/doc/user/admin_area/settings/visibility_and_access_controls.md b/doc/user/admin_area/settings/visibility_and_access_controls.md index d3132ae03c6..6d878bcb01c 100644 --- a/doc/user/admin_area/settings/visibility_and_access_controls.md +++ b/doc/user/admin_area/settings/visibility_and_access_controls.md @@ -45,7 +45,7 @@ By default both administrators and anyone with the **Owner** role can delete a p 1. Expand the **Visibility and access controls** section. 1. Scroll to: - (GitLab 15.1 and later) **Allowed to delete projects**, and select **Administrators**. - - (GitLab 15.0 and earlier) **Default project deletion projection** and select **Only admins can delete project**. + - (GitLab 15.0 and earlier) **Default project deletion protection** and select **Only admins can delete project**. 1. Select **Save changes**. ## Deletion protection **(PREMIUM SELF)** @@ -82,8 +82,8 @@ To configure delayed project deletion: 1. On the left sidebar, select **Settings > General**. 1. Expand the **Visibility and access controls** section. 1. Scroll to: - - (GitLab 15.1 and later) **Deletion projection** and select keep deleted groups and projects, and select a retention period. - - (GitLab 15.0 and earlier) **Default delayed project projection** and select **Enable delayed project deletion by + - (GitLab 15.1 and later) **Deletion protection** and select keep deleted groups and projects, and select a retention period. + - (GitLab 15.0 and earlier) **Default delayed project protection** and select **Enable delayed project deletion by default for newly-created groups.** Then set a retention period in **Default deletion delay**. 1. Select **Save changes**. @@ -262,7 +262,7 @@ These options specify the permitted types and lengths for SSH keys. To specify a restriction for each key type: -1. Select the desired option from the dropdown. +1. Select the desired option from the dropdown list. 1. Select **Save changes**. For more details, see [SSH key restrictions](../../../security/ssh_keys_restrictions.md). @@ -280,13 +280,13 @@ work in every repository. They can only be re-enabled by an administrator user o > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/87579) in GitLab 15.1 [with a flag](../../../administration/feature_flags.md) named `group_ip_restrictions_allow_global`. Disabled by default. > - [Generally available](https://gitlab.com/gitlab-org/gitlab/-/issues/366445) in GitLab 15.4. [Feature flag `group_ip_restrictions_allow_global`](https://gitlab.com/gitlab-org/gitlab/-/issues/366445) removed. -This setting allows you to set IP address ranges to be combined with group-level IP allowlists. -It helps administrators prevent aspects of the GitLab installation from being blocked -from working as intended when an IP allowlist is used. +Administrators can set IP address ranges to be combined with [group-level IP restrictions](../../group/access_and_permissions.md#restrict-access-to-groups-by-ip-address). +Use globally-allowed IP addresses to allow aspects of the GitLab installation to work even when group-level IP address +restrictions are set. -For example, if the GitLab Pages daemon runs on the `10.0.0.0/24` range, specify that range in this -field, as otherwise any group-level restrictions that don't include that range cause the Pages -daemon to be unable to fetch artifacts from the pipeline runs. +For example, if the GitLab Pages daemon runs on the `10.0.0.0/24` range, you can specify that range as globally-allowed. +This means GitLab Pages can still fetch artifacts from pipelines even if group-level IP address restrictions don't +include the `10.0.0.0/24` range. To add a IP address range to the group-level allowlist: @@ -294,7 +294,11 @@ To add a IP address range to the group-level allowlist: 1. On the top bar, select **Main menu > Admin**. 1. On the left sidebar, select **Settings > General**. 1. Expand the **Visibility and access controls** section. -1. In **Globally-allowed IP ranges**, provide a value. +1. In **Globally-allowed IP ranges**, provide a list of IP address ranges. This list: + - Has no limit on the number of IP address ranges. + - Has a size limit of 1 GB. + - Applies to both SSH or HTTP authorized IP address ranges. You cannot split + this list by type of authorization. 1. Select **Save changes**. <!-- ## Troubleshooting @@ -305,6 +309,6 @@ important to describe those, too. Think of things that may go wrong and include This is important to minimize requests for support, and to avoid doc comments with questions that you know someone might ask. -Each scenario can be a third-level heading, e.g. `### Getting error message X`. +Each scenario can be a third-level heading, for example `### Getting error message X`. If you have none to add when creating a doc, leave this section in place but commented out to help encourage others to add to it in the future. --> |