System Access

Introduction and how you can help

Welcome to the System Access category page, which sits within the Authentication and Authorization group at GitLab. System Access is rather broad, but hopefully by the time you are done reading this page, you will have a much better idea of what it means to us.

There are many different entry points in the GitLab Ecosystem. The System Access category is all about maintaining those entry points and ensuring the users that authenticate through them are permitted to do so. We provide various tooling to make system access as secure and flexible as possible.

This direction page is a work in progress, and everyone can contribute:

• Please comment and contribute in the linked issues. Make sure to tag @hsutor so she can read and respond to your comment. Sharing your feedback directly on GitLab.com is the best way to contribute to our strategy and vision.

Strategy and Themes

Authenticating with GitLab is considered a core component of the platform. Every product on the market provides some level of authentication. For GitLab, the base version of our authentication needs to be stronger than the advanced versions of authentication other products may have.

Why?

Two reasons come to mind: 1. Technically advanced user base, who has security at the forefront of their minds 2. We help our customers protect their most valuable asset: their intellectual property

We provide a wide array of authentication methods, and the associated methods for securing auth even further.

Authentication Methods

• Username/Password (including integrating with third party Identity Providers, such as Azure AD and Okta)
• SSK keys
• Access Tokens (Personal, Project, Group)
• Service Accounts (non-human bot accounts)

Controls

• IP address restrictions
• Credential lifecycle limits
• Password complexity policy
• Session management
• Multi-factor authentication, including webauthn
• Granular, flexible permissions

1 year plan

1. Customizable Roles - The current 5 static roles that GitLab comes with out of the box are not flexible enough to meet the compliance and security needs of today's enterprise. We will be allowing admins / group owners to define their own roles, which will consist of permissions currently present in this table.

2. FedRAMP compliance

3. Service Accounts - will roll Group and Project Access tokens into a new concept called Service Accounts, which will be better attuned to the needs of integrations rather than human users. We have started laying the groundwork for Service Accounts with code in 15.9.

4. Enterprise Users - Allow Administrators and Group Owners more control over their claimed users, including limiting their ability to change their e-mail address and delete company-owned intellectual property.

What is next for us

• Consolidate Permissions for Customizable Roles

• FedRAMP required items

• Service Accounts UI

What we are currently working on

• Enterprise Users Badging. We're adding a "Managed by" badge to Enterprise Users that will give non-admin users a clear visual indicator that their account is managed by their company.

• SCIM Group Sync for GitLab.com. Today, SAML is the only way you can programmatically update a user's group. We will be adding group syncing support for customers who currently use SCIM to provision and manage their users.

• Automatic Claims of Enterprise Users for any user matching a verified domain. Any organization that has a verified domain will automatically claim any users matching that domain as their own Enterprise Users. Previously, this was only possible with SAML and SCIM provisioned users.

What we recently completed

• Self-Managed Group SCIM
• Customzable Roles MVC
• Group Owners can reset user's 2FA
• Remove OTP requirement for 2FA with webauthn

What is Not Planned Right Now

• Token enhancements, aside from spiking on the rotation API
• Major functionality additions to LDAP or SAML

Key Capabilities

Roadmap

Top [1/2/3] Competitive Solutions

Maturity Plan

Target Audience