diff options
Diffstat (limited to 'doc/user/group')
24 files changed, 152 insertions, 53 deletions
diff --git a/doc/user/group/clusters/index.md b/doc/user/group/clusters/index.md index 89e0c4898fb..e61b24f84f6 100644 --- a/doc/user/group/clusters/index.md +++ b/doc/user/group/clusters/index.md @@ -84,7 +84,7 @@ your cluster, which can cause deployment jobs to fail. To clear the cache: -1. Navigate to your group’s **{cloud-gear}** **Kubernetes** page, +1. Navigate to your group’s **Kubernetes** page, and select your cluster. 1. Expand the **Advanced settings** section. 1. Click **Clear cluster cache**. diff --git a/doc/user/group/custom_project_templates.md b/doc/user/group/custom_project_templates.md index ebeacda24c6..fd8d966fbe1 100644 --- a/doc/user/group/custom_project_templates.md +++ b/doc/user/group/custom_project_templates.md @@ -9,8 +9,49 @@ info: To determine the technical writer assigned to the Stage/Group associated w > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/6861) in [GitLab Premium](https://about.gitlab.com/pricing/) 11.6. -When you create a new [project](../project/index.md), creating it based on custom project templates is -a convenient option. +Custom project templates are useful for organizations that need to create many similar types of [projects](../project/index.md) and want to start from the same jumping-off point. + +## Setting up Group-level Project Templates + +To use a custom project template for a new project you need to: + +1. [Create a 'templates' subgroup](subgroups/index.md). +1. [Add repositories (projects) to the that new subgroup](index.md#add-projects-to-a-group), as your templates. +1. Edit your group's settings to look to your 'templates' subgroup for templates: + 1. In the left-hand menu, click **{settings}** **Settings > General**. + + NOTE: **Note:** + If you don't have access to the group's settings, you may not have sufficient privileges (for example, you may need developer or higher permissions). + + 1. Scroll to **Custom project templates** and click **Expand**. If no **Custom project templates** section displays, make sure you've created a subgroup, and added a project (repository) to it. + 1. Select the 'templates' subgroup. + +### Example structure + +Here is a sample group/project structure for a hypothetical "Acme Co" for project templates: + +```txt +# GitLab instance and group +gitlab.com/acmeco/ + # Subgroups + internal + tools + # Subgroup for handling project templates + websites + templates + # Project templates + client-site-django + client-site-gatsby + client-site-hTML + + # Other projects + client-site-a + client-site-b + client-site-c + ... +``` + +### Adjust Settings Users can configure a GitLab group that serves as template source under a group's **Settings > General > Custom project templates**. diff --git a/doc/user/group/epics/img/epic_activity_sort_order_v13_2.png b/doc/user/group/epics/img/epic_activity_sort_order_v13_2.png Binary files differindex c7e1448fea9..ce85efe3e67 100644 --- a/doc/user/group/epics/img/epic_activity_sort_order_v13_2.png +++ b/doc/user/group/epics/img/epic_activity_sort_order_v13_2.png diff --git a/doc/user/group/epics/img/issue_list_v13_1.png b/doc/user/group/epics/img/issue_list_v13_1.png Binary files differindex f08f774e986..ed0b4842bfe 100644 --- a/doc/user/group/epics/img/issue_list_v13_1.png +++ b/doc/user/group/epics/img/issue_list_v13_1.png diff --git a/doc/user/group/epics/img/new_epic_form_v13.2.png b/doc/user/group/epics/img/new_epic_form_v13.2.png Binary files differindex 3d24763d105..ac1450ae111 100644 --- a/doc/user/group/epics/img/new_epic_form_v13.2.png +++ b/doc/user/group/epics/img/new_epic_form_v13.2.png diff --git a/doc/user/group/epics/img/new_epic_from_groups_v13.2.png b/doc/user/group/epics/img/new_epic_from_groups_v13.2.png Binary files differindex 85bc4255595..bb75605af60 100644 --- a/doc/user/group/epics/img/new_epic_from_groups_v13.2.png +++ b/doc/user/group/epics/img/new_epic_from_groups_v13.2.png diff --git a/doc/user/group/epics/index.md b/doc/user/group/epics/index.md index a2b04e2d7fe..04b57d13828 100644 --- a/doc/user/group/epics/index.md +++ b/doc/user/group/epics/index.md @@ -20,6 +20,10 @@ An epic's page contains the following tabs: shown in a tree view. - Click the chevron (**>**) next to a parent epic to reveal the child epics and issues. - Hover over the total counts to see a breakdown of open and closed items. + + NOTE: **Note:** + The number provided here includes all epics associated with this project. The number includes epics for which users may not currently have permission. + - **Roadmap**: a roadmap view of child epics which have start and due dates. ![epic view](img/epic_view_v13.0.png) @@ -65,7 +69,8 @@ to add