Configure access for the Agent Platform

  • Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated

You can turn GitLab Duo on or off for a group.

In addition, you can specify specific groups that can access Agent Platform features only.

Give a user access to Agent Platform features

To give a user access to specific Agent Platform features, complete the following steps.

Prerequisites:

  • You must be an administrator.

To give a user access to specific features:

  1. In the upper-right corner, select Admin.
  2. On the left sidebar, select GitLab Duo.
  3. Select Change configuration.
  4. Under Member Access, select Add group.
  5. Use the search box to select an existing group.
  6. Select the features that group members can access.
  7. Select Save changes.

The user now has access to these features anywhere in the instance that they have access and the features are turned on.

Prerequisites:

  • You must be an administrator of the top-level namespace.
  • An existing group or the ability to create a new group for DAP users.

To give a user access to specific features:

  1. In the top bar, select Search or go to and find your group.
  2. Select Settings > GitLab Duo.
  3. Select Change configuration.
  4. Under Member Access, select Add group.
  5. Use the search box to select an existing group.
  6. Select the features that group members can access.
  7. Select Save changes.

These settings apply to:

  • Users who have the top-level group as the default GitLab Duo namespace.
  • Users that don’t have access through their default namespace, but the current top-level group gives them ability to use the feature.

If you do not want to manually manage group membership, you can synchronize membership by using LDAP or SAML.

Multiple group membership

When a user is assigned to more than one group, they get the features from all assigned groups. For example:

  • In group A, they have access to classic features only.
  • In group B, they have access to flows only.

They will be able to access both classic features and flows.

When no group is configured

If no group is configured:

  • On GitLab.com: All members of the top-level namespace are eligible to use Duo Agent Platform features. Further controls (such as disabling features across the namespace) are still applied.
  • On GitLab Self-Managed: All users in the instance are eligible to use Agent Platform features.

In all scenarios, further controls such as disabling features across a namespace or instance still apply.

Synchronize group membership

If you use LDAP or SAML for authentication, you can synchronize group membership automatically:

  1. Configure your LDAP or SAML provider to include a group that represents DAP users.
  2. In GitLab, ensure the group is linked to your LDAP/SAML provider.
  3. Group membership updates automatically when users are added or removed from the provider group.

For more information, see:

Use cases

You can use groups to implement phased rollouts or for testing purposes.

Phased rollout

To implement a phased rollout of the Agent Platform:

  1. Create a group for pilot users (for example, pilot-users).
  2. Add a subset of users to this group.
  3. Gradually add more users to the group as you validate functionality and train users.
  4. When ready for full rollout, add all users to the group.

Testing and validation

To test Agent Platform capabilities in a controlled environment:

  1. Create a dedicated group for testing (for example, agent-testers).
  2. Create a test namespace or project.
  3. Add test users to the agent-testers group.
  4. Validate functionality and train users before broader rollout.