diff options
Diffstat (limited to 'doc/user/group')
34 files changed, 452 insertions, 257 deletions
diff --git a/doc/user/group/access_and_permissions.md b/doc/user/group/access_and_permissions.md index 53a62a60157..e08cfea7095 100644 --- a/doc/user/group/access_and_permissions.md +++ b/doc/user/group/access_and_permissions.md @@ -1,7 +1,7 @@ --- stage: Data Stores group: Tenant Scale -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments --- # Group access and permissions @@ -303,7 +303,7 @@ To create group links via filter: LDAP user permissions can be manually overridden by an administrator. To override a user's permissions: 1. On the left sidebar, select **Search or go to** and find your group. -1. On the left sidebar, select **Manage > Members**. If LDAP synchronization +1. Select **Manage > Members**. If LDAP synchronization has granted a user a role with: - More permissions than the parent group membership, that user is displayed as having [direct membership](../project/members/index.md#display-direct-members) of the group. diff --git a/doc/user/group/clusters/index.md b/doc/user/group/clusters/index.md index 5c0844dff92..ded99f7c936 100644 --- a/doc/user/group/clusters/index.md +++ b/doc/user/group/clusters/index.md @@ -1,8 +1,7 @@ --- -type: reference stage: Deploy group: Environments -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments --- # Group-level Kubernetes clusters (certificate-based) (deprecated) **(FREE ALL)** diff --git a/doc/user/group/compliance_frameworks.md b/doc/user/group/compliance_frameworks.md index 7258791a983..4a03db33a86 100644 --- a/doc/user/group/compliance_frameworks.md +++ b/doc/user/group/compliance_frameworks.md @@ -1,7 +1,7 @@ --- stage: Govern group: Compliance -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments --- # Compliance frameworks **(PREMIUM ALL)** @@ -25,7 +25,7 @@ or deleted at the subgroup or project level. Project owners can choose a framewo ## Add a compliance framework to a project -Prerequisite: +Prerequisites: - The group to which the project belongs must have a compliance framework. @@ -336,7 +336,7 @@ cannot change them: non-modifiable and are always run. - Explicitly set any [variables](../../ci/yaml/index.md#variables) the job references. This: - Ensures that project-level pipeline configurations do not set them and alter their - behavior. + behavior. For example, see `before_script` and `after_script` configuration in the [example configuration](#example-configuration). - Includes any jobs that drive the logic of your job. - Explicitly set the [container image](../../ci/yaml/index.md#image) to run the job in. This ensures that your script steps execute in the correct environment. diff --git a/doc/user/group/contribution_analytics/index.md b/doc/user/group/contribution_analytics/index.md index 96cc9ce974c..6d8d209986c 100644 --- a/doc/user/group/contribution_analytics/index.md +++ b/doc/user/group/contribution_analytics/index.md @@ -1,8 +1,7 @@ --- -type: reference stage: Plan group: Optimize -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments --- # Contribution analytics **(PREMIUM ALL)** diff --git a/doc/user/group/custom_project_templates.md b/doc/user/group/custom_project_templates.md index 967ba4e05d0..07158a0c06f 100644 --- a/doc/user/group/custom_project_templates.md +++ b/doc/user/group/custom_project_templates.md @@ -1,7 +1,7 @@ --- stage: Create group: Source Code -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments --- # Custom group-level project templates **(PREMIUM ALL)** @@ -21,7 +21,7 @@ You can also configure [custom templates for the instance](../../administration/ ## Set up group-level project templates -Prerequisite: +Prerequisites: - You must have the Owner role for the group. @@ -40,7 +40,7 @@ Projects in nested subgroups are not included in the template list. ## Which projects are available as templates - Public and internal projects can be selected by any authenticated user as a template for a new project, - if all [project features](../project/settings/index.md#configure-project-features-and-permissions) + if all [project features](../project/settings/project_features_permissions.md#configure-project-features-and-permissions) except for **GitLab Pages** and **Security and Compliance** are set to **Everyone With Access**. - Private projects can be selected only by users who are members of the projects. diff --git a/doc/user/group/devops_adoption/index.md b/doc/user/group/devops_adoption/index.md index 5359d7b52a0..cdb11bb0548 100644 --- a/doc/user/group/devops_adoption/index.md +++ b/doc/user/group/devops_adoption/index.md @@ -1,7 +1,7 @@ --- stage: Plan group: Optimize -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments --- # Group DevOps Adoption **(ULTIMATE ALL)** @@ -30,7 +30,7 @@ how to use those features. ## View DevOps Adoption -Prerequisite: +Prerequisites: - You must have at least the Reporter role for the group. diff --git a/doc/user/group/epics/epic_boards.md b/doc/user/group/epics/epic_boards.md index 69b64861bd5..0547f947419 100644 --- a/doc/user/group/epics/epic_boards.md +++ b/doc/user/group/epics/epic_boards.md @@ -1,7 +1,7 @@ --- stage: Plan group: Product Planning -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments --- # Epic boards **(PREMIUM ALL)** @@ -17,10 +17,10 @@ labels. On the top of each list, you can see the number of epics in the list (**{epic}**) and the total weight of all its epics (**{weight}**). <div class="video-fallback"> - See the video: <a href="https://www.youtube.com/watch?v=I1bFIAQBHB8">Epics and Issue Boards - Project Management</a>. + See the video: <a href="https://www.youtube.com/watch?v=eQUnHwbKEkY">Epics and Issue Boards - Project Management</a>. </div> <figure class="video-container"> - <iframe src="https://www.youtube-nocookie.com/embed/I1bFIAQBHB8" frameborder="0" allowfullscreen> </iframe> + <iframe src="https://www.youtube-nocookie.com/embed/eQUnHwbKEkY" frameborder="0" allowfullscreen> </iframe> </figure> To view an epic board: diff --git a/doc/user/group/epics/index.md b/doc/user/group/epics/index.md index 83d38dbc70b..c524490eb0b 100644 --- a/doc/user/group/epics/index.md +++ b/doc/user/group/epics/index.md @@ -1,7 +1,7 @@ --- stage: Plan group: Product Planning -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments --- # Epics **(PREMIUM ALL)** @@ -20,10 +20,10 @@ Use epics: - To discuss and collaborate on feature ideas and scope at a high level. <div class="video-fallback"> - See the video: <a href="https://www.youtube.com/watch?v=kdE-yb6Puuo">GitLab Epics - Setting up your Organization with GitLab</a>. + See the video: <a href="https://www.youtube.com/watch?v=c0EwYYUZppw">GitLab Epics - Setting up your Organization with GitLab</a>. </div> <figure class="video-container"> - <iframe src="https://www.youtube-nocookie.com/embed/kdE-yb6Puuo" frameborder="0" allowfullscreen> </iframe> + <iframe src="https://www.youtube-nocookie.com/embed/c0EwYYUZppw" frameborder="0" allowfullscreen> </iframe> </figure> ## Relationships between epics and issues diff --git a/doc/user/group/epics/linked_epics.md b/doc/user/group/epics/linked_epics.md index 8b57c1b4d1f..fb63e851a69 100644 --- a/doc/user/group/epics/linked_epics.md +++ b/doc/user/group/epics/linked_epics.md @@ -1,7 +1,7 @@ --- stage: Plan group: Product Planning -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments --- # Linked epics **(ULTIMATE ALL)** diff --git a/doc/user/group/epics/manage_epics.md b/doc/user/group/epics/manage_epics.md index a5cc3ad9070..9cdebdd7d9d 100644 --- a/doc/user/group/epics/manage_epics.md +++ b/doc/user/group/epics/manage_epics.md @@ -1,8 +1,7 @@ --- -type: howto stage: Plan group: Product Planning -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments --- # Manage epics **(PREMIUM ALL)** diff --git a/doc/user/group/import/index.md b/doc/user/group/import/index.md index 24d5ca5b214..28878855098 100644 --- a/doc/user/group/import/index.md +++ b/doc/user/group/import/index.md @@ -1,7 +1,7 @@ --- stage: Manage group: Import and Integrate -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments --- # Migrating GitLab groups **(FREE ALL)** @@ -76,7 +76,7 @@ Estimating the duration of migration by direct transfer is difficult. The follow very different amounts of time to migrate if one of the projects has a lot more attachments, comments, and other items on the merge requests. Therefore, the number of merge requests on a project is a poor predictor of how long a project will take to migrate. -There’s no exact formula to reliably estimate a migration. However, the average durations of each pipeline worker importing a project relation can help you to get an idea of how long importing your projects might take: +There's no exact formula to reliably estimate a migration. However, the average durations of each pipeline worker importing a project relation can help you to get an idea of how long importing your projects might take: | Project resource type | Average time (in seconds) to import a record | |:----------------------------|:---------------------------------------------| @@ -113,6 +113,8 @@ If you are migrating large projects and encounter problems with timeouts or dura ### Limits +> Eight hour time limit on migrations [removed](https://gitlab.com/gitlab-org/gitlab/-/issues/429867) in GitLab 16.7. + Hardcoded limits apply on migration by direct transfer. | Limit | Description | @@ -121,7 +123,6 @@ Hardcoded limits apply on migration by direct transfer. | 210 seconds | Maximum number of seconds to wait for decompressing an archive file. | | 50 MB | Maximum length an NDJSON row can have. | | 5 minutes | Maximum number of seconds until an empty export status on source instance is raised. | -| 8 hours | Time until migration times out. | [Configurable limits](../../../administration/settings/account_and_limit_settings.md) are also available. @@ -173,9 +174,12 @@ To migrate groups by direct transfer: - For GitLab 15.0 and earlier source instances, the personal access token must have both the `api` and `read_repository` scopes. - You must have the Owner role on the source group to migrate from. -- Your must have a role on the destination namespace the enables you to +- You must have a role in the destination namespace that enables you to [create a subgroup](../../group/subgroups/index.md#create-a-subgroup) in that namespace. +- To import items stored in object storage, you must either: + - [Configure `proxy_download`](../../../administration/object_storage.md#configure-the-common-parameters). + - Ensure that the destination GitLab instance has access to the object storage of the source GitLab instance. ### Prepare user accounts @@ -201,7 +205,7 @@ Create the group you want to import to and connect the source GitLab instance: - A new subgroup. On existing group's page, either: - Select **New subgroup**. - On the left sidebar, at the top, select **Create new** (**{plus}**) and **New subgroup**. Then select the **import an existing group** link. -1. Enter the URL of a GitLab instance running GitLab 14.0 or later. +1. Enter the base URL of a GitLab instance running GitLab 14.0 or later. 