an issue to an epic, reorder issues, move issues between epics, or promot ## Issue health status in Epic tree **(ULTIMATE)** -> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/199184) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.10. +> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/199184) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.10. +> - The health status of a closed issue [will be hidden](https://gitlab.com/gitlab-org/gitlab/-/issues/220867) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 13.3 or later. You can report on and quickly respond to the health of individual issues and epics by setting a red, amber, or green [health status on an issue](../../project/issues/index.md#health-status-ultimate), @@ -175,7 +180,7 @@ Once you write your comment, you can either: ### Activity sort order -> [Introduced](https://https://gitlab.com/gitlab-org/gitlab/-/issues/214364) in [GitLab Premium](https://about.gitlab.com/pricing/) 13.2. +> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/214364) in [GitLab Premium](https://about.gitlab.com/pricing/) 13.2. You can reverse the default order and interact with the activity feed sorted by most recent items at the top. Your preference is saved via local storage and automatically applied to every issue diff --git a/doc/user/group/epics/manage_epics.md b/doc/user/group/epics/manage_epics.md index 4f9bb0e24fb..aaa5d3a3034 100644 --- a/doc/user/group/epics/manage_epics.md +++ b/doc/user/group/epics/manage_epics.md @@ -151,9 +151,18 @@ The sort option and order is saved and used wherever you browse epics, including > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/213068) in [GitLab Premium](https://about.gitlab.com/pricing/) 13.0 behind a feature flag, disabled by default. > - [Became enabled by default](https://gitlab.com/gitlab-org/gitlab/-/issues/224513) in [GitLab Premium](https://about.gitlab.com/pricing/) 13.2. +> - You can [use the Confidentiality option in the epic sidebar](https://gitlab.com/gitlab-org/gitlab/-/issues/197340) in GitLab [Premium](https://about.gitlab.com/pricing/) 13.3 and later. -When you're creating an epic, you can make it confidential by selecting the **Make this epic -confidential** checkbox. +If you're working on items that contain private information, you can make an epic confidential. + +NOTE: **Note:** +A confidential epic can only contain confidential issues and confidential child epics. + +To make an epic confidential: + +- **When creating an epic:** select the checkbox **Make this epic confidential**. +- **In an existing epic:** in the epic's sidebar, select **Edit** next to **Confidentiality** then + select **Turn on**. ### Disable confidential epics **(PREMIUM ONLY)** @@ -271,6 +280,16 @@ The following issue metadata will be copied to the epic: - Upvotes/downvotes. - Participants. - Group labels that the issue already has. +- Parent epic. **(ULTIMATE)** + +### Use an epic template for repeating issues + +You can create a spreadsheet template to manage a pattern of consistently repeating issues. + +<i class="fa fa-youtube-play youtube" aria-hidden="true"></i> +For an introduction to epic templates, see [GitLab Epics and Epic Template Tip](https://www.youtube.com/watch?v=D74xKFNw8vg). + +For more on epic templates, see [Epic Templates - Repeatable sets of issues](https://about.gitlab.com/handbook/marketing/product-marketing/getting-started/104/). ## Manage multi-level child epics **(ULTIMATE)** diff --git a/doc/user/group/img/add_new_members.png b/doc/user/group/img/add_new_members.png Binary files differindex 6d43e309e84..8bd9e2374bc 100644 --- a/doc/user/group/img/add_new_members.png +++ b/doc/user/group/img/add_new_members.png diff --git a/doc/user/group/img/ldap_sync_cn_v13_1.png b/doc/user/group/img/ldap_sync_cn_v13_1.png Binary files differindex 1b0a20b7e64..279b3192328 100644 --- a/doc/user/group/img/ldap_sync_cn_v13_1.png +++ b/doc/user/group/img/ldap_sync_cn_v13_1.png diff --git a/doc/user/group/img/ldap_sync_filter_v13_1.png b/doc/user/group/img/ldap_sync_filter_v13_1.png Binary files differindex 3fc1f28becd..655bed58d46 100644 --- a/doc/user/group/img/ldap_sync_filter_v13_1.png +++ b/doc/user/group/img/ldap_sync_filter_v13_1.png diff --git a/doc/user/group/img/manual_permissions_v13_1.png b/doc/user/group/img/manual_permissions_v13_1.png Binary files differindex 504e6ab3a42..0ada9a4839c 100644 --- a/doc/user/group/img/manual_permissions_v13_1.png +++ b/doc/user/group/img/manual_permissions_v13_1.png diff --git a/doc/user/group/index.md b/doc/user/group/index.md index 5ba0680127c..22ad311ab4f 100644 --- a/doc/user/group/index.md +++ b/doc/user/group/index.md @@ -219,7 +219,7 @@ By default, every group inherits the branch protection set at the global level. To change this setting for a specific group: -1. Go to the group's **{settings}** **Settings > General** page. +1. Go to the group's **Settings > General** page. 1. Expand the **Permissions, LFS, 2FA** section. 