gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
Diffstat (limited to 'doc/user/group')
-rw-r--r-- doc/user/group/access_and_permissions.md | 57
-rw-r--r-- doc/user/group/clusters/index.md | 2
-rw-r--r-- doc/user/group/compliance_frameworks.md | 8
-rw-r--r-- doc/user/group/custom_project_templates.md | 6
-rw-r--r-- doc/user/group/epics/linked_epics.md | 8
-rw-r--r-- doc/user/group/epics/manage_epics.md | 26
-rw-r--r-- doc/user/group/import/img/bulk_imports_v14_1.png | bin 24726 -> 0 bytes
-rw-r--r-- doc/user/group/import/index.md | 64
-rw-r--r-- doc/user/group/index.md | 4
-rw-r--r-- doc/user/group/manage.md | 4
-rw-r--r-- doc/user/group/reporting/git_abuse_rate_limit.md | 8
-rw-r--r-- doc/user/group/saml_sso/group_sync.md | 39
-rw-r--r-- doc/user/group/saml_sso/index.md | 8
-rw-r--r-- doc/user/group/saml_sso/scim_setup.md | 4
-rw-r--r-- doc/user/group/saml_sso/troubleshooting.md | 18
-rw-r--r-- doc/user/group/saml_sso/troubleshooting_scim.md | 2
-rw-r--r-- doc/user/group/subgroups/index.md | 25
-rw-r--r-- doc/user/group/value_stream_analytics/index.md | 4
18 files changed, 182 insertions, 105 deletions
diff --git a/doc/user/group/access_and_permissions.md b/doc/user/group/access_and_permissions.md
index a7358db54df..4629f33f088 100644
--- a/doc/user/group/access_and_permissions.md
+++ b/doc/user/group/access_and_permissions.md
@@ -1,6 +1,6 @@
---
stage: Manage
-group: Workspace
+group: Organization
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments
---
@@ -56,7 +56,7 @@ To change the permitted Git access protocols for a group:
1. Choose the permitted protocols from **Enabled Git access protocols**.
1. Select **Save changes**.
-## Restrict access to groups by IP address **(PREMIUM)**
+## Restrict group access by IP address **(PREMIUM)**
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/1985) in GitLab 12.0.
> - [Moved](https://gitlab.com/gitlab-org/gitlab/-/issues/215410) from GitLab Ultimate to GitLab Premium in 13.1.
@@ -66,16 +66,32 @@ address. This group-level setting applies to:
- The GitLab UI, including subgroups, projects, and issues.
- [In GitLab 12.3 and later](https://gitlab.com/gitlab-org/gitlab/-/issues/12874), the API.
+- In self-managed installations of GitLab 15.1 and later, you can also configure
+[globally-allowed IP address ranges](../admin_area/settings/visibility_and_access_controls.md#configure-globally-allowed-ip-address-ranges)
+at the group level.
Administrators can combine restricted access by IP address with
[globally-allowed IP addresses](../admin_area/settings/visibility_and_access_controls.md#configure-globally-allowed-ip-address-ranges).
+To restrict group access by IP address:
+
+1. On the top bar, select **Main menu > Groups** and find your group.
+1. On the left sidebar, select **Settings > General**.
+1. Expand the **Permissions and group features** section.
+1. In the **Restrict access by IP address** text box, enter a list of IPv4 or IPv6
+ address ranges in CIDR notation. This list:
+ - Has no limit on the number of IP address ranges.
+ - Has a size limit of 1 GB.
+ - Applies to both SSH or HTTP authorized IP address ranges. You cannot split
+ this list by type of authorization.
+1. Select **Save changes**.
+
### Security implications
-You should consider some security implications before configuring IP address restrictions.
+Keep in mind that restricting group access by IP address has the following implications:
- Administrators and group owners can access group settings from any IP address, regardless of IP restriction. However:
- - Groups owners cannot access projects belonging to the group when accessing from a disallowed IP address.
+ - Group owners can access the subgroups, but not the projects belonging to the group or subgroups, when accessing from a disallowed IP address.
- Administrators can access projects belonging to the group when accessing from a disallowed IP address.
Access to projects includes cloning code from them.
- Users can still see group and project names and hierarchies. Only the following are restricted:
@@ -84,30 +100,11 @@ You should consider some security implications before configuring IP address res
- When you register a runner, it is not bound by the IP restrictions. When the runner requests a new job or an update to
a job's state, it is also not bound by the IP restrictions. But when the running CI/CD job sends Git requests from a
restricted IP address, the IP restriction prevents code from being cloned.
-- Users may still see some events from the IP restricted groups and projects on their dashboard. Activity may include
+- Users might still see some events from the IP-restricted groups and projects on their dashboard. Activity might include
push, merge, issue, or comment events.
- IP access restrictions for Git operations via SSH are supported only on GitLab SaaS.
IP access restrictions applied to self-managed instances block SSH completely.
-### Restrict group access by IP address
-
-To restrict group access by IP address:
-
-1. On the top bar, select **Main menu > Groups** and find your group.
-1. On the left sidebar, select **Settings > General**.
-1. Expand the **Permissions and group features** section.
-1. In the **Restrict access by IP address** field, enter a list of IPv4 or IPv6
- address ranges in CIDR notation. This list:
- - Has no limit on the number of IP address ranges.
- - Has a size limit of 1 GB.
- - Applies to both SSH or HTTP authorized IP address ranges. You cannot split
- this list by type of authorization.
-1. Select **Save changes**.
-
-In self-managed installations of GitLab 15.1 and later, you can also configure
-[globally-allowed IP address ranges](../admin_area/settings/visibility_and_access_controls.md#configure-globally-allowed-ip-address-ranges)
-at the group level.
-
## Restrict group access by domain **(PREMIUM)**
> - Support for specifying multiple email domains [added](https://gitlab.com/gitlab-org/gitlab/-/issues/33143) in GitLab 13.1.
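Review bot: the unchanged bullet in this hunk's context says IP restrictions on self-managed instances block SSH completely, while the procedure removed here (and re-added above) tells readers the list "Applies to both SSH or HTTP authorized IP address ranges" with no such qualifier. Now that the procedure comes before "Security implications", add a pointer from that step to the SSH caveat so a self-managed administrator sees it before selecting **Save changes**.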
@@ -170,11 +167,13 @@ To prevent sharing outside of the group's hierarchy:
## Prevent a project from being shared with groups
-Prevent projects in a group from
-[sharing a project with another group](../project/members/share_project_with_groups.md)
-to enable tighter control over project access.
+[Sharing a project with another group](../project/members/share_project_with_groups.md)
+increases the number of users who can invite yet more members to the project.
+Each (sub)group can be an additional source of access permissions,
+which can be confusing and difficult to control.
-To prevent a project from being shared with other groups:
+To restrict the permission to invite project members to a single source,
+prevent a project from being shared with other groups:
1. On the top bar, select **Main menu > Groups** and find your group.
1. On the left sidebar, select **Settings > General**.
@@ -302,4 +301,4 @@ If a user sees a 404 when they would normally expect access, and the problem is
- `json.message`: `'Attempting to access IP restricted group'`
- `json.allowed`: `false`
-In viewing the log entries, compare the `remote.ip` with the list of [allowed IP addresses](#restrict-access-to-groups-by-ip-address) for the group.
+In viewing the log entries, compare `remote.ip` with the list of [allowed IP addresses](#restrict-group-access-by-ip-address) for the group.
diff --git a/doc/user/group/clusters/index.md b/doc/user/group/clusters/index.md
index 62f5a3ba54f..cb760217487 100644
--- a/doc/user/group/clusters/index.md
+++ b/doc/user/group/clusters/index.md
@@ -111,7 +111,7 @@ The domain should have a wildcard DNS configured to the Ingress IP address. [Mor
When adding more than one Kubernetes cluster to your project, you need to differentiate
them with an environment scope. The environment scope associates clusters with
[environments](../../../ci/environments/index.md) similar to how the
-[environment-specific CI/CD variables](../../../ci/variables/index.md#limit-the-environment-scope-of-a-cicd-variable)
+[environment-specific CI/CD variables](../../../ci/environments/index.md#limit-the-environment-scope-of-a-cicd-variable)
work.
While evaluating which environment matches the environment scope of a
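Review bot: the new target `../../../ci/environments/index.md#limit-the-environment-scope-of-a-cicd-variable` keeps the old anchor and changes only the page, and the same sentence already links `environments/index.md` one line earlier. Confirm the anchor exists on the environments page, since this diff does not touch that file; if the section did move there, consider whether the link text "environment-specific CI/CD variables" still describes the destination.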
diff --git a/doc/user/group/compliance_frameworks.md b/doc/user/group/compliance_frameworks.md
index 0e976cec866..9f40f9e84bf 100644
--- a/doc/user/group/compliance_frameworks.md
+++ b/doc/user/group/compliance_frameworks.md
@@ -25,9 +25,9 @@ Group owners can create, edit, and delete compliance frameworks:
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/375036) in GitLab 15.6.
-Group owners can set a default compliance framework. The default framework is applied to all the new projects
-that are created within that group. It does not affect the framework applied to the existing projects. The default
-framework cannot be deleted.
+Group owners can set a default compliance framework. The default framework is applied to all the new and imported
+projects that are created within that group. It does not affect the framework applied to the existing projects. The
+default framework cannot be deleted.
A compliance framework that is set to default has a **default** label.
@@ -237,7 +237,7 @@ can be configured to be:
Generally, if a value in a compliance job:
- Is set, it cannot be changed or overridden by project-level configurations.
-- Is not set, a project-level configuration may set.
+- Is not set, a project-level configuration may be set.
Either might be wanted or not depending on your use case.
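Review bot: in the second bullet, "a project-level configuration may be set" changes the subject of the sentence: the list is about the value, and the old "may set" was only missing its object. Suggest "Is not set, a project-level configuration may set it." so it mirrors the first bullet ("it cannot be changed or overridden by project-level configurations").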
diff --git a/doc/user/group/custom_project_templates.md b/doc/user/group/custom_project_templates.md
index 547e64df7c5..2716db27037 100644
--- a/doc/user/group/custom_project_templates.md
+++ b/doc/user/group/custom_project_templates.md
@@ -9,12 +9,12 @@ info: To determine the technical writer assigned to the Stage/Group associated w
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/6861) in GitLab 11.6.
-When you create a project, you can [choose from a list of templates](../project/working_with_projects.md#create-a-project).
+When you create a project, you can [choose from a list of templates](../project/index.md#create-a-project).
These templates, for things like GitLab Pages or Ruby, populate the new project with a copy of the files contained in the
template. This information is identical to the information used by [GitLab project import/export](../project/settings/import_export.md)
and can help you start a new project more quickly.
-You can [customize the list](../project/working_with_projects.md#create-a-project) of available templates, so
+You can [customize the list](../project/index.md#create-a-project) of available templates, so
that all projects in your group have the same list. To do this, you populate a subgroup with the projects you want to
use as templates.
@@ -40,7 +40,7 @@ Projects in nested subgroups are not included in the template list.
## Which projects are available as templates
-- Public and internal projects can be selected by any signed-in user as a template for a new project,
+- Public and internal projects can be selected by any authenticated user as a template for a new project,
if all [project features](../project/settings/index.md#configure-project-visibility-features-and-permissions)
except for **GitLab Pages** and **Security & Compliance** are set to **Everyone With Access**.
- Private projects can be selected only by users who are members of the projects.
diff --git a/doc/user/group/epics/linked_epics.md b/doc/user/group/epics/linked_epics.md
index 4049ac2e9a1..63bf1a4471c 100644
--- a/doc/user/group/epics/linked_epics.md
+++ b/doc/user/group/epics/linked_epics.md
@@ -20,9 +20,11 @@ To manage linked epics through our API, visit the [epic links API documentation]
## Add a linked epic
+> Minimum required role for the group [changed](https://gitlab.com/gitlab-org/gitlab/-/issues/381308) from Reporter to Guest in GitLab 15.8.
+
Prerequisites:
-- You must have at least the Reporter role for both groups.
+- You must have at least the Guest role for both groups.
- For GitLab SaaS: the epic that you're editing must be in a group on GitLab Ultimate.
The epics you're linking can be in a group on a lower tier.
@@ -59,9 +61,11 @@ The linked epics are then displayed on the epic grouped by relationship.
## Remove a linked epic
+> Minimum required role for the group [changed](https://gitlab.com/gitlab-org/gitlab/-/issues/381308) from Reporter to Guest in GitLab 15.8.
+
Prerequisites:
-- You must have at least the Reporter role for the epic's group.
+- You must have at least the Guest role for the epic's group.
To remove a linked epic, in the **Linked epics** section of an epic,
select **Remove** (**{close}**) next to
diff --git a/doc/user/group/epics/manage_epics.md b/doc/user/group/epics/manage_epics.md
index 8e7b6fd82ad..fa8f96952b3 100644
--- a/doc/user/group/epics/manage_epics.md
+++ b/doc/user/group/epics/manage_epics.md
@@ -341,6 +341,8 @@ automatically added to the epic.
#### Add an existing issue to an epic
+> Minimum required role for the project [changed](https://gitlab.com/gitlab-org/gitlab/-/issues/382506) from Reporter to Guest in GitLab 15.8.
+
You can add existing issues to an epic, including issues in a project from a [different group hierarchy](index.md#child-issues-from-different-group-hierarchies).
Newly added issues appear at the top of the list of issues in the **Epics and Issues** tab.
@@ -350,8 +352,7 @@ current parent.
Prerequisites:
-- You must be able to [view the epic](#who-can-view-an-epic).
-- You must be able to [edit the issue](../../project/issues/managing_issues.md#edit-an-issue).
+- You must have at least the Guest role for the issue's project and the epic's group.
To add an existing issue to an epic:
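Review bot: the new prerequisite drops both links the old ones carried (`#who-can-view-an-epic` and the edit-an-issue page), and the history note added for this section says the project role changed "from Reporter to Guest" although the removed lines never named Reporter. Keep a link for readers who need to know who can view an epic, or word the history note to match what the prerequisite used to say.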
@@ -368,13 +369,14 @@ To add an existing issue to an epic:
#### Create an issue from an epic
+> Minimum required role for the project [changed](https://gitlab.com/gitlab-org/gitlab/-/issues/382506) from Reporter to Guest in GitLab 15.8.
+
Creating an issue from an epic enables you to maintain focus on the broader context of the epic
while dividing work into smaller parts.
Prerequisites:
-- You must be able to [view the epic](#who-can-view-an-epic).
-- You must have at least the Reporter role for the project.
+- You must have at least the Guest role for the issue's project and the epic's group.
To create an issue from an epic:
@@ -388,13 +390,14 @@ The new issue is assigned to the epic.
### Remove an issue from an epic
+> Minimum required role for the project [changed](https://gitlab.com/gitlab-org/gitlab/-/issues/382506) from Reporter to Guest in GitLab 15.8.
+
You can remove issues from an epic when you're on the epic's details page.
After you remove an issue from an epic, the issue is no longer associated with this epic.
Prerequisites:
-- You must have at least the Reporter role for the epic's group.
-- You must be able to [edit the issue](../../project/issues/managing_issues.md#edit-an-issue).
+- You must have at least the Guest role for the issue's project and the epic's group.
To remove an issue from an epic:
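Review bot: the history note says the minimum role "for the project" changed from Reporter to Guest, but the removed prerequisite was "at least the Reporter role for the epic's group"; the project side was expressed as being able to edit the issue. Say "for the epic's group" here, or describe both changes, so a reader auditing who can detach issues gets the right scope. The reorder and move hunks below add the same note over the same old wording.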
@@ -406,14 +409,15 @@ To remove an issue from an epic:
### Reorder issues assigned to an epic
-> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/9367) in GitLab 12.5.
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/9367) in GitLab 12.5.
+> - Minimum required role for the project [changed](https://gitlab.com/gitlab-org/gitlab/-/issues/382506) from Reporter to Guest in GitLab 15.8.
New issues appear at the top of the list in the **Epics and Issues** tab.
You can reorder the list of issues by dragging them.
Prerequisites:
-- You must have at least the Reporter role for the epic's group.
+- You must have at least the Guest role for the issue's project and the epic's group.
To reorder issues assigned to an epic:
@@ -422,15 +426,15 @@ To reorder issues assigned to an epic:
### Move issues between epics **(ULTIMATE)**
-> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/33039) in GitLab 13.0.
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/33039) in GitLab 13.0.
+> - Minimum required role for the project [changed](https://gitlab.com/gitlab-org/gitlab/-/issues/382506) from Reporter to Guest in GitLab 15.8.
New issues appear at the top of the list in the **Epics and Issues**
tab. You can move issues from one epic to another.
Prerequisites:
-- You must have at least the Reporter role for the epic's group.
-- You must be able to [edit the issue](../../project/issues/managing_issues.md#edit-an-issue).
+- You must have at least the Guest role for the issue's project and the epic's group.
To move an issue to another epic:
diff --git a/doc/user/group/import/img/bulk_imports_v14_1.png b/doc/user/group/import/img/bulk_imports_v14_1.png
deleted file mode 100644
index fb419c1df6c..00000000000
--- a/doc/user/group/import/img/bulk_imports_v14_1.png
+++ /dev/null
Binary files differ
diff --git a/doc/user/group/import/index.md b/doc/user/group/import/index.md
index 9a671ff6679..c264b5ceaf8 100644
--- a/doc/user/group/import/index.md
+++ b/doc/user/group/import/index.md
@@ -26,20 +26,16 @@ If you migrate from GitLab.com to self-managed GitLab, an administrator can crea
> - Group items [enabled on GitLab.com and self-managed](https://gitlab.com/gitlab-org/gitlab/-/issues/338985) in GitLab 14.3.
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/267945) in GitLab 14.4 for project resources [with a flag](../../feature_flags.md) named `bulk_import_projects`. Disabled by default.
> - [Enabled on GitLab.com](https://gitlab.com/gitlab-org/gitlab/-/issues/339941) in GitLab 15.6.
+> - New application setting `bulk_import_enabled` [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/383268) in GitLab 15.8. `bulk_import` feature flag removed.
FLAG:
-On self-managed GitLab, by default [migrating group items](#migrated-group-items) is available. To hide the
-feature, ask an administrator to [disable the feature flag](../../../administration/feature_flags.md) named `bulk_import`.
-On self-managed GitLab, by default [migrating project items](#migrated-project-items) is not available. To show
+On self-managed GitLab, by default [migrating group items](#migrated-group-items) is not available. To show the
+feature, ask an administrator to [enable it in application settings](../../admin_area/settings/visibility_and_access_controls.md#enable-migration-of-groups-and-projects-by-direct-transfer).
+Also on self-managed GitLab, by default [migrating project items](#migrated-project-items-beta) is not available. To show
this feature, ask an administrator to [enable the feature flag](../../../administration/feature_flags.md) named
-`bulk_import_projects`. On GitLab.com, migration of both groups and projects is available.
+`bulk_import_projects`. The feature is not ready for production use. On GitLab.com, migration of both groups and projects is available.
-Prerequisites:
-
-- Network connection between instances or GitLab.com. Must support HTTPS.
-- Owner role on the top-level group to migrate.
-
-You can import top-level groups to:
+You can migrate top-level groups to:
- Another top-level group.
- The subgroup of any existing top-level group.
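Review bot: in the FLAG block, "The feature is not ready for production use" follows a sentence about `bulk_import_projects`, but the block now covers two features, so it is unclear which one is meant; name it, for example "Migrating project items is not ready for production use." The block also flips group migration on self-managed GitLab from available by default to not available by default. The history line mentions the new `bulk_import_enabled` setting and the removed `bulk_import` flag but not that change of default, which is what an administrator upgrading needs to know.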
@@ -47,15 +43,34 @@ You can import top-level groups to:
You can migrate:
-- By direct transfer using either the UI or the [API](../../../api/bulk_imports.md).
+- By direct transfer through either the UI or the [API](../../../api/bulk_imports.md).
- Many groups at once.
+- With projects (in [Beta](../../../policy/alpha-beta-support.md#beta-features) and not ready for production use) or
+ without projects.
-When migrating a top-level group to GitLab.com, all its subgroups and projects are migrated too.
+When you migrate a group by direct transfer, you can also migrate subgroups and projects. When you migrate a group:
+
+- To GitLab.com, all its subgroups and projects are migrated too.
+- To a self-managed instance, migrating project items is not available by default. An administrator must
+ [enable the feature flag](../../../administration/feature_flags.md) named `bulk_import_projects`.
+
+WARNING:
+Migrating subgroups and projects this way is in [Beta](../../../policy/alpha-beta-support.md#beta-features) and is not
+ready for production use.
Not all group and project resources are imported. See list of migrated resources below:
- [Migrated group items](#migrated-group-items).
-- [Migrated project items](#migrated-project-items).
+- [Migrated project items](#migrated-project-items-beta).
+
+Prerequisites:
+
+- Network connection between instances or GitLab.com. Must support HTTPS.
+- Both GitLab instances have [migration enabled in application settings](../../admin_area/settings/visibility_and_access_controls.md#enable-migration-of-groups-and-projects-by-direct-transfer)
+ by an instance administrator.
+- Owner role on the top-level source group to migrate from.
+- At least the Maintainer role on the destination group to migrate to. Using the Developer role for this purpose was
+ [deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/387891) in GitLab 15.8 and will be removed in GitLab 16.0.
### Preparation
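Review bot: the added WARNING says "Migrating subgroups and projects this way is in Beta", but the bullet a few lines above marks only "With projects" as Beta. Drop "subgroups and", or state explicitly that subgroup migration is Beta too. In the relocated prerequisites, "Both GitLab instances have migration enabled ... by an instance administrator" sits next to "between instances or GitLab.com"; say what applies when one side is GitLab.com.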
@@ -94,16 +109,19 @@ Create the group you want to import to and connect the source:
### Select the groups to import
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/385689) in GitLab 15.8, option to import groups with or without projects.
+
After you have authorized access to the source GitLab instance, you are redirected to the GitLab group
importer page. The top-level groups on the connected source instance you have the Owner role for are listed.
1. By default, the proposed group namespaces match the names as they exist in source instance, but based on your permissions, you can choose to edit these names before you proceed to import any of them.
-1. Next to the groups you want to import, select **Import**.
+1. Next to the groups you want to import, select either:
+ - **Import with projects**. Importing groups with projects is in [Beta](../../../policy/alpha-beta-support.md#beta-features). This feature is not ready for production use.
+ - **Import without projects**.
+ - **Import** on self-managed GitLab, when the `bulk_import_projects` feature flag is disabled and the feature is not available.
1. The **Status** column shows the import status of each group. If you leave the page open, it updates in real-time.
1. After a group has been imported, select its GitLab path to open its GitLab URL.
-![Group Importer page](img/bulk_imports_v14_1.png)
-
### Group import history
You can view all groups migrated by you by direct transfer listed on the group import history page. This list includes:
@@ -155,19 +173,25 @@ Group items that are migrated to the target instance include:
Any other items are **not** migrated.
-### Migrated project items
+### Migrated project items (beta)
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/267945) in GitLab 14.4 [with a flag](../../feature_flags.md) named `bulk_import_projects`. Disabled by default.
> - [Enabled on GitLab.com](https://gitlab.com/gitlab-org/gitlab/-/issues/339941) in GitLab 15.6.
FLAG:
-On self-managed GitLab, migrating project resources when migrating groups is not available by default. To make it available ask an administrator to [enable the feature flag](../../../administration/feature_flags.md) named `bulk_import_projects`. On GitLab.com, groups are migrated with all their projects by default.
+On self-managed GitLab, migrating project resources when migrating groups is not available by default.
+To make it available ask an administrator to [enable the feature flag](../../../administration/feature_flags.md) named
+`bulk_import_projects`. On GitLab.com, groups are migrated with all their projects by default.
The [`import_export.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/import_export/project/import_export.yml)
file for projects lists many of the items imported when migrating projects using group migration. View this file in the branch
for your version of GitLab to see the list of items relevant to you. For example,
[`import_export.yml` on the `14-10-stable-ee` branch](https://gitlab.com/gitlab-org/gitlab/-/blob/14-10-stable-ee/lib/gitlab/import_export/project/import_export.yml).
+WARNING:
+Migrating projects when migrating groups by direct transfer is in [Beta](../../../policy/alpha-beta-support.md#beta-features)
+and is not ready for production use.
+
Project items that are migrated to the target instance include:
- Projects ([Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/267945) in GitLab 14.4)
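Review bot: the reflowed FLAG text still ends with "On GitLab.com, groups are migrated with all their projects by default", which no longer matches the **Import with projects** / **Import without projects** choice this commit documents under "Select the groups to import". Reword it to say that project migration is available on GitLab.com. The WARNING would also be easier to find directly under the FLAG block than after the `import_export.yml` paragraph.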
@@ -390,7 +414,7 @@ You can also export a group [using the API](../../../api/group_import_export.md)
1. Create a new group:
- On the top bar, select **Create new…** (**{plus-square}**) and then **New group**.
- - On an existing group's page, select the **New subgroup** button.
+ - On an existing group's page, select **New subgroup**.
1. Select **Import group**.
1. Enter your group name.
1. Accept or modify the associated group URL.
@@ -405,7 +429,7 @@ The maximum import file size can be set by the administrator, default is `0` (un
As an administrator, you can modify the maximum import file size. To do so, use the `max_import_size` option in the
[Application settings API](../../../api/settings.md#change-application-settings) or the
[Admin Area](../../admin_area/settings/account_and_limit_settings.md).
-Default [modified](https://gitlab.com/gitlab-org/gitlab/-/issues/251106) from 50MB to 0 in GitLab 13.8.
+Default [modified](https://gitlab.com/gitlab-org/gitlab/-/issues/251106) from 50 MB to 0 in GitLab 13.8.
### Rate limits
diff --git a/doc/user/group/index.md b/doc/user/group/index.md
index 62659938d91..db01358d899 100644
--- a/doc/user/group/index.md
+++ b/doc/user/group/index.md
@@ -1,6 +1,6 @@
---
stage: Manage
-group: Workspace
+group: Organization
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments
---
@@ -25,7 +25,7 @@ For more information about creating and managing your groups, see [Manage groups
Like projects, a group can be configured to limit the visibility of it to:
- Anonymous users.
-- All signed-in users.
+- All authenticated users.
- Only explicit group members.
The restriction for [visibility levels](../admin_area/settings/visibility_and_access_controls.md#restrict-visibility-levels)
diff --git a/doc/user/group/manage.md b/doc/user/group/manage.md
index 414b80d0f1d..a755447c47c 100644
--- a/doc/user/group/manage.md
+++ b/doc/user/group/manage.md
@@ -1,6 +1,6 @@
---
stage: Manage
-group: Workspace
+group: Organization
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments
---
@@ -213,7 +213,7 @@ To avoid this problem, GitLab administrators can [ensure removed users cannot in
There are two different ways to add a new project to a group:
-- Select a group, and then select **New project**. You can then continue [creating your project](../../user/project/working_with_projects.md#create-a-project).
+- Select a group, and then select **New project**. You can then continue [creating your project](../../user/project/index.md#create-a-project).
- While you are creating a project, select a group from the dropdown list.
![Select group](img/select_group_dropdown_13_10.png)
diff --git a/doc/user/group/reporting/git_abuse_rate_limit.md b/doc/user/group/reporting/git_abuse_rate_limit.md
index 1cf3a9dbe7d..a5515079294 100644
--- a/doc/user/group/reporting/git_abuse_rate_limit.md
+++ b/doc/user/group/reporting/git_abuse_rate_limit.md
@@ -4,12 +4,12 @@ group: Anti-Abuse
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments
---
-# Git abuse rate limit **(ULTIMATE SELF)**
+# Git abuse rate limit **(ULTIMATE)**
> [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/8066) in GitLab 15.2 [with a flag](../../../administration/feature_flags.md) named `limit_unique_project_downloads_per_namespace_user`. Disabled by default.
FLAG:
-On self-managed GitLab, by default this feature is not available. To make it available, ask an administrator to [enable the feature flag](../../../administration/feature_flags.md) named `limit_unique_project_downloads_per_namespace_user`. On GitLab.com, this feature is not available.
+On self-managed GitLab, by default this feature is not available. To make it available, ask an administrator to [enable the feature flag](../../../administration/feature_flags.md) named `limit_unique_project_downloads_per_namespace_user`. On GitLab.com, this feature is available.
Git abuse rate limiting is a feature to automatically ban users who download or clone more than a specified number of repositories in a group or any of its subgroups within a given time frame. Banned users cannot access the main group or any of its non-public subgroups via HTTP or SSH. Access to unrelated groups is unaffected.
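Review bot: the FLAG text now says the feature is available on GitLab.com and the tier badge drops SELF, but the history line above still records only the 15.2 introduction, "Disabled by default". Add a history entry for the GitLab.com enablement, with its issue link and version, so the badge, the FLAG text and the history agree.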
@@ -31,6 +31,10 @@ If automatic banning is enabled, users with the Owner role for the main group re
## Unban a user
+Prerequisites:
+
+- You must have the Owner role.
+
1. On the left sidebar, select **Group information > Members**.
1. Select the **Banned** tab.
1. For the account you want to unban, select **Unban**.
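Review bot: "You must have the Owner role" does not say for which group. The context line in the hunk header refers to "users with the Owner role for the main group", so spell it out the same way here, and add a "To unban a user:" lead-in between the prerequisites and the numbered steps.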
diff --git a/doc/user/group/saml_sso/group_sync.md b/doc/user/group/saml_sso/group_sync.md
index 80d145fc6bb..65c4d68f743 100644
--- a/doc/user/group/saml_sso/group_sync.md
+++ b/doc/user/group/saml_sso/group_sync.md
@@ -27,19 +27,40 @@ You must include the SAML configuration block on all Sidekiq nodes in addition t
- Use SAML Group Sync.
- Have multiple GitLab nodes, for example in a distributed or highly available architecture.
+NOTE:
+SAML Group Sync is only supported for the [SAML provider named `saml`](../../../integration/saml.md#configure-gitlab-to-use-multiple-saml-idps).
+As a result, SAML Group Sync only supports a single SAML provider. For more information, see [issue 386605](https://gitlab.com/gitlab-org/gitlab/-/issues/386605).
+
WARNING:
To prevent users being accidentally removed from the GitLab group, follow these instructions closely before
enabling Group Sync in GitLab.
-To configure SAML Group Sync:
-
-1. Configure the identity Provider:
- - For self-managed GitLab, see the [SAML OmniAuth Provider documentation](../../../integration/saml.md).
- - For GitLab.com, see the [SAML SSO for GitLab.com groups documentation](index.md).
-
-1. Capture [a SAML response](troubleshooting.md#saml-debugging-tools) during the sign-in process to confirm your SAML identity provider sends an attribute statement:
- - For self-managed GitLab, with the same name as the value of the `groups_attribute` setting.
- - For GitLab.com, named `Groups` or `groups`.
+To configure SAML Group Sync for self-managed GitLab instances:
+
+1. Configure the [SAML OmniAuth Provider](../../../integration/saml.md).
+1. Ensure your SAML identity provider sends an attribute statement with the same name as the value of the `groups_attribute` setting. See the following attribute statement example for reference:
+
+ ```ruby
+ gitlab_rails['omniauth_providers'] = [
+ {
+ name: "saml",
+ label: "Provider name", # optional label for login button, defaults to "Saml",
+ groups_attribute: 'Groups',
+ args: {
+ assertion_consumer_service_url: "https://gitlab.example.com/users/auth/saml/callback",
+ idp_cert_fingerprint: "43:51:43:a1:b5:fc:8b:b7:0a:3a:a9:b1:0f:66:73:a8",
+ idp_sso_target_url: "https://login.example.com/idp",
+ issuer: "https://gitlab.example.com",
+ name_identifier_format: "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
+ }
+ }
+ ]
+ ```
+
+To configure SAML Group Sync for GitLab.com instances:
+
+1. See [SAML SSO for GitLab.com groups](index.md).
+1. Ensure your SAML identity provider sends an attribute statement named `Groups` or `groups`.
NOTE:
The value for `Groups` or `groups` in the SAML response may be either the group name or an ID.
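Review bot: The lead-in to the new Ruby block calls it an "attribute statement example", but the block is the GitLab-side `gitlab_rails['omniauth_providers']` configuration; the only line that relates to the attribute statement is `groups_attribute: 'Groups'`. Reword the lead-in to say this is an example provider configuration and that the identity provider must send an attribute named after `groups_attribute`. The rewrite also drops the old step that linked to `troubleshooting.md#saml-debugging-tools` for capturing a SAML response. Given the WARNING just above about users being removed from the GitLab group, keep a pointer to how to confirm the attribute is actually sent before enabling sync. Minor: the inline comment `# optional label for login button, defaults to "Saml",` ends with a stray comma, and "GitLab.com instances" would read better as "GitLab.com".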
diff --git a/doc/user/group/saml_sso/index.md b/doc/user/group/saml_sso/index.md
index bd10560e138..1275e3a21e4 100644
--- a/doc/user/group/saml_sso/index.md
+++ b/doc/user/group/saml_sso/index.md
@@ -157,7 +157,7 @@ When the transparent SSO enforcement feature flag is enabled, SSO is enforced as
| Public | Off | Enforced | Not enforced | Not enforced |
| Public | On | Enforced | Enforced | Not enforced |
-An [issue exists](https://gitlab.com/gitlab-org/gitlab/-/issues/297389) to add a similar SSO requirement for API activity.
+An [issue exists](https://gitlab.com/gitlab-org/gitlab/-/issues/297389) to add a similar SSO requirement for API and GitLab Pages activities.
SSO enforcement has the following effects when enabled:
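Review bot: The changed sentence after the enforcement table only implies the current behaviour: a reader has to infer from "an issue exists" that the SSO requirement does not yet cover API or GitLab Pages activity. Because this describes a gap in an access control, say so directly (that SSO enforcement does not apply to API and GitLab Pages activity), then link the issue as the place where that is tracked.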
@@ -370,7 +370,11 @@ On subsequent visits, you should be able to go [sign in to GitLab.com with SAML]
### Change NameID for one or more users
-If the NameID changes for one or more users, they need to reconnect their SAML account.
+> Update of SAML identities using the SAML API [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/227841) in GitLab 15.5.
+
+Group owners can update the SAML identities for their group members using the [SAML API](../../../api/saml.md).
+
+Alternatively, ask the users to reconnect their SAML account.
1. Ask relevant users to [unlink their account from the group](#unlinking-accounts).
1. Ask relevant users to [link their account to the new SAML app](#linking-saml-to-your-existing-gitlabcom-account).
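Review bot: "Alternatively, ask the users to reconnect their SAML account." now introduces the two numbered steps that follow, so it should end with a colon rather than a period; otherwise the steps read as detached from it. The new SAML API paragraph also does not say what value the group owner has to set. The troubleshooting.md change in this same patch states that `extern_uid` must match the Name ID sent by the identity provider, so one sentence to that effect, or a link to that section, belongs here too.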
diff --git a/doc/user/group/saml_sso/scim_setup.md b/doc/user/group/saml_sso/scim_setup.md
index 18af39f4271..8c30c246566 100644
--- a/doc/user/group/saml_sso/scim_setup.md
+++ b/doc/user/group/saml_sso/scim_setup.md
@@ -15,7 +15,7 @@ GitLab SAML SSO SCIM doesn't support updating users.
When SCIM is enabled for a GitLab group, membership of that group is synchronized between GitLab and an identity provider.
-The [internal GitLab SCIM API](../../../development/internal_api/index.md#scim-api) implements part of [the RFC7644 protocol](https://www.rfc-editor.org/rfc/rfc7644).
+The [internal GitLab group SCIM API](../../../development/internal_api/index.md#group-scim-api) implements part of [the RFC7644 protocol](https://www.rfc-editor.org/rfc/rfc7644).
## Configure GitLab
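Review bot: The link target changes from `#scim-api` to `#group-scim-api` here, and the same rename appears later in this file and in troubleshooting_scim.md, but `doc/development/internal_api/index.md` is outside this diffstat (limited to doc/user/group), so the new anchor cannot be confirmed from what is shown. Check that the heading behind `#group-scim-api` exists in the same commit, otherwise all three links break.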
@@ -121,7 +121,7 @@ attributes and modify them accordingly. In particular, the `objectId` source att
target attribute.
If a mapping is not listed in the table, use the Azure Active Directory defaults. For a list of required attributes,
-refer to the [internal SCIM API](../../../development/internal_api/index.md#scim-api) documentation.
+refer to the [internal group SCIM API](../../../development/internal_api/index.md#group-scim-api) documentation.
### Configure Okta
diff --git a/doc/user/group/saml_sso/troubleshooting.md b/doc/user/group/saml_sso/troubleshooting.md
index f8075e62ecc..a42d3f8fd03 100644
--- a/doc/user/group/saml_sso/troubleshooting.md
+++ b/doc/user/group/saml_sso/troubleshooting.md
@@ -52,7 +52,7 @@ You can use one of the following to troubleshoot SAML:
- A [quick start guide to start a Docker container](../../../administration/troubleshooting/test_environments.md#saml)
with a plug and play SAML 2.0 identity provider if you only require a SAML provider.
- A local environment by
- [enabling SAML for groups on a self-managed instance](../../../integration/saml.md#group-saml-on-a-self-managed-gitlab-instance).
+ [enabling SAML for groups on a self-managed instance](../../../integration/saml.md#configure-group-saml-sso-on-a-self-managed-instance).
## Verify configuration
@@ -233,6 +233,13 @@ If you receive a `404` during setup when using "verify configuration", make sure
If a user is trying to sign in for the first time and the GitLab single sign-on URL has not [been configured](index.md#configure-your-identity-provider), they may see a 404.
As outlined in the [user access section](index.md#linking-saml-to-your-existing-gitlabcom-account), a group Owner needs to provide the URL to users.
+If all users are receiving a `404` after signing in to the identity provider (IdP), verify the `assertion_consumer_service_url`:
+
+- In the GitLab configuration by [matching it to the HTTPS endpoint of GitLab](../../../integration/saml.md#configure-saml-support-in-gitlab).
+- As the `Assertion Consumer Service URL` or equivalent when setting up the SAML app on your IdP.
+
+For configuration examples for some of the common providers, see the [example group SAML and SCIM configurations](example_saml_config.md).
+
### 500 error after login **(FREE SELF)**
If you see a "500 error" in GitLab when you are redirected back from the SAML
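Review bot: The added `404` paragraph tells the reader to verify `assertion_consumer_service_url` in two places but never says that the two values must be the same URL, which is the actual check. State that the value in the GitLab configuration and the Assertion Consumer Service URL set on the IdP must match exactly. The first bullet also applies only where the reader can edit the GitLab configuration, while the closing sentence links to the group SAML and SCIM examples; say which bullet applies to self-managed instances and which to GitLab.com groups, as the neighbouring `500` heading does with its tier badge.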
@@ -281,3 +288,12 @@ this means:
A GitLab group Owner can use the [SAML API](../../../api/saml.md) to update the user's SAML `extern_uid`.
The `extern_uid` value must match the Name ID value sent by the SAML identity provider (IdP). Depending on the IdP configuration
this may be a generated unique ID, an email address, or other value.
+
+## Message: "The member's email address is not linked to a SAML account" **(PREMIUM SAAS)**
+
+This error appears when you try to invite a user to a GitLab.com group (or subgroup or project within a group) that has [SAML SSO enforcement](index.md#sso-enforcement) enabled.
+
+If you see this message after trying to invite a user to a group:
+
+1. Ensure the user has been [added to the SAML identity provider](index.md#user-access-and-management).
+1. Ask the user to [link SAML to their existing GitLab.com account](index.md#linking-saml-to-your-existing-gitlabcom-account), if they have one. Otherwise, ask the user to create a GitLab.com account by [accessing GitLab.com through the identity provider's dashboard](index.md#user-access-and-management), or by [signing up manually](https://gitlab.com/users/sign_up) and linking SAML to their new account.
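Review bot: In the new section, the opening sentence and "If you see this message after trying to invite a user to a group:" state the same condition twice; fold them into one lead-in before the steps. Step 2 packs three alternatives into a single sentence (link SAML to an existing account, create an account through the identity provider's dashboard, or sign up manually and then link). Split these into sub-bullets so the existing-account case and the two new-account cases are easy to tell apart.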
diff --git a/doc/user/group/saml_sso/troubleshooting_scim.md b/doc/user/group/saml_sso/troubleshooting_scim.md
index 22562c51e9e..939ed804a99 100644
--- a/doc/user/group/saml_sso/troubleshooting_scim.md
+++ b/doc/user/group/saml_sso/troubleshooting_scim.md
@@ -100,7 +100,7 @@ Changing the SAML or SCIM configuration or provider can cause the following prob
GitLab.com administrators can search for SCIM requests in the `api_json.log` using the `pubsub-rails-inf-gprd-*` index in
[Kibana](https://about.gitlab.com/handbook/support/workflows/kibana.html#using-kibana). Use the following filters based
-on the internal [SCIM API](../../../development/internal_api/index.md#scim-api):
+on the internal [group SCIM API](../../../development/internal_api/index.md#group-scim-api):
- `json.path`: `/scim/v2/groups/<group-path>`
- `json.params.value`: `<externalId>`
diff --git a/doc/user/group/subgroups/index.md b/doc/user/group/subgroups/index.md
index 95c8e60af5d..f8d3456648d 100644
--- a/doc/user/group/subgroups/index.md
+++ b/doc/user/group/subgroups/index.md
@@ -1,6 +1,6 @@
---
stage: Manage
-group: Workspace
+group: Organization
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments
---
@@ -66,16 +66,16 @@ In the hierarchy list, public groups with a private subgroup have an expand opti
for all users that indicate there is a subgroup. When users who are not direct or inherited members of
the private subgroup select expand (**{chevron-down}**), the nested subgroup does not display.
-If you prefer to keep information about the presence of nested subgroups private, we advise that you only
-add private subgroups to private parent groups.
+If you prefer to keep information about the presence of nested subgroups private, we advise that you
+add private subgroups only to private parent groups.
## Create a subgroup
Prerequisites:
-- You must either:
- - Have at least the Maintainer role for a group to create subgroups for it.
- - Have the [role determined by a setting](#change-who-can-create-subgroups). These users can create
+- You must have either:
+ - At least the Maintainer role for a group to create subgroups for it.
+ - The [role determined by a setting](#change-who-can-create-subgroups). These users can create
subgroups even if group creation is
[disabled by an Administrator](../../admin_area/index.md#prevent-a-user-from-creating-groups) in the user's settings.
@@ -92,8 +92,9 @@ To create a subgroup:
### Change who can create subgroups
-To create a subgroup, you must have at least the Maintainer role on the group, depending on the group's setting. By
-default:
+Prerequisite:
+
+- You must have at least the Maintainer role on the group, depending on the group's setting.
To change who can create subgroups on a group:
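Review bot: The new prerequisite under "Change who can create subgroups" reuses the wording of the removed sentence, which described who can create a subgroup, not who can change the setting. "You must have at least the Maintainer role on the group, depending on the group's setting" is circular for a task whose purpose is to change that setting. State the role required to edit the setting itself. The removed "By default:" fragment is also gone without a replacement, so if a default existed in the surrounding text, check that it is still documented.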
@@ -120,11 +121,11 @@ There is a bug that causes some pages in the parent group to be accessible by su
When you add a member to a group, that member is also added to all subgroups. The user's permissions are inherited from
the group's parent.
-Subgroup members can:
+Subgroup members can be:
-1. Be [direct members](../../project/members/index.md#add-users-to-a-project) of the subgroup.
-1. [Inherit membership](../../project/members/index.md#inherited-membership) of the subgroup from the subgroup's parent group.
-1. Be a member of a group that was [shared with the subgroup's top-level group](../manage.md#share-a-group-with-another-group).
+1. [Direct members](../../project/members/index.md#add-users-to-a-project) of the subgroup.
+1. [Inherited members](../../project/members/index.md#inherited-membership) of the subgroup from the subgroup's parent group.
+1. Members of a group that was [shared with the subgroup's top-level group](../manage.md#share-a-group-with-another-group).
```mermaid
flowchart RL
diff --git a/doc/user/group/value_stream_analytics/index.md b/doc/user/group/value_stream_analytics/index.md
index 1c02ca59e3d..8635b4567ef 100644
--- a/doc/user/group/value_stream_analytics/index.md
+++ b/doc/user/group/value_stream_analytics/index.md
@@ -119,10 +119,10 @@ In GitLab 13.9 and later, deployment frequency metrics are calculated based on w
In GitLab 13.8 and earlier, deployment frequency metrics are calculated based on when the deployment was created.
<div class="video-fallback">
- See the video: <a href="https://www.youtube.com/embed/wQU-mWvNSiI">DORA metrics and value stream analytics</a>.
+ See the video: <a href="https://www.youtube.com/watch?v=wQU-mWvNSiI">DORA metrics and value stream analytics</a>.
</div>
<figure class="video-container">
- <iframe src="https://www.youtube.com/embed/wQU-mWvNSiI" frameborder="0" allowfullscreen="true"> </iframe>
+ <iframe src="https://www.youtube-nocookie.com/embed/wQU-mWvNSiI" frameborder="0" allowfullscreen> </iframe>
</figure>
### How value stream analytics aggregates data