1. Enter the [personal access token](../../../user/profile/personal_access_tokens.md) for your source GitLab instance. 1. Select **Connect instance**. @@ -226,6 +230,8 @@ ready for production use. ### Group import history +> **Partially completed** status [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/394727) in GitLab 16.7. + You can view all groups migrated by you by direct transfer listed on the group import history page. This list includes: - Paths of source groups. @@ -249,7 +255,7 @@ To view group import history: To review the results of an import: 1. Go to the [Group import history page](#group-import-history). -1. To see the details of a failed import, select the **See failures** link on any import with a **Failed** status. +1. To see the details of a failed import, select the **See failures** link on any import with a **Failed** or **Partially completed** status. ### Migrated group items @@ -433,7 +439,7 @@ Some project items are excluded from migration because they either: - Environments - Feature flags - Infrastructure Registry - - Package Registry + - Package registry - Pages domains - Remote mirrors @@ -613,15 +619,14 @@ sure these users exist before importing the desired groups. ### Enable export for a group -Prerequisite: +Prerequisites: - You must have the Owner role for the group. To enable import and export for a group: -1. On the left sidebar, select **Search or go to**. -1. Select **Admin Area**. -1. On the left sidebar, select **Settings > General**. +1. On the left sidebar, at the bottom, select **Admin Area**. +1. Select **Settings > General**. 1. Expand **Visibility and access controls**. 1. In the **Import sources** section, select the checkboxes for the sources you want. @@ -662,7 +667,7 @@ NOTE: The maximum import file size can be set by the administrator, default is `0` (unlimited). As an administrator, you can modify the maximum import file size. To do so, use the `max_import_size` option in the [Application settings API](../../../api/settings.md#change-application-settings) or the -[Admin Area](../../admin_area/settings/account_and_limit_settings.md). +[Admin Area](../../../administration/settings/account_and_limit_settings.md). Default [modified](https://gitlab.com/gitlab-org/gitlab/-/issues/251106) from 50 MB to 0 in GitLab 13.8. ### Rate limits diff --git a/doc/user/group/index.md b/doc/user/group/index.md index 1a4fa9df305..f4b4f9f2d39 100644 --- a/doc/user/group/index.md +++ b/doc/user/group/index.md @@ -1,7 +1,7 @@ --- stage: Data Stores group: Tenant Scale -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments --- # Groups **(FREE ALL)** @@ -32,7 +32,7 @@ A single top-level group provides insights in your entire organization via a com ## Group visibility -Like projects, a group can be configured to limit the visibility of it to: +Like projects, a group can be configured to be visible to: - Anonymous users. - All authenticated users. @@ -42,30 +42,30 @@ The restriction for [visibility levels](../../administration/settings/visibility on the application setting level also applies to groups. If set to internal, the explore page is empty for anonymous users. The group page has a visibility level icon. -Administrator users cannot create a subgroup or project with a higher visibility level than that of +Users cannot create a subgroup or project with a higher visibility level than that of the immediate parent group. ## View groups -To explore all public groups: +To explore all public groups you are a member of: 1. On the left sidebar, select **Search or go to**. 1. Select **View all my groups**. -1. At the top right, select **Explore groups**. +1. In the upper right, select **Explore groups**. -To view groups where you have a direct or indirect membership: +To view groups where you have direct or indirect membership: 1. On the left sidebar, select **Search or go to**. 1. Select **View all my groups**. -This page shows groups that you are a member of: +This page shows groups that you are a member of through: -- Through membership of a subgroup's parent group. -- Through direct or inherited membership of a project in the group or subgroup. +- Membership of a subgroup's parent group. +- Direct or inherited membership of a project in the group or subgroup. ## View group activity -To view the activity of a project: +To view the activity of a group: 1. On the left sidebar, select **Search or go to** and find your group. 1. Select **Manage > Activity**. @@ -75,7 +75,6 @@ To view the activity of a project: - **Push events**: Push events in the group's projects. - **Merge events**: Accepted merge requests in the group's projects. - **Issue events**: Issues opened and closed in the group's projects. - - **Epic events**: Epics opened and closed in the group. - **Comments**: Comments posted by group members in the group's projects. - **Wiki**: Updates to wiki pages in the group. - **Designs**: Designs added, updated, and removed in the group's projects. @@ -87,19 +86,52 @@ To create a group: 1. On the left sidebar, at the top, select **Create new** (**{plus}**) and **New group**. 1. Select **Create group**. -1. Enter a name for the group in **Group name**. For a list of words that cannot be used as group names, see +1. In the **Group name** text box, enter the name of the group. For a list of words that cannot be used as group names, see [reserved names](../reserved_names.md). -1. Enter a path for the group in **Group URL**, which is used for the [namespace](../namespace/index.md). -1. Choose the [visibility level](../public_access.md). -1. Personalize your GitLab experience by answering the following questions: - - What is your role? - - Who is using this group? - - What are you using this group for? -1. Invite GitLab members or other users to join the group. +1. In the **Group URL** text box, enter the path for the group used for the [namespace](../namespace/index.md). +1. Select the [**Visibility level**](../public_access.md) of the group. +1. Optional. To personalize your GitLab experience: + - From the **Role** dropdown list, select your role. + - For **Who will be using this group?**, select an option. + - From the **What will you use this group for?** dropdown list, select an option. +1. Optional. To invite members to the group, in the **Email 1** text box, enter the email address of the user you want to invite. To invite more users, select **Invite another member** and enter the user's email address. +1. Select **Create group**. <i class="fa fa-youtube-play youtube" aria-hidden="true"></i> For details about groups, watch [GitLab Namespaces (users, groups and subgroups)](https://youtu.be/r0sJgjR2f5A). +## Edit group name and description + +You can edit your group details from the group general settings. + +Prerequisites: + +- You must have the Owner role for the group. + +To edit group details: + +1. On the left sidebar, select **Search or go to** and find your group. +1. Select **Settings > General**. +1. In the **Group name** text box, enter your group name. See the [limitations on group names](../../user/reserved_names.md). +1. Optional. In the **Group description (optional)** text box, enter your group description. + The description is limited to 500 characters. +1. Select **Save changes**. + +## Leave a group + +> The button to leave a group [moved](https://gitlab.com/gitlab-org/gitlab/-/issues/431539) to the Actions menu in GitLab 16.7. + +When you leave a group: + +- You are no longer a member of the group, its subgroups, and projects, and cannot contribute. +- All the issues and merge requests that were assigned to you are unassigned. + +To leave a group: + +1. On the left sidebar, select **Search or go to** and find your group. +1. On the group overview page, in the upper-right corner, select **Actions** (**{ellipsis_v})**. +1. Select **Leave group**, then **Leave group** again. + ## Remove a group > Enabled delayed deletion by default and removed the option to delete immediately [on GitLab.com](https://gitlab.com/gitlab-org/gitlab/-/issues/393622) and [on self-managed](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/119606) in GitLab 16.0. @@ -107,23 +139,19 @@ For details about groups, watch [GitLab Namespaces (users, groups and subgroups) To remove a group and its contents: 1. On the left sidebar, select **Search or go to** and find your group. -1. On the left sidebar, select **Settings > General**. +1. Select **Settings > General**. 1. Expand the **Advanced** section. 1. In the **Remove group** section, select **Remove group**. -1. Type the group name. -1. Select **Confirm**. +1. On the confirmation dialog, type the group name and select **Confirm**. -A group can also be removed from the groups dashboard: +You can also remove a group from the groups dashboard: 1. On the left sidebar, select **Search or go to**. 1. Select **View all my groups**. 1. Select (**{ellipsis_v}**) for the group you want to delete. 1. Select **Delete**. -1. In the Remove group section, select **Remove group**. -1. Type the group name. -1. Select **Confirm**. - -This action removes the group. It also adds a background job to delete all projects in the group. +1. In the **Remove group** section, select **Remove group**. +1. On the confirmation dialog, type the group name and select **Confirm**. In [GitLab 12.8 and later](https://gitlab.com/gitlab-org/gitlab/-/issues/33257), on GitLab [Premium](https://about.gitlab.com/pricing/premium/) and [Ultimate](https://about.gitlab.com/pricing/ultimate/), this action adds a background job to mark a group for deletion. By default, the job schedules the deletion seven days in the future. You can modify this retention period through the [instance settings](../../administration/settings/visibility_and_access_controls.md#deletion-protection). @@ -146,11 +174,10 @@ To immediately remove a group marked for deletion: 1. On the left sidebar, select **Search or go to** and find your group. 