1. Select the desired option in the **Default branch protection** dropdown list. 1. Click **Save changes**. @@ -278,7 +278,7 @@ The group details view also shows the number of the following items created in t - Issues. - Members. -These Group Activity Analytics can be enabled with the `group_activity_analytics` [feature flag](../../development/feature_flags/development.md#enabling-a-feature-flag-in-development). +These Group Activity Analytics can be enabled with the `group_activity_analytics` [feature flag](../../development/feature_flags/development.md#enabling-a-feature-flag-locally-in-development). ![Recent Group Activity](img/group_activity_analytics_v12_10.png) @@ -334,7 +334,7 @@ To share a given group, for example, 'Frontend' with another group, for example, All the members of the 'Engineering' group will have been added to 'Frontend'. -## Manage group memberships via LDAP +## Manage group memberships via LDAP **(STARTER ONLY)** Group syncing allows LDAP groups to be mapped to GitLab groups. This provides more control over per-group user management. To configure group syncing edit the `group_base` **DN** (`'OU=Global Groups,OU=GitLab INT,DC=GitLab,DC=org'`). This **OU** contains all groups that will be associated with GitLab groups. @@ -426,6 +426,7 @@ When transferring groups, note: - You must update your local repositories to point to the new location. - If the immediate parent group's visibility is lower than the group's current visibility, visibility levels for subgroups and projects will change to match the new parent group's visibility. - Only explicit group membership is transferred, not inherited membership. If the group's owners have only inherited membership, this leaves the group without an owner. In this case, the user transferring the group becomes the group's owner. +- Transfers will fail if [packages](../packages/index.md) exist in any of the projects within the group, or in any of its subgroups. ## Group settings @@ -442,7 +443,7 @@ access further configurations for your group. #### Changing a group's path -Changing a group's path can have unintended side effects. Read +Changing a group's path (group URL) can have unintended side effects. Read [how redirects will behave](../project/index.md#redirects-when-changing-repository-paths) before proceeding. @@ -450,12 +451,12 @@ If you are vacating the path so it can be claimed by another group or user, you may need to rename the group too, since both names and paths must be unique. -To change your group path: +To change your group path (group URL): 1. Navigate to your group's **Settings > General** page. 1. Expand the **Path, transfer, remove** section. -1. Enter a new name under **Change group path**. -1. Click **Change group path**. +1. Enter a new name under **Change group URL**. +1. Click **Change group URL**. CAUTION: **Caution:** It is currently not possible to rename a namespace if it contains a @@ -471,7 +472,7 @@ username, you can create a new group and transfer projects to it. To remove a group and its contents: -1. Navigate to your group's **{settings}** **Settings > General** page. +1. Navigate to your group's **Settings > General** page. 1. Expand the **Path, transfer, remove** section. 1. In the Remove group section, click the **Remove group** button. 1. Confirm the action when asked to. @@ -479,7 +480,7 @@ To remove a group and its contents: This action either: - Removes the group, and also queues a background job to delete all projects in that group. -- Since [GitLab 12.8](https://gitlab.com/gitlab-org/gitlab/-/issues/33257), on [Premium or Silver](https://about.gitlab.com/pricing/premium/) or higher tiers, marks a group for deletion. The deletion will happen 7 days later by default, but this can be changed in the [instance settings](../admin_area/settings/visibility_and_access_controls.md#default-deletion-adjourned-period-premium-only). +- Since [GitLab 12.8](https://gitlab.com/gitlab-org/gitlab/-/issues/33257), on [Premium or Silver](https://about.gitlab.com/pricing/premium/) or higher tiers, marks a group for deletion. The deletion will happen 7 days later by default, but this can be changed in the [instance settings](../admin_area/settings/visibility_and_access_controls.md#default-deletion-delay-premium-only). ### Restore a group **(PREMIUM)** @@ -487,7 +488,7 @@ This action either: To restore a group that is marked for deletion: -1. Navigate to your group's **{settings}** **Settings > General** page. +1. Navigate to your group's **Settings > General** page. 1. Expand the **Path, transfer, remove** section. 