gitlab-org--gitlab-foss/doc/raketasks/user_management.md

---
stage: Enablement
group: Distribution
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
---

# User management **(FREE SELF)**

GitLab provides Rake tasks for user management.

## Add user as a developer to all projects

To add a user as a developer to all projects, run:

```shell
# omnibus-gitlab
sudo gitlab-rake gitlab:import:user_to_projects[username@domain.tld]

# installation from source
bundle exec rake gitlab:import:user_to_projects[username@domain.tld] RAILS_ENV=production
```

## Add all users to all projects

To add all users to all projects, run:

```shell
# omnibus-gitlab
sudo gitlab-rake gitlab:import:all_users_to_all_projects

# installation from source
bundle exec rake gitlab:import:all_users_to_all_projects RAILS_ENV=production
```

Admin users are added as maintainers.

## Add user as a developer to all groups

To add a user as a developer to all groups, run:

```shell
# omnibus-gitlab
sudo gitlab-rake gitlab:import:user_to_groups[username@domain.tld]

# installation from source
bundle exec rake gitlab:import:user_to_groups[username@domain.tld] RAILS_ENV=production
```

## Add all users to all groups

To add all users to all groups, run:

```shell
# omnibus-gitlab
sudo gitlab-rake gitlab:import:all_users_to_all_groups

# installation from source
bundle exec rake gitlab:import:all_users_to_all_groups RAILS_ENV=production
```

Administrators are added as owners so they can add additional users to the group.

## Update all users in a given group to `project_limit:0` and `can_create_group: false`

To update all users in given group to `project_limit: 0` and `can_create_group: false`, run:

```shell
# omnibus-gitlab
sudo gitlab-rake gitlab:user_management:disable_project_and_group_creation\[:group_id\]

# installation from source
bundle exec rake gitlab:user_management:disable_project_and_group_creation\[:group_id\] RAILS_ENV=production
```

It updates all users in the given group, its subgroups and projects in this group namespace, with the noted limits.

## Control the number of billable users

Enable this setting to keep new users blocked until they have been cleared by the administrator.
Defaults to `false`:

```plaintext
block_auto_created_users: false
```

## Disable two-factor authentication for all users

This task disables two-factor authentication (2FA) for all users that have it enabled. This can be
useful if the GitLab `config/secrets.yml` file has been lost and users are unable
to log in, for example.

To disable two-factor authentication for all users, run:

```shell
# omnibus-gitlab
sudo gitlab-rake gitlab:two_factor:disable_for_all_users

# installation from source
bundle exec rake gitlab:two_factor:disable_for_all_users RAILS_ENV=production
```

## Rotate two-factor authentication encryption key

GitLab stores the secret data required for two-factor authentication (2FA) in an encrypted
database column. The encryption key for this data is known as `otp_key_base`, and is
stored in `config/secrets.yml`.

If that file is leaked, but the individual 2FA secrets have not, it's possible
to re-encrypt those secrets with a new encryption key. This allows you to change
the leaked key without forcing all users to change their 2FA details.

To rotate the two-factor authentication encryption key:

1. Look up the old key. This is in the `config/secrets.yml` file, but **make sure you're working
   with the production section**. The line you're interested in looks like this:

   ```yaml
   production:
     otp_key_base: fffffffffffffffffffffffffffffffffffffffffffffff
   ```

1. Generate a new secret:

   ```shell
   # omnibus-gitlab
   sudo gitlab-rake secret

   # installation from source
   bundle exec rake secret RAILS_ENV=production
   ```

1. Stop the GitLab server, back up the existing secrets file, and update the database:

   ```shell
   # omnibus-gitlab
   sudo gitlab-ctl stop
   sudo cp config/secrets.yml config/secrets.yml.bak
   sudo gitlab-rake gitlab:two_factor:rotate_key:apply filename=backup.csv old_key=<old key> new_key=<new key>

   # installation from source
   sudo /etc/init.d/gitlab stop
   cp config/secrets.yml config/secrets.yml.bak
   bundle exec rake gitlab:two_factor:rotate_key:apply filename=backup.csv old_key=<old key> new_key=<new key> RAILS_ENV=production
   ```

   The `<old key>` value can be read from `config/secrets.yml` (`<new key>` was
   generated earlier). The **encrypted** values for the user 2FA secrets are
   written to the specified `filename`. You can use this to rollback in case of
   error.

