Make `minimal access users` or `users not assigned to a group or project` non-billable
Release notes
Users with just Minimal Access
, and no other access granted to resources within the group, no longer consume a paid seat on GitLab paid plans. You can use the Minimal Access role to grant a user access to a top level group, which enables SAML SSO, without these users counting towards your billable users count.
Problem
GitLab Premium customers would like to make use of the Minimal Access role launched with #220203 (closed). However, the fact that the Minimal Access Consumes a License Seat in Premium, presents a barrier for Group Owners to try to adopt SSO due to the risk of overprovisioning users that don't have access to any functional subgroups or projects but end up consuming a license.
Today, any valid user in the SSO IdP can create a "Minimal Access" user with the Identity Provider SSO URL and end up consuming a license. This presents a burden for group owners and administrators that need to reconcile this type of access with billable users to ensure they're not paying for a license that doesn't provide any value. This gets increasingly harder for groups with 1000s of users.
The sentiment aligns with those of a GitLab Administrator for 1000+ users in the original issue:
Here's my thoughts as an admin for a 1000+ user Silver account. I definitely think this is solving for something that is real. I'd want such a user not consume a seat until/unless they get a higher role somewhere.
As a GitLab Group Owner in Gitlab.com I would like for Minimal Access to not consume a license so I am not concerned about paying for licenses that is not functional.
Intended users
Cameron (Compliance Manager) Priyanka (Platform Engineer)
User experience goal
GitLab Group Owners in GitLab.com should be able to configure their SSO without worrying about the potential number of users that will be getting Minimal Access and end up consuming a license thus increasing their Max User Count.
Proposal
Do not count the following type of users as billable users on paid plans.
Minimal Access
-
Users without a Group or Project
- since Users without a Group or Project have even less access than Minimal Access users, we believe that the same principle applies and they shouldn't be billable.
Further details
- Ensure that the Utilization tooling (billable users calculation panel, user statistics, any views that show users, etc.) make it clear that the following users are not billable:
Users without a Group and Project
Users with highest role **Minimal access**
- Update Self-Managed usage counts to exclude from billable users those users.
Documentation
- After implementing: Need to update this section to say Minimal access users don't take a paid seat https://docs.gitlab.com/ee/user/permissions.html#minimal-access-users-take-license-seats
- Clarify on the page that a minimal access user that is granted access to a higher role (Guest+) to a project will then inherit that higher access for billing purposes.
- Update documentation to indicate how
Users without a Group and Project
are handled (non-billable after this change).
Availability & Testing
Available Tier
All paid tiers
What does success look like, and how can we measure that?
What is the type of buyer?
Dakota - Application Developer Director
Is this a cross-stage feature?
Potentially Fulfillment