1. In the Restore group section, click the **Restore group** button. @@ -659,7 +660,7 @@ Optionally, on [Premium or Silver](https://about.gitlab.com/pricing/) or higher you can configure the projects within a group to be deleted after a delayed interval. During this interval period, the projects will be in a read-only state and can be restored, if required. -The interval period defaults to 7 days, and can be modified by an admin in the [instance settings](../admin_area/settings/visibility_and_access_controls.md#default-deletion-adjourned-period-premium-only). +The interval period defaults to 7 days, and can be modified by an admin in the [instance settings](../admin_area/settings/visibility_and_access_controls.md#default-deletion-delay-premium-only). To enable delayed deletion of projects: @@ -667,6 +668,23 @@ To enable delayed deletion of projects: 1. Expand the **Permissions, LFS, 2FA** section, and check **Enable delayed project removal**. 1. Click **Save changes**. +#### Prevent project forking outside group **(PREMIUM)** + +> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/216987) in GitLab 13.3. + +By default, projects within a group can be forked. +Optionally, on [Premium or Silver](https://about.gitlab.com/pricing/) or higher tiers, +you can prevent the projects within a group from being forked outside of the current top-level group. + +Previously this setting was available only for groups enforcing group managed account. This setting will be +removed from SAML setting page and migrated to group setting, but in the interim period of changes both of those settings will be taken into consideration, if even one is set to `true` then it will be assumed group does not allow forking projects outside. + +To enable prevent project forking: + +1. Navigate to the top-level group's **Settings > General** page. +1. Expand the **Permissions, LFS, 2FA** section, and check **Prevent project forking outside current group**. +1. Click **Save changes**. + ### Advanced settings - **Projects**: View all projects within that group, add members to each project, @@ -725,9 +743,9 @@ With [GitLab Contribution Analytics](contribution_analytics/index.md), you have an overview of the contributions (pushes, merge requests, and issues) performed by your group members. -## Issues analytics **(PREMIUM)** +## Issue analytics **(PREMIUM)** -With [GitLab Issues Analytics](issues_analytics/index.md), you can see a bar chart of the number of issues created each month in your groups. +With [GitLab Issue Analytics](issues_analytics/index.md), you can see a bar chart of the number of issues created each month in your groups. ## Dependency Proxy **(PREMIUM)** diff --git a/doc/user/group/issues_analytics/img/issues_table_v13_1.png b/doc/user/group/issues_analytics/img/issues_table_v13_1.png Binary files differindex 0f94f1ba2c5..3e8a729a884 100644 --- a/doc/user/group/issues_analytics/img/issues_table_v13_1.png +++ b/doc/user/group/issues_analytics/img/issues_table_v13_1.png diff --git a/doc/user/group/issues_analytics/index.md b/doc/user/group/issues_analytics/index.md index 01cee3d09b8..69512f90fca 100644 --- a/doc/user/group/issues_analytics/index.md +++ b/doc/user/group/issues_analytics/index.md @@ -5,16 +5,16 @@ group: Analytics info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#designated-technical-writers --- -# Issues Analytics **(PREMIUM)** +# Issue Analytics **(PREMIUM)** > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/7478) in [GitLab Premium](https://about.gitlab.com/pricing/) 11.5. > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/196561) in [GitLab Premium](https://about.gitlab.com/pricing/) 12.9 at the project level. -Issues Analytics is a bar graph which illustrates the number of issues created each month. +Issue Analytics is a bar graph which illustrates the number of issues created each month. The default timespan is 13 months, which includes the current month, and the 12 months prior. -To access the chart, navigate to your group or project sidebar and select **{chart}** **Analytics > Issues Analytics**. +To access the chart, navigate to your group or project sidebar and select **{chart}** **Analytics > Issue Analytics**. Hover over each bar to see the total number of issues. diff --git a/doc/user/group/saml_sso/group_managed_accounts.md b/doc/user/group/saml_sso/group_managed_accounts.md index e317573d89d..126970ebbb6 100644 --- a/doc/user/group/saml_sso/group_managed_accounts.md +++ b/doc/user/group/saml_sso/group_managed_accounts.md @@ -7,13 +7,16 @@ info: To determine the technical writer assigned to the Stage/Group associated w # Group Managed Accounts **(PREMIUM)** -CAUTION: **Warning:** -This is