## Problem Self-Managed instance admins face the same core problem as SaaS group Owners (tracked in https://gitlab.com/gitlab-org/customers-gitlab-com/-/issues/11389): they may not be members of the Billing Account that owns the subscription associated with their instance — where the subscription is linked to the instance via the license applied to it — leaving them unable to manage their subscription or access features like the GitLab Credits Dashboard in the Customers Portal. However, Self-Managed presents a fundamentally harder technical challenge. Unlike SaaS, where the Customers Portal can verify group ownership directly via the GitLab.com API, **ownership information for Self-Managed instances lives on the customer's own instance** - the Customers Portal has no direct access to it. This means we cannot reliably verify that a Customers Portal user is a legitimate admin of a given Self-Managed instance without additional signals or a purpose-built verification mechanism. ## What We Need to Discover Before proposing solutions, this issue should serve as a discovery spike to answer: 1. **What signals does the Customers Portal currently have about Self-Managed instances?** (e.g., subscription contact, license holder email, seat link data) 2. **Could a token-based or email-domain verification flow be used** to establish that a user is a legitimate admin of a given instance? 3. **How does the Self-Managed instance call home to GitLab today** (e.g., seat link, cloud licensing)? Could this channel carry ownership/admin signals? 4. **What is the volume of Self-Managed customers affected** relative to SaaS? Is the pain equally acute? ## Relationship to SaaS Issue This is a parallel problem to https://gitlab.com/gitlab-org/customers-gitlab-com/-/issues/11389 but requires separate discovery and a different technical approach. The SaaS solution should not be blocked on or conflated with this work.