summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRussell Dickenson <rdickenson@gitlab.com>2019-09-10 10:56:27 +1000
committerRussell Dickenson <rdickenson@gitlab.com>2019-09-10 15:14:02 +1000
commit91de810cb8a986cd508336b48e4fb9fa4d814f8d (patch)
tree13e2727d75b652c3bccf3105b8a8d6ce6c1fb266
parent2f58f73348088e88ce15982bce764f8e3f6efc6d (diff)
downloadgitlab-ce-docs/visibility-and-access-controls.tar.gz
Updated Visibility and access controls docsdocs/visibility-and-access-controls
Updated docs of the Admin Area's 'Visibility and access controls' docs to match the options available in the UI. - Deleted 3 unnecesssary images. - Added links to and from relevant topics. - Added several sections. - Removed index in introduction as it was unnecessary. - Changed reference style links into inline links.
-rw-r--r--doc/public_access/img/restrict_visibility_levels.pngbin18825 -> 0 bytes
-rw-r--r--doc/public_access/public_access.md15
-rw-r--r--doc/user/admin_area/settings/img/access_restrictions.pngbin3794 -> 0 bytes
-rw-r--r--doc/user/admin_area/settings/img/import_sources.pngbin5891 -> 0 bytes
-rw-r--r--doc/user/admin_area/settings/visibility_and_access_controls.md137
-rw-r--r--doc/user/group/index.md16
-rw-r--r--doc/user/project/protected_branches.md2
7 files changed, 123 insertions, 47 deletions
diff --git a/doc/public_access/img/restrict_visibility_levels.png b/doc/public_access/img/restrict_visibility_levels.png
deleted file mode 100644
index e9315cfb701..00000000000
--- a/doc/public_access/img/restrict_visibility_levels.png
+++ /dev/null
Binary files differ
diff --git a/doc/public_access/public_access.md b/doc/public_access/public_access.md
index dc6ee9b2503..380956c77b9 100644
--- a/doc/public_access/public_access.md
+++ b/doc/public_access/public_access.md
@@ -4,7 +4,7 @@ type: reference
# Public access
-GitLab allows [Owners](../user/permissions.md) to set a projects' visibility as **public**, **internal**
+GitLab allows [Owners](../user/permissions.md) to set a project's visibility as **public**, **internal**
or **private**. These visibility levels affect who can see the project in the
public access directory (`/public` under your GitLab instance), like at <https://gitlab.com/public>
@@ -12,7 +12,7 @@ public access directory (`/public` under your GitLab instance), like at <https:/
### Public projects
-Public projects can be cloned **without any** authentication over https.
+Public projects can be cloned **without any** authentication over HTTPS.
They will be listed in the public access directory (`/public`) for all users.
@@ -71,15 +71,12 @@ If the public level is restricted, user profiles are only visible to logged in u
## Restricting the use of public or internal projects
-In the Admin area under **Settings** (`/admin/application_settings`), you can
-restrict the use of visibility levels for users when they create a project or a
-snippet:
-
-![Restrict visibility levels](img/restrict_visibility_levels.png)
-
-This is useful to prevent people exposing their repositories to public
+You can restrict the use of visibility levels for users when they create a project or a
+snippet. This is useful to prevent people exposing their repositories to public
by accident. The restricted visibility settings do not apply to admin users.
+For details, see [Restricted visibility levels](../user/admin_area/settings/visibility_and_access_controls.md#restricted-visibility-levels).
+
<!-- ## Troubleshooting
Include any troubleshooting steps that you can foresee. If you know beforehand what issues
diff --git a/doc/user/admin_area/settings/img/access_restrictions.png b/doc/user/admin_area/settings/img/access_restrictions.png
deleted file mode 100644
index 8c5336c7835..00000000000
--- a/doc/user/admin_area/settings/img/access_restrictions.png
+++ /dev/null
Binary files differ
diff --git a/doc/user/admin_area/settings/img/import_sources.png b/doc/user/admin_area/settings/img/import_sources.png
deleted file mode 100644
index 20829a27dd7..00000000000
--- a/doc/user/admin_area/settings/img/import_sources.png
+++ /dev/null
Binary files differ
diff --git a/doc/user/admin_area/settings/visibility_and_access_controls.md b/doc/user/admin_area/settings/visibility_and_access_controls.md
index 1e2f5705728..f7173f746ff 100644
--- a/doc/user/admin_area/settings/visibility_and_access_controls.md
+++ b/doc/user/admin_area/settings/visibility_and_access_controls.md
@@ -4,15 +4,7 @@ type: reference
# Visibility and access controls **(CORE ONLY)**
-GitLab allows administrators to:
-
-- Control access and visibility to GitLab resources including branches and projects.