a [Closed Beta](https://about.gitlab.com/handbook/product/#closed-beta) feature. +CAUTION: **Caution:** +This [Closed Beta](https://about.gitlab.com/handbook/product/#closed-beta) feature is being re-evaluated in favor of a different +[identity model](https://gitlab.com/gitlab-org/gitlab/-/issues/218631) that does not require separate accounts. +We recommend that group administrators who haven't yet implemented this feature wait for +the new solution. > - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/709) in GitLab 12.1. > - It's deployed behind a feature flag, disabled by default. -When [SSO for Groups](index.md) is being enforced, groups can enable an additional level of protection by enforcing the creation of dedicated user accounts to access the group. +When [SSO for Groups](index.md) is enforced, groups can enable an additional level of protection by enforcing the creation of dedicated user accounts to access the group. With group-managed accounts enabled, users are required to create a new, dedicated user linked to the group. The notification email address associated with the user is locked to the email address received from the configured identity provider. @@ -21,8 +24,8 @@ Without group-managed accounts, users can link their SAML identity with any exis When this option is enabled: -- All users in the group will be required to log in via the SSO URL associated with the group. -- After the group-managed account has been created, group activity will require the use of this user account. +- All users in the group are required to log in via the SSO URL associated with the group. +- After the group-managed account has been created, group activity requires the use of this user account. - Users can't share a project in the group outside the top-level group (also applies to forked projects). Upon successful authentication, GitLab prompts the user with options, based on the email address received from the configured identity provider: @@ -30,10 +33,10 @@ Upon successful authentication, GitLab prompts the user with options, based on t - To create a unique account with the newly received email address. - If the received email address matches one of the user's verified GitLab email addresses, the option to convert the existing account to a group-managed account. ([Introduced in GitLab 12.9](https://gitlab.com/gitlab-org/gitlab/-/issues/13481).) -Since use of the group-managed account requires the use of SSO, users of group-managed accounts will lose access to these accounts when they are no longer able to authenticate with the connected identity provider. In the case of an offboarded employee who has been removed from your identity provider: +Since use of the group-managed account requires the use of SSO, users of group-managed accounts lose access to these accounts when they are no longer able to authenticate with the connected identity provider. In the case of an offboarded employee who has been removed from your identity provider: -- The user will be unable to access the group (their credentials will no longer work on the identity provider when prompted to SSO). -- Contributions in the group (e.g. issues, merge requests) will remain intact. +- The user is unable to access the group (their credentials no longer work on the identity provider when prompted to use SSO). +- Contributions in the group (for example, issues and merge requests) remains intact. ## Assertions @@ -49,7 +52,7 @@ assertions to be able to create a user. ## Feature flag **(PREMIUM ONLY)** -Currently the group-managed accounts feature is behind a feature flag: `group_managed_accounts`. The flag is disabled by default. +The group-managed accounts feature is behind a feature flag: `group_managed_accounts`. The flag is disabled by default. To activate the feature, ask a GitLab administrator with Rails console access to run: ```ruby @@ -101,16 +104,16 @@ Since personal access tokens are the only token needed for programmatic access t ### Setting a limit -Only a GitLab administrator or an owner of a Group-managed account can set a limit. Leaving it empty means that the [instance level restrictions](../../admin_area/settings/account_and_limit_settings.md#limiting-lifetime-of-personal-access-tokens-ultimate-only) on the lifetime of personal access tokens will apply. +Only a GitLab administrator or an owner of a group-managed account can set a limit. When this field is left empty, the [instance-level restriction](../../admin_area/settings/account_and_limit_settings.md#limiting-lifetime-of-personal-access-tokens-ultimate-only) on the lifetime of personal access tokens apply. To set a limit on how long personal access tokens are valid for users in a group managed account: -1. Navigate to the **{settings}** **Settings > General** page in your group's sidebar. +1. Navigate to the **Settings > General** page in your group's sidebar. 