1. Change `config/secrets.yml` to set `otp_key_base` to `<new key>` and restart. Again, make sure
   you're operating in the **production** section.

   ```shell
   # omnibus-gitlab
   sudo gitlab-ctl start

   # installation from source
   sudo /etc/init.d/gitlab start
   ```

If there are any problems (perhaps using the wrong value for `old_key`), you can
restore your backup of `config/secrets.yml` and rollback the changes:

```shell
# omnibus-gitlab
sudo gitlab-ctl stop
sudo gitlab-rake gitlab:two_factor:rotate_key:rollback filename=backup.csv
sudo cp config/secrets.yml.bak config/secrets.yml
sudo gitlab-ctl start

# installation from source
sudo /etc/init.d/gitlab start
bundle exec rake gitlab:two_factor:rotate_key:rollback filename=backup.csv RAILS_ENV=production
cp config/secrets.yml.bak config/secrets.yml
sudo /etc/init.d/gitlab start

```
Add latest changes from gitlab-org/gitlab@master 2020-10-30 17:08:52 -04:00			`---`
Add latest changes from gitlab-org/gitlab@master 2021-01-19 13:11:04 -05:00			`stage: Enablement`
			`group: Distribution`
Add latest changes from gitlab-org/gitlab@master 2020-11-26 01:09:20 -05:00			`info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments`
Add latest changes from gitlab-org/gitlab@master 2020-10-30 17:08:52 -04:00			`---`

Add latest changes from gitlab-org/gitlab@master 2021-01-28 01:08:59 -05:00			`# User management (FREE SELF)`
Add titles to doc pages. 2014-05-27 08:12:15 -04:00
Add latest changes from gitlab-org/gitlab@master 2020-04-28 02:09:49 -04:00			`GitLab provides Rake tasks for user management.`

Update docs to markdown style guide. 2014-04-24 18:48:22 -04:00			`## Add user as a developer to all projects`
add help page for gitlab specific rake tasks 2012-12-02 07:56:04 -05:00
Add latest changes from gitlab-org/gitlab@master 2020-04-28 02:09:49 -04:00			`To add a user as a developer to all projects, run:`

Add latest changes from gitlab-org/gitlab@master 2020-01-30 10:09:15 -05:00			```shell
Spell out rake tasks for omnibus-gitlab 2014-06-23 04:38:22 -04:00			`# omnibus-gitlab`
			`sudo gitlab-rake gitlab:import:user_to_projects[username@domain.tld]`

Drop comments on cookbook installing from source now that it uses Omnibus. 2015-01-28 01:50:31 -05:00			`# installation from source`
move env to end of lines 2014-08-18 17:07:32 -04:00			`bundle exec rake gitlab:import:user_to_projects[username@domain.tld] RAILS_ENV=production`
add help page for gitlab specific rake tasks 2012-12-02 07:56:04 -05:00			```

Update docs to markdown style guide. 2014-04-24 18:48:22 -04:00			`## Add all users to all projects`
add help page for gitlab specific rake tasks 2012-12-02 07:56:04 -05:00
Add latest changes from gitlab-org/gitlab@master 2020-04-28 02:09:49 -04:00			`To add all users to all projects, run:`
add help page for gitlab specific rake tasks 2012-12-02 07:56:04 -05:00
Add latest changes from gitlab-org/gitlab@master 2020-01-30 10:09:15 -05:00			```shell
Spell out rake tasks for omnibus-gitlab 2014-06-23 04:38:22 -04:00			`# omnibus-gitlab`
			`sudo gitlab-rake gitlab:import:all_users_to_all_projects`

Drop comments on cookbook installing from source now that it uses Omnibus. 2015-01-28 01:50:31 -05:00			`# installation from source`
move env to end of lines 2014-08-18 17:07:32 -04:00			`bundle exec rake gitlab:import:all_users_to_all_projects RAILS_ENV=production`
add help page for gitlab specific rake tasks 2012-12-02 07:56:04 -05:00			```
add rake gitlab:import: all_users_to_all_groups and user_to_groups I opted for admins to be added as "owners" instead of "masters" because project masters can managers members, but only group owners can manage members. 2013-11-02 18:12:29 -04:00
Add latest changes from gitlab-org/gitlab@master 2020-04-28 02:09:49 -04:00			`Admin users are added as maintainers.`