1. Select **Settings > General**. 1. Expand **Advanced**. -1. In the "Permanently remove group" section, select **Remove group**. +1. In the **Permanently remove group** section, select **Remove group**. 1. Confirm the action when asked to. -Your group, its subgroups, projects, and all related resources, including issues and merge requests, -are deleted. +This action deletes the group, its subgroups, projects, and all related resources, including issues and merge requests. ## Restore a group **(PREMIUM ALL)** @@ -161,7 +188,7 @@ To restore a group that is marked for deletion: 1. On the left sidebar, select **Search or go to** and find your group. 1. Select **Settings > General**. 1. Expand the **Advanced** section. -1. In the Restore group section, select **Restore group**. +1. In the **Restore group** section, select **Restore group**. ## Request access to a group @@ -169,12 +196,12 @@ As a user, you can request to be a member of a group, if an administrator allows 1. On the left sidebar, select **Search or go to**. 1. Select **View all my groups**. -1. At the top right side, select **Explore groups**. -1. Search for the group by name. +1. In the upper right, select **Explore groups**. +1. In the **Search by name** text box, enter the name of the group you want to join. 1. In the search results, select the name of the group. 1. On the group page, under the group name, select **Request Access**. -As many as ten of the most-recently-active group owners receive an email with your request. +Up to ten of the most recently active group owners receive an email with your request. Any group owner can approve or decline the request. If you change your mind before your request is approved, select @@ -189,16 +216,16 @@ To view a group's members: A table displays the member's: -- **Account** name and username +- **Account** name and username. - **Source** of their [membership](../project/members/index.md#membership-types). For transparency, GitLab displays all membership sources of group members. Members who have multiple membership sources are displayed and counted as separate members. For example, if a member has been added to the group both directly and through inheritance, the member is displayed twice in the **Members** table, with different sources, and is counted as two individual members of the group. -- [**Max role**](../project/members/index.md#which-roles-you-can-assign) in the group -- **Expiration** date of their group membership -- **Activity** related to their account +- [**Max role**](../project/members/index.md#which-roles-you-can-assign) in the group. +- **Expiration** date of their group membership. +- **Activity** related to their account. NOTE: The display of group members' **Source** might be inconsistent. @@ -223,11 +250,11 @@ In lists of group members, entries can display the following badges: 1. On the left sidebar, select **Search or go to** and find your group. 1. Select **Manage > Members**. -1. Above the list of members, in the **Filter members** box, enter filter criteria. - - To view members in the group only, select **Membership = Direct**. - - To view members of the group and its subgroups, select **Membership = Inherited**. - - To view members with two-factor authentication enabled or disabled, select **2FA = Enabled** or **Disabled**. - - To view members of the top-level group who are [enterprise users](../enterprise_user/index.md), select **Enterprise = true**. +1. Above the list of members, in the **Filter members** text box, enter your search criteria. To view: + - Direct members of the group, select **Membership = Direct**. + - Members of the group and its subgroups, select **Membership = Inherited**. + - Members with two-factor authentication enabled or disabled, select **2FA = Enabled** or **2FA = Disabled**. + - Members of the top-level group who are [enterprise users](../enterprise_user/index.md), select **Enterprise = true**. ### Search a group @@ -255,27 +282,43 @@ You can sort members by **Account**, **Access granted**, **Max role**, or **Last You can give a user access to all projects in a group. -Prerequisite: +Prerequisites: -- You must have the Owner role. +- You must have the Owner role for the group. 1. On the left sidebar, select **Search or go to** and find your group. 1. Select **Manage > Members**. 1. Select **Invite members**. -1. Fill in the fields. - - The role applies to all projects in the group. For more information, see [permissions](../permissions.md). - - Optional. Select an **Access expiration date**. From that date onward, the - user can no longer access the project. +1. If the user: + + - Has a GitLab account, enter the user's username. + - Doesn't have a GitLab account, enter the user's email address. + +1. Select a [role](../permissions.md). +1. Optional. For **Access expiration date**, enter or select a date. + From that date onward, the user can no longer access the project. + + If you enter an access expiration date, the group member gets an email notification + seven days before their access expires. + + WARNING: + If you give a member the Maintainer role and enter an expiration date, that member + has full permissions as long as they are in the role. These permissions include the member's ability + to extend their own time in the Maintainer role. + 1. Select **Invite**. + If you invite the user by their: -If you selected an access expiration date, the group member gets an email notification -seven days before their access expires. + - GitLab username, the user is added to the member list. + - Email address, the user receives an email invitation and is prompted to create an account. + If the invitation is not accepted, GitLab sends reminder emails two, five, and ten days later. + Unaccepted invites are automatically deleted after 90 days. Members that are not automatically added are displayed on the **Invited** tab. -Users can be on this tab because they: +This tab includes users who: - Have not yet accepted the invitation. -- Are waiting for [approval from an administrator](../admin_area/moderate_users.md). +- Are waiting for [approval from an administrator](../../administration/moderate_users.md). - [Exceed the group user cap](manage.md#user-cap-for-groups). ## Remove a member from the group @@ -293,21 +336,16 @@ To remove a member from a group: 1. Select **Manage > Members**. 1. Next to the member you want to remove, select the vertical ellipsis (**{ellipsis_v}**). 1. Select **Remove member**. -1. Optional. On the **Remove member** confirmation box: - - To remove direct user membership from subgroups and projects, select the **Also remove direct user membership from subgroups and projects** checkbox. - - To unassign the user from linked issues and merge requests, select the **Also unassign this user from linked issues and merge requests** checkbox. +1. Optional. On the **Remove member** confirmation dialog, select one or both checkboxes: + - **Also remove direct user membership from subgroups and projects** + - **Also unassign this user from linked issues and merge requests** 1. Select **Remove member**. -## Ensure removed users cannot invite themselves back - -Malicious users with the Maintainer or Owner role could exploit a race condition that allows -them to invite themselves back to a group or project that a GitLab administrator has removed them from. - -To avoid this problem, GitLab administrators can [ensure removed users cannot invite themselves back](../project/members/index.md#ensure-removed-users-cannot-invite-themselves-back). +GitLab administrators can also [ensure removed users cannot invite themselves back](../project/members/index.md#ensure-removed-users-cannot-invite-themselves-back). ## Add projects to a group -There are two different ways to add a new project to a group: +You can add a new project to a group in two ways: - Select a group, and then select **New project**. You can then continue [creating your project](../../user/project/index.md). - While you are creating a project, select a group from the dropdown list. @@ -316,13 +354,10 @@ There are two different ways to add a new project to a group: ### Specify who can add projects to a group -> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/2534) in GitLab 10.5. -> - [Moved](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/25975) from GitLab Premium to GitLab Free in 11.10. - -By default, users with: +By default, users with at least the: -- At least the Developer role can create projects under a group. This default can be changed. -- At least the Maintainer role can fork projects into a group. This default prevents users with the Developer role from forking projects that +- Developer role can create projects under a group. This default can be changed. +- Maintainer role can fork projects into a group. This default prevents users with the Developer role from forking projects that contain protected branches and cannot be changed. To change the role that can create projects under a group: @@ -330,7 +365,19 @@ To change the role that can create projects under a group: 1. On the left sidebar, select **Search or go to** and find your group. 1. Select **Settings > General**. 1. Expand the **Permissions and group features** section. -1. Select the desired option in the **Roles allowed to create projects** dropdown list. +1. From **Roles allowed to create projects**, select an option. 