Control access and visibility

Tier: Free, Premium, Ultimate Offering: Self-managed

GitLab enables users with administrator access to enforce specific controls on branches, projects, snippets, groups, and more.

To access the visibility and access control options:

  1. Sign in to GitLab as a user with Administrator access level.
  2. On the left sidebar, at the bottom, select Admin Area.
  3. Select Settings > General.
  4. Expand the Visibility and access controls section.

Define which roles can create projects

Instance-level protections for project creation define which roles can add projects to a group on the instance. To alter which roles have permission to create projects:

  1. Sign in to GitLab as a user with Administrator access level.
  2. On the left sidebar, at the bottom, select Admin Area.
  3. Select Settings > General.
  4. Expand the Visibility and access controls section.
  5. For Default project creation protection, select the desired roles:
    • No one.
    • Maintainers.
    • Developers and Maintainers.
  6. Select Save changes.

Restrict project deletion to administrators

Tier: Premium, Ultimate Offering: Self-managed
History
  • User interface changed in GitLab 15.1.

By default both administrators and anyone with the Owner role can delete a project. To restrict project deletion to only administrators:

  1. Sign in to GitLab as a user with administrator access.
  2. On the left sidebar, at the bottom, select Admin Area.
  3. Select Settings > General.
  4. Expand the Visibility and access controls section.
  5. Scroll to:
    • (GitLab 15.1 and later) Allowed to delete projects, and select Administrators.
    • (GitLab 15.0 and earlier) Default project deletion protection and select Only admins can delete project.
  6. Select Save changes.

Deletion protection

Tier: Premium, Ultimate Offering: Self-managed
History

Instance-level protection against accidental deletion of groups and projects.

Retention period

History

Groups and projects remain restorable within a defined retention period. By default this is 7 days but it can be changed. Setting the retention period to 0 means that groups and project are removed immediately and cannot be restored.

In GitLab 15.1 and later, the retention period must be between 1 and 90. If the retention period was 0 before the 15.1 update, then it gets automatically changed to 1 while also disabling deletion protection the next time any application setting is changed.

Delayed project deletion

History

To configure delayed project deletion:

  1. Sign in to GitLab as a user with administrator access.
  2. On the left sidebar, at the bottom, select Admin Area.
  3. Select Settings > General.
  4. Expand the Visibility and access controls section.
  5. Scroll to:
    • In GitLab 16.0 and later: Deletion protection and set the retention period to a value between 1 and 90.
    • In GitLab 15.11 with always_perform_delayed_deletion feature flag enabled: Deletion protection and set the retention period to a value between 1 and 90.
    • In GitLab 15.1 to 15.10: Deletion protection and select Keep deleted groups and projects, then set the retention period.
    • In GitLab 15.0 and earlier: Default delayed project protection and select Enable delayed project deletion by default for newly-created groups, then set the retention period.
  6. Select Save changes.

Deletion protection is not available for projects only (without being also being enabled for groups).

In GitLab 15.1, and later this setting is enforced on groups when disabled and it cannot be overridden.

Delayed group deletion

History

Groups remain restorable if the retention period is 1 or more days.

In GitLab 15.1 and later, delayed group deletion can be enabled by setting Deletion projection to Keep deleted. In GitLab 15.11 and later with the always_perform_delayed_deletion feature flag enabled, or in GitLab 16.0 and later:

  • The Keep deleted option is removed.
  • Delayed group deletion is the default.

Override defaults and delete immediately

Alternatively, projects that are marked for removal can be deleted immediately. To do so:

  1. Restore the project.
  2. Delete the project as described in the Administering Projects page.

Configure project visibility defaults

To set the default visibility levels for new projects:

  1. Sign in to GitLab as a user with Administrator access level.
  2. On the left sidebar, at the bottom, select Admin Area.
  3. Select Settings > General.
  4. Expand the Visibility and access controls section.
  5. Select the desired default project visibility:
    • Private - Project access must be granted explicitly to each user. If this project is part of a group, access is granted to members of the group.
    • Internal - The project can be accessed by any authenticated user except external users.
    • Public - The project can be accessed without any authentication.
  6. Select Save changes.

For more details on project visibility, see Project visibility.

Configure snippet visibility defaults

To set the default visibility levels for new snippets:

  1. Sign in to GitLab as a user with Administrator access level.
  2. On the left sidebar, at the bottom, select Admin Area.
  3. Select Settings > General.
  4. Expand the Visibility and access controls section.
  5. Select the desired default snippet visibility.
  6. Select Save changes.

For more details on snippet visibility, read Snippet visibility.

Configure group visibility defaults

To set the default visibility levels for new groups:

  1. Sign in to GitLab as a user with Administrator access level.
  2. On the left sidebar, at the bottom, select Admin Area.
  3. Select Settings > General.
  4. Expand the Visibility and access controls section.
  5. Select the desired default group visibility:
    • Private - The group and its projects can only be viewed by members.
    • Internal - The group and any internal projects can be viewed by any authenticated user except external users.
    • Public - The group and any public projects can be viewed without any authentication.
  6. Select Save changes.