Update docs to markdown style guide. 2014-04-24 18:48:22 -04:00			`## Add user as a developer to all groups`
add rake gitlab:import: all_users_to_all_groups and user_to_groups I opted for admins to be added as "owners" instead of "masters" because project masters can managers members, but only group owners can manage members. 2013-11-02 18:12:29 -04:00
Add latest changes from gitlab-org/gitlab@master 2020-04-28 02:09:49 -04:00			`To add a user as a developer to all groups, run:`

Add latest changes from gitlab-org/gitlab@master 2020-01-30 10:09:15 -05:00			```shell
Spell out rake tasks for omnibus-gitlab 2014-06-23 04:38:22 -04:00			`# omnibus-gitlab`
			`sudo gitlab-rake gitlab:import:user_to_groups[username@domain.tld]`

Drop comments on cookbook installing from source now that it uses Omnibus. 2015-01-28 01:50:31 -05:00			`# installation from source`
move env to end of lines 2014-08-18 17:07:32 -04:00			`bundle exec rake gitlab:import:user_to_groups[username@domain.tld] RAILS_ENV=production`
add rake gitlab:import: all_users_to_all_groups and user_to_groups I opted for admins to be added as "owners" instead of "masters" because project masters can managers members, but only group owners can manage members. 2013-11-02 18:12:29 -04:00			```

Update docs to markdown style guide. 2014-04-24 18:48:22 -04:00			`## Add all users to all groups`
add rake gitlab:import: all_users_to_all_groups and user_to_groups I opted for admins to be added as "owners" instead of "masters" because project masters can managers members, but only group owners can manage members. 2013-11-02 18:12:29 -04:00
Add latest changes from gitlab-org/gitlab@master 2020-04-28 02:09:49 -04:00			`To add all users to all groups, run:`
add rake gitlab:import: all_users_to_all_groups and user_to_groups I opted for admins to be added as "owners" instead of "masters" because project masters can managers members, but only group owners can manage members. 2013-11-02 18:12:29 -04:00
Add latest changes from gitlab-org/gitlab@master 2020-01-30 10:09:15 -05:00			```shell
Spell out rake tasks for omnibus-gitlab 2014-06-23 04:38:22 -04:00			`# omnibus-gitlab`
			`sudo gitlab-rake gitlab:import:all_users_to_all_groups`

Drop comments on cookbook installing from source now that it uses Omnibus. 2015-01-28 01:50:31 -05:00			`# installation from source`
move env to end of lines 2014-08-18 17:07:32 -04:00			`bundle exec rake gitlab:import:all_users_to_all_groups RAILS_ENV=production`
add rake gitlab:import: all_users_to_all_groups and user_to_groups I opted for admins to be added as "owners" instead of "masters" because project masters can managers members, but only group owners can manage members. 2013-11-02 18:12:29 -04:00			```
Added " How to maintain tight control over the number of active users on your GitLab installation" to documentation 2015-04-23 22:19:21 -04:00
Add latest changes from gitlab-org/gitlab@master 2020-11-23 13:09:14 -05:00			`Administrators are added as owners so they can add additional users to the group.`
Add latest changes from gitlab-org/gitlab@master 2020-04-28 02:09:49 -04:00
Add latest changes from gitlab-org/gitlab@master 2020-11-26 19:09:42 -05:00			## Update all users in a given group to `project_limit:0` and `can_create_group: false`

			To update all users in given group to `project_limit: 0` and `can_create_group: false`, run:

			```shell
			`# omnibus-gitlab`
			`sudo gitlab-rake gitlab:user_management:disable_project_and_group_creation\[:group_id\]`

			`# installation from source`
			`bundle exec rake gitlab:user_management:disable_project_and_group_creation\[:group_id\] RAILS_ENV=production`
			```

			`It updates all users in the given group, its subgroups and projects in this group namespace, with the noted limits.`