1. Select **Save changes**. To change this setting globally, see [Default project creation protection](../../administration/settings/visibility_and_access_controls.md#define-which-roles-can-create-projects). + +## Get the group ID + +> Group ID [moved](https://gitlab.com/gitlab-org/gitlab/-/issues/431539) to the Actions menu in GitLab 16.7. + +You might need the group ID if you want to interact with it using the [GitLab API](../../api/index.md). + +To copy the group ID: + +1. On the left sidebar, select **Search or go to** and find your group. +1. On the group overview page, in the upper-right corner, select **Actions** (**{ellipsis_v})**. +1. Select **Copy group ID**. diff --git a/doc/user/group/insights/index.md b/doc/user/group/insights/index.md index 2ded1b08de2..6ca37cb9a2c 100644 --- a/doc/user/group/insights/index.md +++ b/doc/user/group/insights/index.md @@ -1,7 +1,7 @@ --- stage: Plan group: Optimize -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments --- # Insights for groups **(ULTIMATE ALL)** @@ -56,6 +56,16 @@ By default, insights display all available dimensions on the chart. To exclude a dimension, from the legend below the chart, select the name of the dimension. +### Drill down on charts + +> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/372215/) in GitLab 16.7. + +You can drill down into the data of the **Bugs created per month by priority** and **Bugs created per month by severity** charts from the [default configuration file](https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/fixtures/insights/default.yml). + +To view a drill-down report of the data for a specific priority or severity in a month: + +- On the chart, select the bar stack you want to drill down on. + ## Configure group insights GitLab reads insights from the diff --git a/doc/user/group/issues_analytics/img/enhanced_issue_analytics_v16_7.png b/doc/user/group/issues_analytics/img/enhanced_issue_analytics_v16_7.png Binary files differnew file mode 100644 index 00000000000..519e56acaa5 --- /dev/null +++ b/doc/user/group/issues_analytics/img/enhanced_issue_analytics_v16_7.png diff --git a/doc/user/group/issues_analytics/img/issues_closed_analytics_v16_4.png b/doc/user/group/issues_analytics/img/issues_closed_analytics_v16_4.png Binary files differdeleted file mode 100644 index 5e1fe4eaa8c..00000000000 --- a/doc/user/group/issues_analytics/img/issues_closed_analytics_v16_4.png +++ /dev/null diff --git a/doc/user/group/issues_analytics/index.md b/doc/user/group/issues_analytics/index.md index 4f1c7b4be7a..28f4026b3e3 100644 --- a/doc/user/group/issues_analytics/index.md +++ b/doc/user/group/issues_analytics/index.md @@ -1,8 +1,7 @@ --- -type: reference stage: Plan group: Optimize -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments --- # Issue analytics for groups **(PREMIUM ALL)** @@ -16,7 +15,7 @@ prior. To access the chart: 1. On the left sidebar, select **Search or go to** and find your group. -1. On the left sidebar, select **Analyze > Issue analytics**. +1. Select **Analyze > Issue analytics**. You can also access the chart from the [Value Streams Dashboard](../../analytics/value_streams_dashboard.md) through the **New issues** drill-down report. @@ -50,7 +49,7 @@ available. This feature is not ready for production use. Enhanced issue analytics display the additional metric "Issues closed", which represents the total number of resolved issues in your group over a selected period. You can use this metric to improve the overall turn-around time and value delivered to your customers. - + ## Drill into the information diff --git a/doc/user/group/iterations/index.md b/doc/user/group/iterations/index.md index 8c0838cf33c..bfbba8cc0da 100644 --- a/doc/user/group/iterations/index.md +++ b/doc/user/group/iterations/index.md @@ -1,8 +1,7 @@ --- -type: reference stage: Plan group: Project Management -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments --- # Iterations **(PREMIUM ALL)** @@ -78,7 +77,7 @@ From there you can create a new iteration or select an iteration to get a more d NOTE: If a project has issue tracking -[turned off](../../project/settings/index.md#configure-project-features-and-permissions), +[turned off](../../project/settings/project_features_permissions.md#configure-project-features-and-permissions), to view the iterations list, enter its URL. To do so, add: `/-/cadences` to your project or group URL. For example `https://gitlab.com/gitlab-org/sample-data-templates/sample-gitlab-project/-/cadences`. This is tracked in [issue 339009](https://gitlab.com/gitlab-org/gitlab/-/issues/339009). @@ -179,7 +178,7 @@ Prerequisites: To create an iteration: 1. On the left sidebar, select **Search or go to** and find your group. -1. On the left sidebar, select **Plan > Iterations** and select an iteration cadence. +1. Select **Plan > Iterations** and select an iteration cadence. 1. Select **New iteration**. 1. Enter the title, a description (optional), a start date, and a due date. 1. Select **Create iteration**. The iteration details page opens. diff --git a/doc/user/group/manage.md b/doc/user/group/manage.md index 48f86ee4f0e..877db58b716 100644 --- a/doc/user/group/manage.md +++ b/doc/user/group/manage.md @@ -1,7 +1,7 @@ --- stage: Data Stores group: Tenant Scale -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments --- # Manage groups @@ -23,7 +23,7 @@ A single top-level group provides insights in your entire organization via a com As a group owner or member, you can use a README to provide more information about your team, and invite users to contribute to your projects. The README is displayed on the group overview page, and can be changed in the group settings. All group members can edit the README. -Prerequisite: +Prerequisites: - To create the README from the group settings, you must have the Owner role for the group. @@ -53,20 +53,15 @@ member with the Owner role. ## Change a group's path -Changing a group's path (group URL) can have unintended side effects. Read -[how redirects behave](../project/repository/index.md#what-happens-when-a-repository-path-changes) +Changing a group's path (group URL) can have unintended side effects. Read how redirects behave +[on the project-level](../project/repository/index.md#what-happens-when-a-repository-path-changes) +and [in the API](../../api/rest/index.md#redirects) before you proceed. If you are changing the path so it can be claimed by another group or user, you must rename the group too. Both names and paths must be unique. -After you change the group path, the new group path is a new namespace and you must update the existing project URL in the following resources: - -- [Include statements](../../ci/yaml/includes.md#include-a-single-configuration-file). -- Docker image references in CI files. -- Variables that specify a project or namespace. - To retain ownership of the original namespace and protect the URL redirects, create a new group and transfer projects to it instead. @@ -83,6 +78,11 @@ It is not possible to rename a namespace if it contains a project with [Container Registry](../packages/container_registry/index.md) tags, because the project cannot be moved. +WARNING: +To ensure that groups with thousands of subgroups get processed correctly, you should test the path change in a test environment. +Consider increasing the [Puma worker timeout](../../administration/operations/puma.md#change-the-worker-timeout) temporarily. +For more information about our solution to mitigate this timeout risk, see [issue 432065](https://gitlab.com/gitlab-org/gitlab/-/issues/432065). + ## Change the default branch protection of a group > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/7583) in GitLab 12.9. @@ -231,7 +231,7 @@ To disable group mentions: You can export a list of members in a group or subgroup as a CSV. 1. On the left sidebar, select **Search or go to** and find your group or subgroup. -1. On the left sidebar, **Manage > Members**. +1. Select **Manage > Members**. 1. Select **Export as CSV**. 1. After the CSV file has been generated, it is emailed as an attachment to the user that requested it. @@ -254,7 +254,7 @@ disabled for the group and its subgroups. ### Specify a user cap for a group -Prerequisite: +Prerequisites: - You must be assigned the Owner role for the group. @@ -276,7 +276,7 @@ Increasing the user cap does not approve pending members. You can remove the user cap, so there is no limit on the number of members you can add to a group. -Prerequisite: +Prerequisites: - You must be assigned the Owner role for the group. @@ -297,14 +297,14 @@ and must be approved. Pending members do not count as billable. Members count as billable only after they have been approved and are no longer in a pending state. -Prerequisite: +Prerequisites: -- You must be assigned the Owner role) for the group. +- You must be assigned the Owner role for the group. To approve members that are pending because they've exceeded the user cap: 1. On the left sidebar, select **Search or go to** and find your group. -1. On the left sidebar, select **Settings > Usage Quotas**. +1. Select **Settings > Usage Quotas**. 1. On the **Seats** tab, under the alert, select **View pending approvals**. 1. For each member you want to approve, select **Approve**. @@ -322,7 +322,7 @@ User cap doesn’t consider whether users are billable or not (e.g., Free Guest Use group file templates to share a set of templates for common file types with every project in a group. It is analogous to the -[instance template repository](../admin_area/settings/instance_template_repository.md). +[instance template repository](../../administration/settings/instance_template_repository.md). The selected project should follow the same naming conventions as are documented on that page. @@ -390,7 +390,7 @@ You can configure [skipped pipelines](../../ci/pipelines/index.md#skip-a-pipelin See also [the project-level setting](../project/merge_requests/merge_when_pipeline_succeeds.md#allow-merge-after-skipped-pipelines). -Prerequisite: +Prerequisites: - You must be the owner of the group. @@ -409,7 +409,7 @@ To change this behavior: You can prevent merge requests from being merged until all threads are resolved. When this setting is enabled, for all child projects in your group, the **Unresolved threads** count in a merge request is shown in orange when at least one thread remains unresolved. -Prerequisite: +Prerequisites: - You must be the owner of the group. @@ -443,7 +443,7 @@ Approval settings should not be confused with [approval rules](../project/merge_ for the ability to set merge request approval rules for groups is tracked in [epic 4367](https://gitlab.com/groups/gitlab-org/-/epics/4367). -## Enable Code Suggestions **(FREE SAAS)** +## Enable Code Suggestions for a group **(FREE SAAS)** > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/405126) in GitLab 15.11. > - [Moved](https://gitlab.com/gitlab-org/gitlab/-/issues/408158) from GitLab Ultimate to GitLab Premium in 16.0. @@ -454,12 +454,9 @@ This feature is in [Beta](../../policy/experiment-beta-support.md#beta). Beta users should read about the [known limitations](../project/repository/code_suggestions/index.md#known-limitations). We look forward to hearing your [feedback](../project/repository/code_suggestions/index.md#feedback). -You can give all users in a group and its subgroups access to [Code Suggestions](../project/repository/code_suggestions/index.md). - -- This setting - [cascades to all projects](../project/merge_requests/approvals/settings.md#settings-cascading) in the group. -- Each user can - [enable Code Suggestions](../../user/profile/preferences.md#enable-code-suggestions). +You can give all users in a group and its subgroups access to +[Code Suggestions](../project/repository/code_suggestions/index.md). This setting +[cascades to all projects](../project/merge_requests/approvals/settings.md#settings-cascading) in the group. Code Suggestions are enabled by default at the group level. @@ -471,6 +468,9 @@ To update this setting: 1. Under **Code Suggestions**, select the **Projects in this group can use Code Suggestions** checkbox. 