diff options
author | Roger Meier <r.meier@siemens.com> | 2019-06-03 06:15:53 +0200 |
---|---|---|
committer | Roger Meier <r.meier@siemens.com> | 2019-06-13 08:43:14 +0200 |
commit | 35d928c4a9fe7c8545f2ad1866a45ff28c1ef5d3 (patch) | |
tree | 1fbc5564681bb15335d6fc19a9231c377170ab10 /doc | |
parent | ff22dfbf7a4f539b676101b51e5ad892d56da920 (diff) | |
download | gitlab-ce-35d928c4a9fe7c8545f2ad1866a45ff28c1ef5d3.tar.gz |
refactor: apply "require 2FA" to all subgroup and ancestor group members, when changing
Diffstat (limited to 'doc')
-rw-r--r-- | doc/security/two_factor_authentication.md | 22 |
1 files changed, 20 insertions, 2 deletions
diff --git a/doc/security/two_factor_authentication.md b/doc/security/two_factor_authentication.md index ad5daef805a..49dadd5abc2 100644 --- a/doc/security/two_factor_authentication.md +++ b/doc/security/two_factor_authentication.md @@ -39,8 +39,26 @@ If you want to enforce 2FA only for certain groups, you can: To change this setting, you need to be administrator or owner of the group. -If there are multiple 2FA requirements (i.e. group + all users, or multiple -groups) the shortest grace period will be used. +> [From](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/24965) GitLab 12.0, 2FA settings for a group are also applied to subgroups. + +If you want to enforce 2FA only for certain groups, you can enable it in the +group settings and specify a grace period as above. To change this setting you +need to be administrator or owner of the group. + +The following are important notes about 2FA: + +- Projects belonging to a 2FA-enabled group that + [is shared](../user/project/members/share_project_with_groups.md) + with a 2FA-disabled group will *not* require members of the 2FA-disabled group to use + 2FA for the project. For example, if project *P* belongs to 2FA-enabled group *A* and + is shared with 2FA-disabled group *B*, members of group *B* can access project *P* + without 2FA. To ensure this scenario doesn't occur, + [prevent sharing of projects](../user/group/index.md#share-with-group-lock) + for the 2FA-enabled group. +- If you add additional members to a project within a group or subgroup that has + 2FA enabled, 2FA is **not** required for those individually added members. +- If there are multiple 2FA requirements (for example, group + all users, or multiple + groups) the shortest grace period will be used. ## Disabling 2FA for everyone |