-- Select from which hosting sites code can be imported into GitLab.
-- Select the protocols permitted to access GitLab.
-- Enable or disable repository mirroring.
-- Prevent non-administrators from deleting projects
- ([introduced](https://gitlab.com/gitlab-org/gitlab-ee/issues/5615) in GitLab 12.0).
- **(PREMIUM ONLY)**
+GitLab allows administrators to enforce specific controls.
To access the visibility and access control options:
@@ -20,29 +12,110 @@ To access the visibility and access control options:
1. Go to **Admin Area > Settings > General**.
1. Expand the **Visibility and access controls** section.
+## Default branch protection
+
+Branch protection specifies which roles can push to branches, and delete branches.
+
+To change the default branch protection:
+
+1. Select the desired option.
+1. Click **Save changes**.
+
+For more details, see [Protected branches](../../project/protected_branches.md).
+
+## Default project creation protection
+
+Project creation protection specifies which roles can create projects.
+
+To change the default project creation protection:
+
+1. Select the desired option.
+1. Click **Save changes**.
+
+For more details, see [Default project-creation level](../../group/index.md#default-project-creation-level).
+
+## Default project deletion protection
+
+By default, a project can be deleted by anyone with the **Owner** role, either at the project or
+group level.
+
+To ensure only admin users can delete projects:
+
+1. Check the **Default project deletion protection** checkbox.
+1. Click **Save changes**.
+
+## Default project visibility
+
+To set the default visibility levels for new projects:
+
+1. Select the desired default project visibility.
+1. Click **Save changes**.
+
+For more details on project visibility, see [Public access](../../../public_access/public_access.md).
+
+## Default snippet visibility
+
+To set the default visibility levels for new snippets:
+
+1. Select the desired default snippet visibility.
+1. Click **Save changes**.
+
+For more details on snippet visibility, see [Public access](../../../public_access/public_access.md).
+
+## Default group visibility
+
+To set the default visibility levels for new groups:
+
+1. Select the desired default group visibility.
+1. Click **Save changes**.
+
+For more details on group visibility, see [Public access](../../../public_access/public_access.md).
+
+## Restricted visibility levels
+
+To set the available visibility levels for new projects and snippets:
+
+1. Check the desired visibility levels.
+1. Click **Save changes**.
+
+For more details on project visibility, see [Public access](../../../public_access/public_access.md).
+
## Import sources
-Choose from which hosting sites users can
-[import their projects](../../project/import/index.md).
+To specify from which hosting sites users can [import their projects](../../project/import/index.md):
+
+1. Check the checkbox beside the name of each hosting site.
+1. Click **Save changes**.
-![import sources](img/import_sources.png)
+## Project export
+
+To enable project export:
+
+1. Check the **Project export enabled** checkbox.
+1. Click **Save changes**.
+
+For more details, see [Exporting a project and its data](../../../user/project/settings/import_export.md#exporting-a-project-and-its-data).
## Enabled Git access protocols
-> [Introduced][ce-4696] in GitLab 8.10.
+> [Introduced](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/4696) in GitLab 8.10.
With GitLab's access restrictions, you can select with which protocols users can communicate with
GitLab.
-From the **Enabled Git access protocols** dropdown, select one of the following:
+Disabling an access protocol does not block access to the server itself via those ports. The ports
+used for the protocol, SSH or HTTP, will still be accessible. The GitLab restrictions apply at the
+application level.
-- Both SSH and HTTP(S)
-- Only SSH
-- Only HTTP(s)
+To specify the enabled Git access protocols:
-![Settings Overview](img/access_restrictions.png)
+1. Select the desired Git access protocols from the dropdown:
+ - Both SSH and HTTP(S)
+ - Only SSH
+ - Only HTTP(s)
+1. Click **Save changes**.