1. Select **Save changes**. +Individual users can disable Code Suggestions by disabling the feature in their +[installed IDE editor extension](../project/repository/code_suggestions/index.md#supported-editor-extensions). + ## Enable Experiment and Beta features **(ULTIMATE SAAS)** > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/118222) in GitLab 16.0. @@ -509,7 +509,7 @@ Changes to [group wikis](../project/wiki/group.md) do not appear in group activi You can view the most recent actions taken in a group, either in your browser or in an RSS feed: 1. On the left sidebar, select **Search or go to** and find your group. -1. On the left sidebar, select **Manage > Activity**. +1. Select **Manage > Activity**. To view the activity feed in Atom format, select the **RSS** (**{rss}**) icon. diff --git a/doc/user/group/moderate_users.md b/doc/user/group/moderate_users.md index 6859125b323..38d83c6b5f7 100644 --- a/doc/user/group/moderate_users.md +++ b/doc/user/group/moderate_users.md @@ -1,16 +1,23 @@ --- stage: Govern group: Anti-Abuse -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments --- -# Moderate users **(FREE ALL)** +# Moderate users **(ULTIMATE SAAS)** > [Introduced](https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/155) in GitLab 15.8. This is the group-level documentation. For self-managed instances, see the [administration documentation](../../administration/moderate_users.md). A group Owner can moderate user access by banning and unbanning users. +You should ban a user when you want to block them from the group. + +A banned user: + +- Cannot access the group or any of repositories. +- Cannot use [slash commands](../project/integrations/gitlab_slack_application.md#slash-commands). +- Does not occupy a [seat](../free_user_limit.md). ## Unban a user diff --git a/doc/user/group/planning_hierarchy/index.md b/doc/user/group/planning_hierarchy/index.md index 17552ceaf88..3cfcba066c7 100644 --- a/doc/user/group/planning_hierarchy/index.md +++ b/doc/user/group/planning_hierarchy/index.md @@ -1,8 +1,7 @@ --- -type: reference stage: Plan group: Product Planning -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments --- # Planning hierarchies **(PREMIUM ALL)** diff --git a/doc/user/group/reporting/git_abuse_rate_limit.md b/doc/user/group/reporting/git_abuse_rate_limit.md index d32524b8f5f..e00602aeacd 100644 --- a/doc/user/group/reporting/git_abuse_rate_limit.md +++ b/doc/user/group/reporting/git_abuse_rate_limit.md @@ -1,7 +1,7 @@ --- stage: Govern group: Anti-Abuse -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments --- # Git abuse rate limit **(ULTIMATE ALL)** @@ -11,7 +11,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w FLAG: On self-managed GitLab, by default this feature is not available. To make it available, an administrator can [enable the feature flag](../../../administration/feature_flags.md) named `limit_unique_project_downloads_per_namespace_user`. On GitLab.com, this feature is available. -This is the group-level documentation. For self-managed instances, see the [administration documentation](../../admin_area/reporting/git_abuse_rate_limit.md). +This is the group-level documentation. For self-managed instances, see the [administration documentation](../../../administration/reporting/git_abuse_rate_limit.md). Git abuse rate limiting is a feature to automatically ban users who download, clone, pull, fetch, or fork more than a specified number of repositories of a group in a given time frame. Banned users cannot access the top-level group or any of its non-public subgroups via HTTP or SSH. The rate limit also applies to users who authenticate with [personal](../../../user/profile/personal_access_tokens.md) or [group access tokens](../../../user/group/settings/group_access_tokens.md), as well as [CI/CD job tokens](../../../ci/jobs/ci_job_token.md). Access to unrelated groups is unaffected. diff --git a/doc/user/group/repositories_analytics/index.md b/doc/user/group/repositories_analytics/index.md index 6f02b27a214..baeab5b0bbc 100644 --- a/doc/user/group/repositories_analytics/index.md +++ b/doc/user/group/repositories_analytics/index.md @@ -1,7 +1,7 @@ --- stage: Verify group: Pipeline Execution -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments --- # Repositories analytics for groups **(PREMIUM ALL)** diff --git a/doc/user/group/roadmap/index.md b/doc/user/group/roadmap/index.md index 89d461127e7..6af2a234447 100644 --- a/doc/user/group/roadmap/index.md +++ b/doc/user/group/roadmap/index.md @@ -1,7 +1,7 @@ --- stage: Plan group: Product Planning -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments --- # Roadmap **(PREMIUM ALL)** diff --git a/doc/user/group/saml_sso/example_saml_config.md b/doc/user/group/saml_sso/example_saml_config.md index 86ad2ba32d1..46666abe366 100644 --- a/doc/user/group/saml_sso/example_saml_config.md +++ b/doc/user/group/saml_sso/example_saml_config.md @@ -1,8 +1,7 @@ --- stage: Govern group: Authentication -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments -type: reference +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments --- # Example group SAML and SCIM configurations **(PREMIUM SAAS)** @@ -41,9 +40,6 @@ This section has screenshots for the elements of Azure Active Directory configur  -NOTE: -Attribute names starting with phrases such as `http://schemas.microsoft.com/ws/2008/06/identity/claims/` are not supported. - ### SCIM mapping Provisioning: diff --git a/doc/user/group/saml_sso/group_sync.md b/doc/user/group/saml_sso/group_sync.md index 7b10da016b9..144d927f7e5 100644 --- a/doc/user/group/saml_sso/group_sync.md +++ b/doc/user/group/saml_sso/group_sync.md @@ -1,8 +1,7 @@ --- -type: reference, howto stage: Govern group: Authentication -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments --- # SAML Group Sync **(PREMIUM ALL)** @@ -77,11 +76,26 @@ example configurations for [Azure AD](../../../user/group/saml_sso/example_saml_ ## Configure SAML Group Links -When SAML is enabled, users with the Maintainer or Owner role -see a new menu item in group **Settings > SAML Group Links**. You can configure one or more **SAML Group Links** to map -a SAML identity provider group name to a GitLab role. This can be done for a top-level group or any subgroup. +When SAML is enabled, users with the Maintainer or Owner role see a new menu +item in group **Settings > SAML Group Links**. -SAML Group Sync only manages a group if that group has one or more SAML group links. If a SAML group link is created then removed, the user remains in the group until they are removed from the group in the identity provider. +- You can configure one or more **SAML Group Links** to map a SAML identity + provider group name to a GitLab role. +- Members of the SAML identity provider group are added as members of the GitLab + group on their next SAML sign-in. +- Group membership is evaluated each time a user signs in using SAML. +- SAML Group Links can be configured for a top-level group or any subgroup. +- SAML Group Sync only manages a group if that group has one or more SAML group + links. If a SAML group link is created then removed, and there are: + - Other SAML group links configured, users that were in the removed group + link are automatically removed from the group during sync. + - No other SAML group links configured, users remain in the group during sync. + Those users must be manually removed from the group. + +Prerequisites: + +- Self-managed GitLab instances must have configured SAML Group Sync. GitLab.com + instances are already configured for SAML Group Sync, and require no extra configuration. To link the SAML groups: @@ -104,8 +118,6 @@ Users granted: - A lower or the same role with Group Sync are displayed as having [inherited membership](../../project/members/index.md#display-inherited-members) of the group. -SAML group membership is evaluated each time a user signs in. - ### Use the API > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/290367) in GitLab 15.3. @@ -171,8 +183,7 @@ To configure for a GitLab.com group: To configure for self-managed: 1. Configure [SAML SSO for the instance](../../../integration/saml.md). -1. On the left sidebar, select **Search or go to**. -1. Select **Admin Area**. +1. On the left sidebar, at the bottom, select **Admin Area**. 1. Select **Settings > General**. 1. In the **Microsoft Azure integration** section, select the **Enable Microsoft Azure integration for this group** checkbox. 1. Enter the **Tenant ID**, **Client ID**, and **Client secret** obtained earlier when configuring Azure Active Directory in the Azure Portal. @@ -202,11 +213,10 @@ When global group memberships lock is enabled: To enable global group memberships lock: 1. [Configure SAML](../../../integration/saml.md) for your self-managed GitLab instance. -1. On the left sidebar, select **Search or go to**. -1. Select **Admin Area**. -1. On the left sidebar, select **Settings > General**. +1. On the left sidebar, at the bottom, select **Admin Area**. +1. Select **Settings > General**. 