gitlab-org--gitlab-foss/doc/administration/auditor_users.md

3.9 KiB

stage group info
Manage Authentication and Authorization To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments

Auditor users (PREMIUM SELF)

Auditor users are given read-only access to all projects, groups, and other resources on the GitLab instance.

Overview

Auditor users are able to have both full access to their own resources (including projects, groups, and snippets) and read-only access to all other resources, except the Admin Area. These user accounts are regular users who can be added to projects, create personal snippets, and create milestones on their groups, while also having read-only access to all projects on the server to which they haven't been explicitly given access.

The Auditor access level is not a read-only version of the Admin access level. Auditor users can't access the project or group settings pages, or the Admin Area.

Assuming you have signed in as an Auditor user:

  • For a project the Auditor is not member of, the Auditor should have read-only access. If the project is public or internal, they have the same access as users that aren't members of that project or group.
  • For a project the Auditor owns, the Auditor should have full access to everything.
  • For a project to which the Auditor is added as a member, the Auditor should have the same access as their given permissions. For example, if they were added as a Developer, they can push commits or comment on issues.
  • The Auditor can't view the Admin Area, or perform any administration actions.

For more information about what an Auditor can or can't do, see the Permissions and restrictions of an Auditor user section.

Use cases

The following use cases describe some situations where Auditor users could be helpful:

  • Your compliance department wants to run tests against the entire GitLab base to ensure users are complying with password, credit card, and other sensitive data policies. With Auditor users, this can be achieved very without having to give them user administration rights or using the API to add them to all projects.
  • If particular users need visibility or access to most of all projects in your GitLab instance, instead of manually adding the user to all projects, you can create an Auditor user and then share the credentials with those users to which you want to grant access.

Add an Auditor user

To create an Auditor user:

  1. On the top bar, select Menu > Admin.
  2. On the left sidebar, select Overview > Users.
  3. Create a new user or edit an existing one, and in the Access section select Auditor.
  4. If you created a user, select Create user. For an existing user, select Save changes.

To revoke Auditor permissions from a user, make them a Regular user by following the previous steps.

Additionally users can be set as an Auditor using SAML groups.

Permissions and restrictions of an Auditor user

An Auditor user should be able to access all projects and groups of a GitLab instance, with the following permissions and restrictions:

  • Has read-only access to the API
  • Can access projects that are:
    • Private
    • Public
    • Internal
  • Can read all files in a repository
  • Can read issues and MRs
  • Can read project snippets
  • Cannot be Administrator and Auditor at the same time
  • Cannot access the Admin Area
  • In a group or project they're not a member of:
    • Cannot access project settings
    • Cannot access group settings
    • Cannot commit to repository
    • Cannot create or comment on issues and MRs
    • Cannot create or modify files from the Web UI
    • Cannot merge a merge request
    • Cannot create project snippets