This workflow focuses on the process when action is required by the Support team on behalf of the user.
There are two main situations where action may need to be taken on behalf of the user:
Following our Security Policy on "GitLab's Access to Your Private Repositories", actions should always be taken by the user whenever possible.
For example, users should be deleting their own projects, but if they encounter an error with every attempt and there are no workarounds, then Support can intervene with permission.
If in doubt, please ask a Support manager to review.
In cases where Support needs to take action on the project or group, such as for troubleshooting purposes, Support should do two things:
If an issue is created for other team members, please include a note that the user has provided permission for the specified action.
If a user has lost access to their account, all other options (such as SSH recovery codes, password reset) should be exhausted first.
Before taking any action, ensure that you have verified the account owner using the Account Ownership Verification workflow.
If ownership is verified, then:
Similar to Account Access Requests, if a user has lost access to their account and the account shows no activity in its history, then we can consider releasing the email address for the user to create a new account with.
For unverified/unconfirmed accounts, please see the confirmation emails workflow.
Only use this process if the account shows no activity. If an account shows any activity tied to any type of contribution (such as snippets, or comments in a project or group), use the Account Ownership Verification workflow instead.
To release an email address for an inactive account:
+release. For example, if the email address is
firstname.lastname@example.org, then update the email address on the account to
Before any actions are taken, including impersonating a user, please request explicit permission from the user to take the required action on their account. Be as specific as possible so that there is no confusion.
Some sample phrases:
Could you please provide permission for Support to … ?
Could you please confirm that you would like us to … ?
Could you please provide permission for Support to re-run one or more pipelines in project
xyzto investigate the issue you've described?
Could you please confirm that you would like us to add
email@example.com your account and make it the primary email address?
Once permission is confirmed by the user, then you may proceed.