1. Expand the **Visibility and access controls** section. -1. Ensure the **Lock memberships to SAML synchronization** checkbox is selected. +1. Ensure that **Lock memberships to SAML Group Links synchronization** is selected. ## Automatic member removal diff --git a/doc/user/group/saml_sso/index.md b/doc/user/group/saml_sso/index.md index 70af800b180..6f1ab305782 100644 --- a/doc/user/group/saml_sso/index.md +++ b/doc/user/group/saml_sso/index.md @@ -1,7 +1,7 @@ --- stage: Govern group: Authentication -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments --- # SAML SSO for GitLab.com groups **(PREMIUM SAAS)** @@ -179,6 +179,9 @@ To set up OneLogin as your identity provider: ### Configure assertions +NOTE: +The attributes are case-sensitive. + At minimum, you must configure the following assertions: 1. [NameID](#manage-user-saml-identity). @@ -192,9 +195,6 @@ Optionally, you can pass user information to GitLab as attributes in the SAML as For more information, see the [attributes available for self-managed GitLab instances](../../../integration/saml.md#configure-assertions). -NOTE: -Attribute names starting with phrases such as `http://schemas.microsoft.com/ws/2008/06/identity/claims/` are not supported. For more information on configuring required attribute names in the SAML identity provider's settings, see [example group SAML and SCIM configurations](../../../user/group/saml_sso/example_saml_config.md). - ### Use metadata To configure some identity providers, you need a GitLab metadata URL. @@ -236,6 +236,8 @@ If the **NameID** is configured with the email address, [change the **NameID** f ## Configure GitLab +> Ability to set a custom role as the default membership role [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/417285) in GitLab 16.7. + After you set up your identity provider to work with GitLab, you must configure GitLab to use it for authentication: 1. On the left sidebar, select **Search or go to** and find your group. @@ -244,9 +246,12 @@ After you set up your identity provider to work with GitLab, you must configure - In the **Identity provider single sign-on URL** field, enter the SSO URL from your identity provider. - In the **Certificate fingerprint** field, enter the fingerprint for the SAML token signing certificate. 1. In the **Default membership role** field, select the role to assign to new users. - The default role is **Guest**. In [GitLab 13.3](https://gitlab.com/gitlab-org/gitlab/-/issues/214523) - and later, group owners can set a default membership role other than **Guest**. - That role becomes the starting role of all users added to the group. + The default role is **Guest**. That role becomes the starting role of all users + added to the group: + - In [GitLab 13.3](https://gitlab.com/gitlab-org/gitlab/-/issues/214523) and + later, group Owners can set a default membership role other than **Guest**. + - In GitLab 16.7 and later, group Owners can set a [custom role](../../custom_roles.md) + as the default membership role. 1. Select the **Enable SAML authentication for this group** checkbox. 1. Optional. Select: - **Enforce SSO-only authentication for web activity for this group**. @@ -349,25 +354,22 @@ breaks the configuration and could lock users out of the GitLab group. For more information on the recommended value and format for specific identity providers, see [set up your identity provider](#set-up-your-identity-provider). -### Configure user settings from SAML response +### Configure enterprise user settings from SAML response -> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/263661) in GitLab 13.7. +> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/263661) in GitLab 13.7. +> - [Changed](https://gitlab.com/gitlab-org/gitlab/-/issues/412898) to configure only enterprise user settings in GitLab 16.7. GitLab allows setting certain user attributes based on values from the SAML response. An existing user's attributes are updated from the SAML response values if that -user was originally provisioned by the group. Users are provisioned by the group -when the account was created either: - -- Through [SCIM](scim_setup.md). -- By first sign-in with SAML SSO for GitLab.com groups. +user is an [enterprise user](../../enterprise_user/index.md) of the group. #### Supported user attributes -- **can_create_group** - `true` or `false` to indicate whether the user can create +- **can_create_group** - `true` or `false` to indicate whether an enterprise user can create new top-level groups. Default is `true`. -- **projects_limit** - The total number of personal projects a user can create. +- **projects_limit** - The total number of personal projects an enterprise user can create. A value of `0` means the user cannot create new projects in their personal - namespace. Default is `10000`. + namespace. Default is `100000`. #### Example SAML response diff --git a/doc/user/group/saml_sso/scim_setup.md b/doc/user/group/saml_sso/scim_setup.md index e29b33469ab..3c5c53cbdf6 100644 --- a/doc/user/group/saml_sso/scim_setup.md +++ b/doc/user/group/saml_sso/scim_setup.md @@ -1,7 +1,7 @@ --- stage: Govern group: Authentication -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments --- # Configure SCIM for GitLab.com groups **(PREMIUM SAAS)** @@ -19,6 +19,8 @@ When SCIM is enabled for a GitLab group, membership of that group is synchronize The [internal GitLab group SCIM API](../../../development/internal_api/index.md#group-scim-api) implements part of [the RFC7644 protocol](https://www.rfc-editor.org/rfc/rfc7644). Identity providers can use the [internal GitLab group SCIM API](../../../development/internal_api/index.md#group-scim-api) to develop a SCIM app. +To set up SCIM on GitLab self-managed, see [Configure SCIM for self-managed GitLab instances](../../../administration/settings/scim_setup.md). + ## Configure GitLab Prerequisites: diff --git a/doc/user/group/saml_sso/troubleshooting.md b/doc/user/group/saml_sso/troubleshooting.md index 527d710058a..a2576f37ac9 100644 --- a/doc/user/group/saml_sso/troubleshooting.md +++ b/doc/user/group/saml_sso/troubleshooting.md @@ -1,8 +1,7 @@ --- -type: reference stage: Govern group: Authentication -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments --- # Troubleshooting SAML **(FREE ALL)** @@ -222,7 +221,7 @@ to [reset their password](https://gitlab.com/users/password/new) if both: Users might get an error that states "SAML Name ID and email address do not match your user account. Contact an administrator." This means: -- The NameID value sent by SAML does not match the existing SAML identity `extern_uid` value. Both the NameID and the `extern_uid` are case sensitive. For more information, see [manage user SAML identity](index.md#manage-user-saml-identity). +- The NameID value sent by SAML does not match the existing SAML identity `extern_uid` value. Both the NameID and the `extern_uid` are case sensitive. For more information, see [manage user SAML identity](index.md#manage-user-saml-identity). - Either the SAML response did not include an email address or the email address did not match the user's GitLab email address. The workaround is that a GitLab group Owner uses the [SAML API](../../../api/saml.md) to update the user's SAML `extern_uid`. @@ -290,7 +289,7 @@ If a subset of users are receiving a `404` after signing in to the IdP, first ve Example request: ```plaintext - curl --request PATCH "https://gitlab.example.com/api/scim/v2/groups/test_group/Users/f0b1d561c-21ff-4092-beab-8154b17f82f2" --header "Authorization: Bearer <SCIM_TOKEN>" --data '{ "Operations": [{"op":"Replace","path":"active","value":"true"}] }' + curl --request PATCH "https://gitlab.example.com/api/scim/v2/groups/test_group/Users/f0b1d561c-21ff-4092-beab-8154b17f82f2" --header "Authorization: Bearer <SCIM_TOKEN>" --header "Content-Type: application/scim+json" --data '{ "Operations": [{"op":"Replace","path":"active","value":"true"}] }' ``` ### 500 error after login **(FREE SELF)** @@ -323,8 +322,7 @@ This message might indicate that you must add or remove a domain from your domai To implement this workaround: -1. On the left sidebar, select **Search or go to**. -1. Select **Admin Area**. +1. On the left sidebar, at the bottom, select **Admin Area**. 1. Select **Settings** > **General**. 1. Expand **Sign-up restrictions**. 1. Add or remove a domain as appropriate to **Allowed domains for sign-ups** and **Denied domains for sign-ups**. @@ -359,18 +357,21 @@ Additionally, see [troubleshooting users receiving a 404 after sign in](#users-r ## Message: The SAML response did not contain an email address. Either the SAML identity provider is not configured to send the attribute, or the identity provider directory does not have an email address value for your user -This error appears when the SAML response does not contain the user's email address in an **email** or **mail** attribute as shown in the following example: +This error appears when the SAML response does not contain the user's email address in an **email** or **mail** attribute. +Ensure the SAML identity provider is configured to send a [supported mail attribute](../../../integration/saml.md). + +Examples: ```xml <Attribute Name="email"> - <AttributeValue>user@domain.com‹/AttributeValue> + <AttributeValue>user@example.com‹/AttributeValue> </Attribute> ``` -Attribute names starting with phrases such as `http://schemas.microsoft.com/ws/2008/06/identity/claims/` like in the following example are not supported. Remove this type of attribute name from the SAML response on the IDP side. +Attribute names starting with phrases such as `http://schemas.xmlsoap.org/ws/2005/05/identity/claims` and `http://schemas.microsoft.com/ws/2008/06/identity/claims/` are supported by default beginning in GitLab 16.7. ```xml -<Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/email"> - <AttributeValue>user@domain.com‹/AttributeValue> +<Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/emailaddress"> + <AttributeValue>user@example.com‹/AttributeValue> </Attribute> ``` diff --git a/doc/user/group/saml_sso/troubleshooting_scim.md b/doc/user/group/saml_sso/troubleshooting_scim.md index b31c2eed9df..3dcb2d93096 100644 --- a/doc/user/group/saml_sso/troubleshooting_scim.md +++ b/doc/user/group/saml_sso/troubleshooting_scim.md @@ -1,7 +1,7 @@ --- stage: Govern group: Authentication -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments --- # Troubleshooting SCIM **(FREE ALL)** @@ -18,20 +18,17 @@ When the user is added back to the SCIM app, GitLab does not create a new user b From August 11, 2023, the `skip_saml_identity_destroy_during_scim_deprovision` feature flag is enabled. For a user de-provisioned by SCIM from that date, their SAML identity is not removed. - When that user is added back to the SCIM app: - Their SCIM identity `active` attribute is set to `true`. - They can sign in using SSO. For users de-provisioned by SCIM before that date, their SAML identity is destroyed. +To solve this problem, the user must [link SAML to