1. Expand the **Permissions, LFS, 2FA** section. 1. Fill in the **Maximum allowable lifetime for personal access tokens (days)** field. 1. Click **Save changes**. -Once a lifetime for personal access tokens is set, GitLab will: +Once a lifetime for personal access tokens is set: -- Apply the lifetime for new personal access tokens, and require users managed by the group to set an expiration date that is no later than the allowed lifetime. +- GitLab applies the lifetime for new personal access tokens and requires users managed by the group to set an expiration date that's no later than the allowed lifetime. - After three hours, revoke old tokens with no expiration date or with a lifetime longer than the allowed lifetime. Three hours is given to allow administrators/group owner to change the allowed lifetime, or remove it, before revocation takes place. diff --git a/doc/user/group/saml_sso/img/group_saml_settings.png b/doc/user/group/saml_sso/img/group_saml_settings.png Binary files differdeleted file mode 100644 index 487be4faeba..00000000000 --- a/doc/user/group/saml_sso/img/group_saml_settings.png +++ /dev/null diff --git a/doc/user/group/saml_sso/img/group_saml_settings_v13_3.png b/doc/user/group/saml_sso/img/group_saml_settings_v13_3.png Binary files differnew file mode 100644 index 00000000000..f6450c7c1ba --- /dev/null +++ b/doc/user/group/saml_sso/img/group_saml_settings_v13_3.png diff --git a/doc/user/group/saml_sso/img/scim_token.png b/doc/user/group/saml_sso/img/scim_token.png Binary files differdeleted file mode 100644 index bf9347716e9..00000000000 --- a/doc/user/group/saml_sso/img/scim_token.png +++ /dev/null diff --git a/doc/user/group/saml_sso/img/scim_token_v13_3.png b/doc/user/group/saml_sso/img/scim_token_v13_3.png Binary files differnew file mode 100644 index 00000000000..e98f755718a --- /dev/null +++ b/doc/user/group/saml_sso/img/scim_token_v13_3.png diff --git a/doc/user/group/saml_sso/index.md b/doc/user/group/saml_sso/index.md index afd676cf897..f0d0fbff158 100644 --- a/doc/user/group/saml_sso/index.md +++ b/doc/user/group/saml_sso/index.md @@ -18,6 +18,8 @@ If you follow our guidance to automate user provisioning using [SCIM](scim_setup User synchronization of SAML SSO groups is supported through [SCIM](scim_setup.md). SCIM supports adding and removing users from the GitLab group. For example, if you remove a user from the SCIM app, SCIM removes that same user from the GitLab group. +SAML SSO is not supported at the subgroup level, + ## Configuring your Identity Provider 1. Navigate to the group and click **Settings > SAML SSO**. @@ -63,10 +65,11 @@ Once you've set up your identity provider to work with GitLab, you'll need to co 1. Navigate to the group's **Settings > SAML SSO**. 1. Find the SSO URL from your Identity Provider and enter it the **Identity provider single sign-on URL** field. 1. Find and enter the fingerprint for the SAML token signing certificate in the **Certificate** field. +1. Select the access level to be applied to newly added users in the **Default membership role** field. The default access level is 'Guest'. 1. Click the **Enable SAML authentication for this group** toggle switch. 1. Click the **Save changes** button. -![Group SAML Settings for GitLab.com](img/group_saml_settings.png) +![Group SAML Settings for GitLab.com](img/group_saml_settings_v13_3.png) NOTE: **Note:** Please note that the certificate [fingerprint algorithm](#additional-providers-and-setup-options) must be in SHA1. When configuring the identity provider, use a secure signature algorithm. @@ -79,6 +82,7 @@ Please note that the certificate [fingerprint algorithm](#additional-providers-a With this option enabled, users must go through your group's GitLab single sign-on URL. They may also be added via SCIM, if configured. Users cannot be added manually, and may only access project/group resources via the UI by signing in through the SSO URL. However, users will not be prompted to sign in through SSO on each visit. GitLab will check whether a user has authenticated through SSO, and will only prompt the user to sign in via SSO if the session has expired. +You can see more information about how long a session is valid in our [user profile documentation](../../profile/#why-do-i-keep-getting-signed-out). We intend to add a similar SSO requirement for [Git and API activity](https://gitlab.com/gitlab-org/gitlab/-/issues/9152). @@ -94,7 +98,7 @@ GitLab is unable to provide support for IdPs that are not listed here. | Provider | Documentation | |----------|---------------| | ADFS (Active Directory Federation Services) | [Create