Stage | Govern |
Maturity | Complete |
Content Last Reviewed | 2023-02-14 |
Welcome to the System Access category page, which sits within the Authentication and Authorization group at GitLab. System Access is rather broad, but hopefully by the time you are done reading this page, you will have a much better idea of what it means to us.
There are many different entry points in the GitLab Ecosystem. The System Access category is all about maintaining those entry points and ensuring the users that authenticate through them are permitted to do so. We provide various tooling to make system access as secure and flexible as possible.
This direction page is a work in progress, and everyone can contribute:
@hsutor so she can read and respond to your comment. Sharing your feedback directly on GitLab.com is the best way to contribute to our strategy and vision.
Authenticating with GitLab is considered a core component of the platform. Every product on the market provides some level of authentication. For GitLab, the base version of our authentication needs to be stronger than the advanced versions of authentication other products may have.
Why?
Two reasons come to mind:
1. A technically advanced user base that has security at the forefront of their minds
2. We help our customers protect their most valuable asset: their intellectual property
We provide a wide array of authentication methods, and the associated methods for securing auth even further.
Customizable Roles - The current 5 static roles that GitLab comes with out of the box are not flexible enough to meet the compliance and security needs of today's enterprise. We will be allowing admins / group owners to define their own roles, which will consist of permissions currently present in this table.
Service Accounts - We will roll Group and Project Access tokens into a new concept called Service Accounts, which will be better attuned to the needs of integrations rather than human users. We have started laying the groundwork for Service Accounts with code in 15.9.
Enterprise Users - Allow Administrators and Group Owners more control over their claimed users, including limiting their ability to change their e-mail address and delete company-owned intellectual property.
FedRAMP required items
Enterprise Users Badging. We're adding a "Managed by" badge to Enterprise Users that will give non-admin users a clear visual indicator that their account is managed by their company.
SCIM Group Sync for GitLab.com. Today, SAML is the only way you can programmatically update a user's group. We will be adding group syncing support for customers who currently use SCIM to provision and manage their users.
Automatic Claims of Enterprise Users for any user matching a verified domain. Any organization that has a verified domain will automatically claim any users matching that domain as their own Enterprise Users. Previously, this was only possible with SAML and SCIM provisioned users.