their existing GitLab.com account](index.md#link-saml-to-your-existing-gitlabcom-account). -To solve this problem: - -1. Have the user sign in directly to GitLab. -1. [Manually link](scim_setup.md#link-scim-and-saml-identities) their account. +### Self-managed GitLab -Alternatively, self-managed administrators can [add a user identity](../../../administration/admin_area.md#user-identities). +For a self-managed GitLab instance, administrators of that instance can instead [add the user identity themselves](../../../administration/admin_area.md#user-identities). This might save time if administrators need to re-add multiple identities. ## User cannot sign in @@ -130,6 +127,47 @@ For example, use these values as a definitive source on why an account was provi details. This information can help where an account was SCIM provisioned with details that do not match the SCIM app configuration. +## Member's email address is not linked error in SCIM log + +When you attempt to provision a SCIM user on GitLab.com, GitLab checks to see if +a user with that email address already exists. You might see the following error +when the: + +- User exists, but does not have a SAML identity linked. +- User exists, has a SAML identity, **and** has a SCIM identity that is set to `active: false`. + +```plaintext +The member's email address is not linked to a SAML account or has an inactive +SCIM identity. +``` + +This error message is returned with the status `412`. + +This might prevent the affected end user from accessing their account correctly. + +The first workaround is: + +1. Have the end user [link SAML to their existing GitLab.com account](index.md#link-saml-to-your-existing-gitlabcom-account). +1. After the user has done this, initiate a SCIM sync from your identity provider. +If the SCIM sync completes without the same error, GitLab has +successfully linked the SCIM identity to the existing user account, and the user +should now be able to sign in using SAML SSO. + +If the error persists, the user most likely already exists, has both a SAML and +SCIM identity, and a SCIM identity that is set to `active: false`. To resolve +this: + +1. Optional. If you did not save your SCIM token when you first configured SCIM, [generate a new token](scim_setup.md#configure-gitlab). If you generate a new SCIM token, you **must** update the token in your identity provider's SCIM configuration, or SCIM will stop working. +1. Locate your SCIM token. +1. Use the API to [get a single SCIM provisioned user](/ee/development/internal_api/index.md#get-a-single-scim-provisioned-user). +1. Check the returned information to make sure that: + - The user's identifier (`id`) and email match what your identity provider is sending. + - `active` is set to `false`. + If any of this information does not match, [contact GitLab Support](https://support.gitlab.com/). +1. Use the API to [update the SCIM provisioned user's `active` value to `true`](/ee/development/internal_api/index.md#update-a-single-scim-provisioned-user). +1. If the update returns a status code `204`, have the user attempt to sign in +using SAML SSO. + ## Azure Active Directory The following troubleshooting information is specifically for SCIM provisioned through Azure Active Directory. diff --git a/doc/user/group/settings/group_access_tokens.md b/doc/user/group/settings/group_access_tokens.md index cd3efcc6562..5b3f962061e 100644 --- a/doc/user/group/settings/group_access_tokens.md +++ b/doc/user/group/settings/group_access_tokens.md @@ -1,8 +1,7 @@ --- stage: Govern group: Authentication -info: "To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments" -type: reference, howto +info: "To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments" --- # Group access tokens **(FREE)** @@ -59,6 +58,7 @@ To create a group access token: 1. On the left sidebar, select **Search or go to** and find your group. 1. Select **Settings > Access Tokens**. +1. Select **Add new token**. 1. Enter a name. The token name is visible to any user with permissions to view the group. 1. Enter an expiry date for the token: - The token expires on that date at midnight UTC. @@ -121,7 +121,7 @@ To revoke a group access token: 1. On the left sidebar, select **Search or go to** and find your group. 1. Select **Settings > Access Tokens**. -1. Next to the group access token to revoke, select **Revoke**. +1. Next to the group access token to revoke, select **Revoke** (**{remove}**). ## Revoke a group access token using Rails console @@ -143,17 +143,17 @@ token.revoke! The scope determines the actions you can perform when you authenticate with a group access token. -| Scope | Description | -|:-------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `api` | Grants complete read and write access to the scoped group and related project API, including the [Package Registry](../../packages/package_registry/index.md). | -| `read_api` | Grants read access to the scoped group and related project API, including the [Package Registry](../../packages/package_registry/index.md). | -| `read_registry` | Grants read access (pull) to the [Container Registry](../../packages/container_registry/index.md) images if any project within a group is private and authorization is required. | -| `write_registry` | Grants write access (push) to the [Container Registry](../../packages/container_registry/index.md). | -| `read_repository` | Grants read access (pull) to all repositories within a group. | -| `write_repository` | Grants read and write access (pull and push) to all repositories within a group. | -| `create_runner` | Grants permission to create runners in a group. | -| `ai_features` | Grants permission to perform API actions for GitLab Duo. | -| `k8s_proxy` | Grants permission to perform Kubernetes API calls using the agent for Kubernetes in a group. | +| Scope | Description | +|:-------------------|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `api` | Grants complete read and write access to the scoped group and related project API, including the [container registry](../../packages/container_registry/index.md), the [dependency proxy](../../packages/dependency_proxy/index.md), and the [package registry](../../packages/package_registry/index.md). | +| `read_api` | Grants read access to the scoped group and related project API, including the [package registry](../../packages/package_registry/index.md). | +| `read_registry` | Grants read access (pull) to the [container registry](../../packages/container_registry/index.md) images if any project within a group is private and authorization is required. | +| `write_registry` | Grants write access (push) to the [container registry](../../packages/container_registry/index.md). | +| `read_repository` | Grants read access (pull) to all repositories within a group. | +| `write_repository` | Grants read and write access (pull and push) to all repositories within a group. | +| `create_runner` | Grants permission to create runners in a group. | +| `ai_features` | Grants permission to perform API actions for GitLab Duo. This scope is designed to work with the GitLab Duo Plugin for JetBrains. For all other extensions, see scope requirements. | +| `k8s_proxy` | Grants permission to perform Kubernetes API calls using the agent for Kubernetes in a group. | ## Enable or disable group access token creation @@ -163,6 +163,7 @@ To enable or disable group access token creation for all subgroups in a top-leve 1. Select **Settings > General**. 1. Expand **Permissions and group features**. 1. Under **Permissions**, turn on or off **Users can create project access tokens and group access tokens in this group**. +1. Select **Save changes**. Even when creation is disabled, you can still use and revoke existing group access tokens. diff --git a/doc/user/group/ssh_certificates.md b/doc/user/group/ssh_certificates.md new file mode 100644 index 00000000000..25c5f4b1be8 --- /dev/null +++ b/doc/user/group/ssh_certificates.md @@ -0,0 +1,83 @@ +--- +stage: Create +group: Source Code +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments +--- + +# Manage group's SSH certificates **(PREMIUM SAAS)** + +Manage Git access to the projects by sharing public Certified Authority (`CA`) files in your organization's top-level group. + +Git access control options on GitLab SaaS (SSH, HTTPS) rely on credentials (such as access tokens and SSH keys) +setup in the user profile and are out of control of the organization. +To temporarily grant Git access to your projects, you can use SSH certificates. + +## Add a CA certificate to a top-level group + +> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/421915) in GitLab 16.4 [with a flag](../feature_flags.md) named `ssh_certificates_rest_endpoints`. Disabled by default. + +FLAG: +On GitLab.com, this feature is not available. +Prerequisites: + +- You must have the Owner role for the group. +- The group must be a top-level group, not a subgroup. + +To add a CA certificate to a group: + +1. Generate an SSH key pair to be used as a Certified Authority file: + + ```plaintext + ssh-keygen -f CA + ``` + +1. Add the public key to the top-level group using [Group SSH certificates API](../../api/group_ssh_certificates.md#create-ssh-certificate) + to grant access to the projects of the group and its subgroups. + +## Issue CA certificates for users + +Prerequisites: + +- You must have the Owner role for the group. +- The user certificates can only be used to access the projects within the top-level group and its subgroups. +- A user's username or primary email (`user` or `user@example.com`) must be specified to associate a + GitLab user with the user certificate. +- The user must be an [Enterprise User](../enterprise_user/index.md). + +To issue user certificates, use the private key from the pair you [created earlier](#add-a-ca-certificate-to-a-top-level-group): + +```shell +ssh-keygen -s CA -I user@example.com -V +1d user-key.pub +``` + +The (`user-key.pub`) key is the public key from an SSH key pair that is used by a user for SSH authentication. +The SSH key pair is either generated by a user or provisioned by the group owner infrastructure along with the SSH certificate. + +The expiration date (`+1d`) identifies how long the SSH certificate can be used to access the group projects. + +The user certificates can only be used to access the projects within the top-level group. + +## Enforce SSH certificates + +> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/421915) in GitLab 16.7 [with a flag](../feature_flags.md) named `enforce_ssh_certificates_via_settings`. Disabled by default. + +FLAG: +On GitLab.com, this feature is not available. + +You can enforce usage of SSH certificates and forbid users from authenticating using SSH +keys and access tokens. + +When SSH certificates are enforced, only individual user accounts are affected. +It does not apply to service accounts, deploy keys, and other types of internal accounts. + +Prerequisites: + +- You must have the Owner role for the group. + +To enforce using SSH certificates: + +1. On the left sidebar, select **Search or go to** and find your group. +1. Select **Settings > General**. +1. Expand the **Permissions and group features** section. +1. Select the **Enforce SSH Certificates** checkbox. +1. Select **Save changes**. diff --git a/doc/user/group/subgroups/index.md b/doc/user/group/subgroups/index.md index e9064ff72a6..a63d4a98fa2 100644 --- a/doc/user/group/subgroups/index.md +++ b/doc/user/group/subgroups/index.md @@ -1,7 +1,7 @@ --- stage: Data Stores group: Tenant Scale -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments --- # Subgroups **(FREE ALL)** @@ -49,7 +49,7 @@ graph TD ## View subgroups of a group -Prerequisite: +Prerequisites: - To view private nested subgroups, you must be a direct or inherited member of the private subgroup. @@ -58,23 +58,25 @@ To view the subgroups of a group: 1. On the left sidebar, select **Search or go to** and find your group. 