a Relying Party Trust](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/create-a-relying-party-trust) | -| Azure | [Configuring single sign-on to applications](https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-single-sign-on-non-gallery-applications) | +| Azure | [Configuring single sign-on to applications](https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/view-applications-portal) | | Okta | [Setting up a SAML application in Okta](https://developer.okta.com/docs/guides/build-sso-integration/saml2/overview/) | | OneLogin | [Use the OneLogin SAML Test Connector](https://onelogin.service-now.com/support?id=kb_article&sys_id=93f95543db109700d5505eea4b96198f) | @@ -160,7 +164,7 @@ For more information, see our [discussion on providers](#providers). Your identity provider may have relevant documentation. It may be generic SAML documentation, or specifically targeted for GitLab. Examples: -- [Auth0](https://auth0.com/docs/protocols/saml/saml-idp-generic) +- [Auth0](https://auth0.com/docs/protocols/saml-configuration-options/configure-auth0-as-saml-identity-provider) - [G Suite](https://support.google.com/a/answer/6087519?hl=en) - [JumpCloud](https://support.jumpcloud.com/support/s/article/single-sign-on-sso-with-gitlab-2019-08-21-10-36-47) - [PingOne by Ping Identity](https://docs.pingidentity.com/bundle/pingone/page/xsh1564020480660-1.html) @@ -216,7 +220,9 @@ On subsequent visits, you should be able to go [sign in to GitLab.com with SAML] ### Role -The first time you sign in, GitLab adds you to the top-level parent group with the Guest role. Existing members with appropriate privileges can promote that new user. +Starting from [GitLab 13.3](https://gitlab.com/gitlab-org/gitlab/-/issues/214523), group owners can set a 'Default membership role' other than 'Guest'. To do so, [configure the SAML SSO for the group](#configuring-gitlab). That role becomes the starting access level of all users added to the group. + +Existing members with appropriate privileges can promote or demote users, as needed. If a user is already a member of the group, linking the SAML identity does not change their role. @@ -268,7 +274,7 @@ Group SAML on a self-managed instance is limited when compared to the recommende [instance-wide SAML](../../../integration/saml.md). The recommended solution allows you to take advantage of: - [LDAP compatibility](../../../administration/auth/ldap/index.md). -- [LDAP Group Sync](../index.md#manage-group-memberships-via-ldap). +- [LDAP Group Sync](../index.md#manage-group-memberships-via-ldap-starter-only). - [Required groups](../../../integration/saml.md#required-groups-starter-only). - [Admin groups](../../../integration/saml.md#admin-groups-starter-only). - [Auditor groups](../../../integration/saml.md#auditor-groups-starter-only). @@ -297,6 +303,10 @@ Group SAML on a self-managed instance is limited when compared to the recommende - { name: 'group_saml' } ``` +## Passwords for users created via SAML SSO for Groups + +The [Generated passwords for users created through integrated authentication](../../../security/passwords_for_integrated_authentication_methods.md) guide provides an overview of how GitLab generates and sets passwords for users created via SAML SSO for Groups. + ## Troubleshooting This section contains possible solutions for problems you might encounter. diff --git a/doc/user/group/saml_sso/scim_setup.md b/doc/user/group/saml_sso/scim_setup.md index 13e9d623e2c..9a2bd2e8806 100644 --- a/doc/user/group/saml_sso/scim_setup.md +++ b/doc/user/group/saml_sso/scim_setup.md @@ -40,7 +40,7 @@ Once [Group Single Sign-On](index.md) has been configured, we can: 1. Click on the **Generate a SCIM token** button. 1. Save the token and URL so they can be used in the next step. -![SCIM token configuration](img/scim_token.png) +![SCIM token configuration](img/scim_token_v13_3.png) ## Identity Provider configuration @@ -49,7 +49,7 @@ Once [Group Single Sign-On](index.md) has been configured, we can: ### Azure configuration steps -The SAML application that was created during [Single sign-on](index.md) setup for [Azure](https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-single-sign-on-non-gallery-applications) now needs to be set up for SCIM. +The SAML application that was created during [Single sign-on](index.md) setup for [Azure](https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/view-applications-portal) now needs to be set up for SCIM. 1. Check the configuration for your GitLab SAML app and ensure that **Name identifier value** (NameID) points to `user.objectid` or another unique identifier. This will match the `extern_uid` used on GitLab. @@ -217,6 +217,10 @@ As a workaround, try an alternate mapping: #### How do I diagnose