-When both SSH and HTTP(S) are enabled, your users can choose either protocol.
+When both SSH and HTTP(S) are enabled, users can choose either protocol.
When only one protocol is enabled:
@@ -57,18 +130,24 @@ On top of these UI restrictions, GitLab will deny all Git actions on the protoco
not selected.
CAUTION: **Important:**
-Starting with [GitLab 10.7][ce-18021], HTTP(s) protocol will be allowed for
-git clone/fetch requests done by GitLab Runner from CI/CD Jobs, even if
-_Only SSH_ was selected.
+Starting with [GitLab 10.7](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/18021),
+HTTP(s) protocol will be allowed for Git clone/fetch requests done by GitLab Runner from CI/CD
+Jobs, even if _Only SSH_ was selected.
-> **Note:** Please keep in mind that disabling an access protocol does not actually
-block access to the server itself. The ports used for the protocol, be it SSH or
-HTTP, will still be accessible. What GitLab does is restrict access on the
-application level.
+## RSA, DSA, ECDSA, ED25519 SSH keys
+
+These options specify the permitted types and lengths for SSH keys.
+
+To specify a restriction for each key type:
+
+1. Select the desired option from the dropdown.
+1. Click **Save changes**.
+
+For more details, see [SSH key restrictions](../../../security/ssh_keys_restrictions.md).
## Allow mirrors to be set up for projects
-> [Introduced][ee-3586] in GitLab 10.3.
+> [Introduced](https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/3586) in GitLab 10.3.
This option is enabled by default. By disabling it, both pull and push mirroring will no longer
work in every repository and can only be re-enabled by an admin on a per-project basis.
@@ -86,7 +165,3 @@ questions that you know someone might ask.
Each scenario can be a third-level heading, e.g. `### Getting error message X`.
If you have none to add when creating a doc, leave this section in place
but commented out to help encourage others to add to it in the future. -->
-
-[ce-4696]: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/4696
-[ce-18021]: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/18021
-[ee-3586]: https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/3586
diff --git a/doc/user/group/index.md b/doc/user/group/index.md
index c09acd36e31..6e8643ec28f 100644
--- a/doc/user/group/index.md
+++ b/doc/user/group/index.md
@@ -182,14 +182,18 @@ There are two different ways to add a new project to a group:
> Brought to [GitLab Starter][ee] in 10.7.
> [Moved](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/25975) to [GitLab Core](https://about.gitlab.com/pricing/) in 11.10.
-Group owners and administrators can allow users with the
-Developer role to create projects under groups.
+Group owners and administrators can allow users with the Developer role to create projects under
+groups. By default, [Developers and Maintainers](../permissions.md#group-members-permissions) can create projects under a group.
-By default, [Developers and Maintainers](../permissions.md#group-members-permissions) can create projects under a group. You can change this setting for a specific group within the group settings, or
-you can set this option globally in the Admin area
-at **Settings > General > Visibility and access controls** (you must be a GitLab administrator).
+To change this setting for a specific group:
-Available settings are `No one`, `Maintainers`, or `Developers + Maintainers`.
+1. Go to the group's page.
+1. Go to **Settings > General**.
+1. Expand the **Permissions, LFS, 2FA** section.
+1. Select the desired option in the **Allowed to create projects** dropdown list.
+1. Click **Save changes**.
+
+To change this setting globally, see [Default project creation protection](../admin_area/settings/visibility_and_access_controls.md#default-project-creation-protection).
## Transfer projects into groups
diff --git a/doc/user/project/protected_branches.md b/doc/user/project/protected_branches.md
index be9ad620c73..2383e909f5d 100644
--- a/doc/user/project/protected_branches.md
+++ b/doc/user/project/protected_branches.md
@@ -24,7 +24,7 @@ A GitLab admin is allowed to push to the protected branches.
See the [Changelog](#changelog) section for changes over time.
-The default branch protection level can be set in the [Admin Area](../admin_area/settings/visibility_and_access_controls.md#default-branch-protection).
+The default branch protection level is set in the [Admin Area](../admin_area/settings/visibility_and_access_controls.md#default-branch-protection).
## Configuring protected branches