1. Select the **Subgroups and projects** tab. -1. To view a nested subgroup, expand a subgroup in the hierarchy list. +1. Select the subgroup you want to view. + To view nested subgroups, expand (**{chevron-down}**) a subgroup. ### Private subgroups in public parent groups -In the hierarchy list, public groups with a private subgroup have an expand option (**{chevron-down}**) -for all users that indicate there is a subgroup. When users who are not direct or inherited members of -the private subgroup select expand (**{chevron-down}**), the nested subgroup does not display. +In the hierarchy list, public groups with private subgroups have an expand option (**{chevron-down}**), +which indicates the group has nested subgroups. The expand option (**{chevron-down}**) is visible +to all users, but the private group is displayed only to users who are direct or inherited members +of the private subgroup. -If you prefer to keep information about the presence of nested subgroups private, we advise that you -add private subgroups only to private parent groups. +If you prefer to keep information about the presence of nested subgroups private, +you should add private subgroups only to private parent groups. ## Create a subgroup Prerequisites: - You must have either: - - At least the Maintainer role for a group to create subgroups for it. + - At least the Maintainer role for a group. - The [role determined by a setting](#change-who-can-create-subgroups). These users can create subgroups even if group creation is [disabled by an Administrator](../../../administration/admin_area.md#prevent-a-user-from-creating-top-level-groups) in the user's settings. @@ -84,15 +86,14 @@ You cannot host a GitLab Pages subgroup website with a top-level domain name. Fo To create a subgroup: -1. On the left sidebar, select **Search or go to** and find a parent group for the subgroup. +1. On the left sidebar, select **Search or go to** and find the group you want to create the subgroup in. 1. On the parent group's overview page, in the upper-right corner, select **New subgroup**. -1. Select **Create group**. 1. Fill in the fields. View a list of [reserved names](../../reserved_names.md) that cannot be used as group names. -1. Select **Create group**. +1. Select **Create subgroup**. ### Change who can create subgroups -Prerequisite: +Prerequisites: - You must have at least the Maintainer role on the group, depending on the group's setting. @@ -102,25 +103,21 @@ To change who can create subgroups on a group: 1. On the left sidebar, select **Search or go to** and find your group. 1. Select **Settings > General**. 1. Expand **Permissions and group features**. - 1. Select a role from **Roles allowed to create subgroups**. + 1. From **Roles allowed to create subgroups**, select an option. 1. Select **Save changes**. - As an administrator: - 1. On the left sidebar, select **Search or go to**. - 1. Select **Admin Area**. - 1. On the left sidebar, select **Overview > Groups**. - 1. In the group's row select **Edit**. - 1. Select a role from **Allowed to create subgroups**. + 1. On the left sidebar, at the bottom, select **Admin Area**. + 1. On the left sidebar, select **Overview > Groups** and find your group. + 1. In the group's row, select **Edit**. + 1. From the **Allowed to create subgroups** dropdown list, select an option. 1. Select **Save changes**. For more information, view the [permissions table](../../permissions.md#group-members-permissions). ## Subgroup membership -NOTE: -There is a bug that causes some pages in the parent group to be accessible by subgroup members. For more details, see [this issue](https://gitlab.com/gitlab-org/gitlab/-/issues/340421). - -When you add a member to a group, that member is also added to all subgroups. The user's permissions are inherited from -the group's parent. +When you add a member to a group, that member is also added to all subgroups of that group. +The member's permissions are inherited from the group's parent. Subgroup members can be: @@ -163,6 +160,7 @@ To see if a member has inherited the permissions from a parent group: 1. On the left sidebar, select **Search or go to** and find your group. 1. Select **Manage > Members**. + The member's inheritance is displayed in the **Source** column. Members list for an example subgroup _Four_: @@ -189,22 +187,23 @@ Members can be [filtered by inherited or direct membership](../index.md#filter-a ### Override ancestor group membership -Users with the Owner role on a subgroup can add members to it. +Users with the Owner role in a subgroup can add members to it. -You can't give a user a role on a subgroup that's lower than the roles they have on ancestor groups. To override a user's -role on an ancestor group, add the user to the subgroup again with a higher role. For example: +You can't give a user a role in a subgroup that is lower than the roles the user has in ancestor groups. +To override a user's role in an ancestor group, add the user to the subgroup again with a higher role. +For example: -- If User 1 is added to group _Two_ with the Developer role, they inherit that role in every subgroup of group _Two_. -- To give User 1 the Maintainer role on group _Four_ (under _One / Two / Three_), add them again to group _Four_ with +- If User 1 is added to group _Two_ with the Developer role, User 1 inherits that role in every subgroup of group _Two_. +- To give User 1 the Maintainer role in group _Four_ (under _One / Two / Three_), add User 1 again to group _Four_ with the Maintainer role. -- If User 1 is removed from group _Four_, their role falls back to their role on group _Two_. They have the Developer - role on group _Four_ again. +- If User 1 is removed from group _Four_, the user's role falls back to their role in group _Two_. User 1 has the Developer + role in group _Four_ again. ## Mention subgroups Mentioning subgroups ([`@<subgroup_name>`](../../discussions/index.md#mentions)) in issues, commits, and merge requests -notifies all direct members of that group. Inherited members of a subgroup are not notified by mentions. Mentioning works the same as for projects and groups, and you can choose the group -of people to be notified. +notifies all direct members of that group. Inherited members of a subgroup are not notified by mentions. +Mentioning works the same as for projects and groups, and you can choose the group of members to be notified. <!-- ## Troubleshooting diff --git a/doc/user/group/troubleshooting.md b/doc/user/group/troubleshooting.md index 08343f604f1..d7086e9271e 100644 --- a/doc/user/group/troubleshooting.md +++ b/doc/user/group/troubleshooting.md @@ -1,7 +1,7 @@ --- stage: Data Stores group: Tenant Scale -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments --- # Troubleshooting groups diff --git a/doc/user/group/value_stream_analytics/index.md b/doc/user/group/value_stream_analytics/index.md index 2ed01a0ec05..0fdd572ed7c 100644 --- a/doc/user/group/value_stream_analytics/index.md +++ b/doc/user/group/value_stream_analytics/index.md @@ -1,8 +1,7 @@ --- -type: reference stage: Plan group: Optimize -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments --- # Value stream analytics **(FREE ALL)** @@ -208,9 +207,10 @@ You can change the name of a project environment in your GitLab CI/CD configurat > - Filtering [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/13216) in GitLab 13.3 > - Horizontal stage path [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/12196) in 13.0 and [feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/323982) in 13.12 > - Predefined date ranges dropdown list [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/408656/) in GitLab 16.5 [with a flag](../../../administration/feature_flags.md) named `vsa_predefined_date_ranges`. Disabled by default. +> - Predefined date ranges dropdown list [enabled on self-managed and GitLab.com](https://gitlab.com/gitlab-org/gitlab/-/issues/433149) in GitLab 16.7. FLAG: -On self-managed GitLab, by default the predefined date ranges dropdown list feature is not available. To make it available, an administrator can [enable the feature flag](../../../administration/feature_flags.md) named `vsa_predefined_date_ranges`. On GitLab.com, this feature is not available. The feature is not ready for production use. +On self-managed GitLab, by default the predefined date ranges dropdown list feature is available. To hide the feature per user, an administrator can [disable the feature flag](../../../administration/feature_flags.md) named `vsa_predefined_date_ranges`. On GitLab.com, this feature is available. Prerequisites: @@ -302,7 +302,7 @@ In GitLab 13.8 and earlier, deployment frequency metrics are calculated based on ## View lifecycle and DORA metrics -Prerequisite: +Prerequisites: - To view deployment metrics, you must have a [production environment configured](#how-value-stream-analytics-identifies-the-production-environment). |