why a user is unable to sign in +Ensure that the user has been added to the SCIM app. + +If you receive "User is not linked to a SAML account", then most likely the user already exists in GitLab. Have the user follow the [User access and linking setup](#user-access-and-linking-setup) instructions. + The **Identity** (`extern_uid`) value stored by GitLab is updated by SCIM whenever `id` or `externalId` changes. Users won't be able to sign in unless the GitLab Identity (`extern_uid`) value matches the `NameId` sent by SAML. This value is also used by SCIM to match users on the `id`, and is updated by SCIM whenever the `id` or `externalId` values change. diff --git a/doc/user/group/settings/import_export.md b/doc/user/group/settings/import_export.md index cca918d44f3..ae83c8da462 100644 --- a/doc/user/group/settings/import_export.md +++ b/doc/user/group/settings/import_export.md @@ -21,7 +21,7 @@ See also: To enable GitLab import/export: -1. Navigate to **{admin}** **Admin Area >** **{settings}** **Settings > Visibility and access controls**. +1. Navigate to **Admin Area > Settings > Visibility and access controls**. 1. Scroll to **Import sources** 1. Enable desired **Import sources** @@ -33,13 +33,13 @@ Note the following: - To preserve group-level relationships from imported projects, run the Group Import/Export first, to allow projects to be imported into the desired group structure. - Imported groups are given a `private` visibility level, unless imported into a parent group. -- If imported into a parent group, subgroups will inherit the same level of visibility unless otherwise restricted. +- If imported into a parent group, a subgroup inherits the same level of visibility unless otherwise restricted. - To preserve the member list and their respective permissions on imported groups, review the users in these groups. Make sure these users exist before importing the desired groups. ### Exported Contents -The following items will be exported: +The following items are exported: - Milestones - Labels @@ -49,7 +49,7 @@ The following items will be exported: - Epics - Events -The following items will NOT be exported: +The following items are **not** exported: - Projects - Runners token @@ -63,7 +63,7 @@ For more details on the specific data persisted in a group export, see the 1. Navigate to your group's homepage. -1. Click **{settings}** **Settings** in the sidebar. +1. Click **Settings** in the sidebar. 1. In the **Advanced** section, click the **Export Group** button. @@ -83,7 +83,7 @@ As an administrator, you can modify the maximum import file size. To do so, use You can export groups from the [Community Edition to the Enterprise Edition](https://about.gitlab.com/install/ce-or-ee/) and vice versa. -If you're exporting a group from the Enterprise Edition to the Community Edition, you may lose data that is retained only in the Enterprise Edition. For more information, see [downgrading from EE to CE](../../../README.md). +The Enterprise Edition retains some group data that isn't part of the Community Edition. If you're exporting a group from the Enterprise Edition to the Community Edition, you may lose this data. For more information, see [downgrading from EE to CE](../../../README.md). ## Importing the group @@ -104,7 +104,7 @@ on an existing group's page. 1. Select the file that you exported in the [exporting a group](#exporting-a-group) section. -1. Click **Import group** to begin importing. Your newly imported group page will appear shortly. +1. Click **Import group** to begin importing. Your newly imported group page appears after the operation completes. ## Version history diff --git a/doc/user/group/subgroups/index.md b/doc/user/group/subgroups/index.md index a370c9cf136..235855b6e3a 100644 --- a/doc/user/group/subgroups/index.md +++ b/doc/user/group/subgroups/index.md @@ -7,13 +7,12 @@ type: reference, howto, concepts > [Introduced](https://gitlab.com/gitlab-org/gitlab-foss/-/issues/2772) in GitLab 9.0. GitLab supports up to 20 levels of subgroups, also known as nested groups or hierarchical groups. -levels of groups. By using subgroups you can do the following: - **Separate internal / external organizations.** Since every group - can have its own visibility level, you are able to host groups for different - purposes under the same umbrella. + can have its own visibility level ([public, internal, or private](../../../development/permissions.md#general-permissions)), + you're able to host groups for different purposes under the same umbrella. - **Organize large projects.** For large projects, subgroups makes it potentially easier to separate permissions on parts of the source code. - **Make it easier to manage people and control visibility.** Give people |