Add latest changes from gitlab-org/gitlab@master 2020-11-23 13:09:14 -05:00			`## Control the number of billable users`
Added " How to maintain tight control over the number of active users on your GitLab installation" to documentation 2015-04-23 22:19:21 -04:00
Add latest changes from gitlab-org/gitlab@master 2020-04-28 02:09:49 -04:00			`Enable this setting to keep new users blocked until they have been cleared by the administrator.`
			Defaults to `false`:
Added " How to maintain tight control over the number of active users on your GitLab installation" to documentation 2015-04-23 22:19:21 -04:00
Add latest changes from gitlab-org/gitlab@master 2020-03-25 02:07:58 -04:00			```plaintext
update doc by removing unnecessary parts 2015-05-04 05:13:07 -04:00			`block_auto_created_users: false`
			```
Add docs for gitlab:two_factor:disable_for_all_users task 2015-10-07 15:46:54 -04:00
Add latest changes from gitlab-org/gitlab@master 2020-04-28 02:09:49 -04:00			`## Disable two-factor authentication for all users`
Add docs for gitlab:two_factor:disable_for_all_users task 2015-10-07 15:46:54 -04:00
Add latest changes from gitlab-org/gitlab@master 2020-04-28 02:09:49 -04:00			`This task disables two-factor authentication (2FA) for all users that have it enabled. This can be`
Add latest changes from gitlab-org/gitlab@master 2020-12-16 19:09:53 -05:00			useful if the GitLab `config/secrets.yml` file has been lost and users are unable
Add latest changes from gitlab-org/gitlab@master 2020-04-28 02:09:49 -04:00			`to log in, for example.`

			`To disable two-factor authentication for all users, run:`
Add docs for gitlab:two_factor:disable_for_all_users task 2015-10-07 15:46:54 -04:00
Add latest changes from gitlab-org/gitlab@master 2020-01-30 10:09:15 -05:00			```shell
Add docs for gitlab:two_factor:disable_for_all_users task 2015-10-07 15:46:54 -04:00			`# omnibus-gitlab`
			`sudo gitlab-rake gitlab:two_factor:disable_for_all_users`

			`# installation from source`
			`bundle exec rake gitlab:two_factor:disable_for_all_users RAILS_ENV=production`
			```
Add a new gitlab:users:clear_all_authentication_tokens task Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-10-07 12:35:36 -04:00
Add latest changes from gitlab-org/gitlab@master 2020-04-28 02:09:49 -04:00			`## Rotate two-factor authentication encryption key`
Add a Rake task to aid in rotating otp_key_base 2017-06-02 12:28:54 -04:00
Add latest changes from gitlab-org/gitlab@master 2020-04-28 02:09:49 -04:00			`GitLab stores the secret data required for two-factor authentication (2FA) in an encrypted`
			database column. The encryption key for this data is known as `otp_key_base`, and is
Add a Rake task to aid in rotating otp_key_base 2017-06-02 12:28:54 -04:00			stored in `config/secrets.yml`.

			`If that file is leaked, but the individual 2FA secrets have not, it's possible`
			`to re-encrypt those secrets with a new encryption key. This allows you to change`
			`the leaked key without forcing all users to change their 2FA details.`