For more details on group visibility, see Group visibility.

Restrict visibility levels

History
  • Changed in GitLab 16.3 to prevent restricting default project and group visibility, with a flag named prevent_visibility_restriction. Disabled by default.
  • prevent_visibility_restriction enabled by default in GitLab 16.4.
  • The flag prevent_visibility_restriction was removed in GitLab 16.7.

When restricting visibility levels, consider how these restrictions interact with permissions for subgroups and projects that inherit their visibility from the item you’re changing.

To restrict visibility levels for groups, projects, snippets, and selected pages:

  1. Sign in to GitLab as a user with Administrator access level.
  2. On the left sidebar, at the bottom, select Admin Area.
  3. Select Settings > General.
  4. Expand the Visibility and access controls section.
  5. In the Restricted visibility levels section, select the desired visibility levels to restrict.
    • If you restrict the Public level:
      • Only administrators are able to create public groups, projects, and snippets.
      • User profiles are only visible to authenticated users through the Web interface.
      • User attributes through the GraphQL API are:
    • If you restrict the Internal level:
      • Only administrators are able to create internal groups, projects, and snippets.
    • If you restrict the Private level:
      • Only administrators are able to create private groups, projects, and snippets.
  6. Select Save changes.
note
You cannot select the restricted default visibility level for new projects and groups.

Configure enabled Git access protocols

With GitLab access restrictions, you can select the protocols users can use to communicate with GitLab. Disabling an access protocol does not block port access to the server itself. The ports used for the protocol, SSH or HTTP(S), are still accessible. The GitLab restrictions apply at the application level.

To specify the enabled Git access protocols:

  1. Sign in to GitLab as a user with Administrator access level.
  2. On the left sidebar, at the bottom, select Admin Area.
  3. Select Settings > General.
  4. Expand the Visibility and access controls section.
  5. Select the desired Git access protocols:
    • Both SSH and HTTP(S)
    • Only SSH
    • Only HTTP(S)
  6. Select Save changes.

When both SSH and HTTP(S) are enabled, users can choose either protocol. If only one protocol is enabled:

  • The project page shows only the allowed protocol’s URL, with no option to change it.
  • GitLab shows a tooltip when you hover over the protocol for the URL, if user action (such as adding a SSH key or setting a password) is required:

    Project URL with SSH only access

GitLab only allows Git actions for the protocols you select.

caution
GitLab 10.7 and later allows the HTTP(S) protocol for Git clone or fetch requests performed with GitLab CI/CD job tokens, even if you select Only SSH. This is required for GitLab Runner and CI/CD jobs.

Customize Git clone URL for HTTP(S)

History

You can customize project Git clone URLs for HTTP(S), which affects the clone panel:

For example, if:

  • Your GitLab instance is at https://example.com, then project clone URLs are like https://example.com/foo/bar.git.
  • You want clone URLs that look like https://git.example.com/gitlab/foo/bar.git instead, you can set this setting to https://git.example.com/gitlab/.

Custom Git clone URL for HTTP

To specify a custom Git clone URL for HTTP(S):

  1. Enter a root URL for Custom Git clone URL for HTTP(S).
  2. Select Save changes.
note
SSH clone URLs can be customized in gitlab.rb by setting gitlab_rails['gitlab_ssh_host'] and other related settings.

Configure defaults for RSA, DSA, ECDSA, ED25519, ECDSA_SK, ED25519_SK SSH keys

These options specify the permitted types and lengths for SSH keys.

To specify a restriction for each key type:

  1. Select the desired option from the dropdown list.
  2. Select Save changes.

For more details, see SSH key restrictions.

Enable project mirroring

This option is enabled by default. By disabling it, both pull mirroring and push mirroring no longer work in every repository. They can only be re-enabled by an administrator user on a per-project basis.

Mirror settings

Configure globally-allowed IP address ranges

History

Administrators can set IP address ranges to be combined with group-level IP restrictions. Use globally-allowed IP addresses to allow aspects of the GitLab installation to work even when group-level IP address restrictions are set.

For example, if the GitLab Pages daemon runs on the 10.0.0.0/24 range, you can specify that range as globally-allowed. This means GitLab Pages can still fetch artifacts from pipelines even if group-level IP address restrictions don’t include the 10.0.0.0/24 range.

To add a IP address range to the group-level allowlist:

  1. Sign in to GitLab as a user with Administrator access level.
  2. On the left sidebar, at the bottom, select Admin Area.
  3. Select Settings > General.
  4. Expand the Visibility and access controls section.
  5. In Globally-allowed IP ranges, provide a list of IP address ranges. This list:
    • Has no limit on the number of IP address ranges.
    • Has a size limit of 1 GB.
    • Applies to both SSH or HTTP authorized IP address ranges. You cannot split this list by type of authorization.
  6. Select Save changes.