Add latest changes from gitlab-org/gitlab@master 2020-04-28 02:09:49 -04:00			`To rotate the two-factor authentication encryption key:`
Add a Rake task to aid in rotating otp_key_base 2017-06-02 12:28:54 -04:00
Add latest changes from gitlab-org/gitlab@master 2020-04-28 02:09:49 -04:00			1. Look up the old key. This is in the `config/secrets.yml` file, but **make sure you're working
Add latest changes from gitlab-org/gitlab@master 2020-11-19 22:09:15 -05:00			`with the production section**. The line you're interested in looks like this:`
Add a Rake task to aid in rotating otp_key_base 2017-06-02 12:28:54 -04:00
Add latest changes from gitlab-org/gitlab@master 2020-04-28 02:09:49 -04:00			```yaml
			`production:`
Add latest changes from gitlab-org/gitlab@master 2020-11-19 22:09:15 -05:00			`otp_key_base: fffffffffffffffffffffffffffffffffffffffffffffff`
Add latest changes from gitlab-org/gitlab@master 2020-04-28 02:09:49 -04:00			```
Add a Rake task to aid in rotating otp_key_base 2017-06-02 12:28:54 -04:00
Add latest changes from gitlab-org/gitlab@master 2020-04-28 02:09:49 -04:00			`1. Generate a new secret:`
Add a Rake task to aid in rotating otp_key_base 2017-06-02 12:28:54 -04:00
Add latest changes from gitlab-org/gitlab@master 2020-04-28 02:09:49 -04:00			```shell
			`# omnibus-gitlab`
			`sudo gitlab-rake secret`
Add a Rake task to aid in rotating otp_key_base 2017-06-02 12:28:54 -04:00
Add latest changes from gitlab-org/gitlab@master 2020-04-28 02:09:49 -04:00			`# installation from source`
			`bundle exec rake secret RAILS_ENV=production`
			```
Add a Rake task to aid in rotating otp_key_base 2017-06-02 12:28:54 -04:00
Add latest changes from gitlab-org/gitlab@master 2020-04-28 02:09:49 -04:00			`1. Stop the GitLab server, back up the existing secrets file, and update the database:`
Add a Rake task to aid in rotating otp_key_base 2017-06-02 12:28:54 -04:00
Add latest changes from gitlab-org/gitlab@master 2020-04-28 02:09:49 -04:00			```shell
			`# omnibus-gitlab`
			`sudo gitlab-ctl stop`
			`sudo cp config/secrets.yml config/secrets.yml.bak`
			`sudo gitlab-rake gitlab:two_factor:rotate_key:apply filename=backup.csv old_key=<old key> new_key=<new key>`
Add a Rake task to aid in rotating otp_key_base 2017-06-02 12:28:54 -04:00
Add latest changes from gitlab-org/gitlab@master 2020-04-28 02:09:49 -04:00			`# installation from source`
			`sudo /etc/init.d/gitlab stop`
			`cp config/secrets.yml config/secrets.yml.bak`
			`bundle exec rake gitlab:two_factor:rotate_key:apply filename=backup.csv old_key=<old key> new_key=<new key> RAILS_ENV=production`
			```
Add a Rake task to aid in rotating otp_key_base 2017-06-02 12:28:54 -04:00
Add latest changes from gitlab-org/gitlab@master 2020-04-28 02:09:49 -04:00			The `<old key>` value can be read from `config/secrets.yml` (`<new key>` was
Add latest changes from gitlab-org/gitlab@master 2020-11-19 22:09:15 -05:00			`generated earlier). The encrypted values for the user 2FA secrets are`
Add latest changes from gitlab-org/gitlab@master 2020-04-28 02:09:49 -04:00			written to the specified `filename`. You can use this to rollback in case of
			`error.`
Add a Rake task to aid in rotating otp_key_base 2017-06-02 12:28:54 -04:00
Add latest changes from gitlab-org/gitlab@master 2020-04-28 02:09:49 -04:00			1. Change `config/secrets.yml` to set `otp_key_base` to `<new key>` and restart. Again, make sure
			`you're operating in the production section.`
Add a Rake task to aid in rotating otp_key_base 2017-06-02 12:28:54 -04:00
Add latest changes from gitlab-org/gitlab@master 2020-04-28 02:09:49 -04:00			```shell
			`# omnibus-gitlab`
			`sudo gitlab-ctl start`

			`# installation from source`
			`sudo /etc/init.d/gitlab start`
			```
Add a Rake task to aid in rotating otp_key_base 2017-06-02 12:28:54 -04:00
			If there are any problems (perhaps using the wrong value for `old_key`), you can
			restore your backup of `config/secrets.yml` and rollback the changes:

Add latest changes from gitlab-org/gitlab@master 2020-03-02 22:08:31 -05:00			```shell
Add a Rake task to aid in rotating otp_key_base 2017-06-02 12:28:54 -04:00			`# omnibus-gitlab`
			`sudo gitlab-ctl stop`
			`sudo gitlab-rake gitlab:two_factor:rotate_key:rollback filename=backup.csv`
			`sudo cp config/secrets.yml.bak config/secrets.yml`
			`sudo gitlab-ctl start`

			`# installation from source`
			`sudo /etc/init.d/gitlab start`
			`bundle exec rake gitlab:two_factor:rotate_key:rollback filename=backup.csv RAILS_ENV=production`
			`cp config/secrets.yml.bak config/secrets.yml`
			`sudo /etc/init.d/gitlab start`

			```