Skip to content

Make minimal access users or users not assigned to a group or project non-billable

Everyone can contribute. Help move this issue forward while earning points, leveling up and collecting rewards.

Release notes

Users with just Minimal Access, and no other access granted to resources within the group, no longer consume a paid seat on GitLab paid plans. You can use the Minimal Access role to grant a user access to a top level group, which enables SAML SSO, without these users counting towards your billable users count.

Problem

GitLab Premium customers would like to make use of the Minimal Access role launched with #220203 (closed). However, the fact that the Minimal Access Consumes a License Seat in Premium, presents a barrier for Group Owners to try to adopt SSO due to the risk of overprovisioning users that don't have access to any functional subgroups or projects but end up consuming a license.

Today, any valid user in the SSO IdP can create a "Minimal Access" user with the Identity Provider SSO URL and end up consuming a license. This presents a burden for group owners and administrators that need to reconcile this type of access with billable users to ensure they're not paying for a license that doesn't provide any value. This gets increasingly harder for groups with 1000s of users.

The sentiment aligns with those of a GitLab Administrator for 1000+ users in the original issue:

Here's my thoughts as an admin for a 1000+ user Silver account. I definitely think this is solving for something that is real. I'd want such a user not consume a seat until/unless they get a higher role somewhere.

Comment from @jrandazzo:

Minimal access makes sense to be non-billable for all distributions. It is a way to provision users without assigning access, especially on GitLab.com. As organizations come into the picture, I could see the concept of "Minimal Access" going away as users would be provisioned at Organizations without access, then assigned membership accordingly.

As a GitLab Group Owner in Gitlab.com I would like for Minimal Access to not consume a license so I am not concerned about paying for licenses that is not functional.

Current State

Docs vary in terms of if MA is listed as billable:

https://docs.gitlab.com/subscriptions/manage_users_and_seats/#billable-users - does not list MA as billable

Billable users are users with access to a namespace in a subscription, such as direct members, inherited members, and invited users, with one of the following roles:

  • Guest (billable on Premium, non-billable on Free and Ultimate)
  • Planner
  • Reporter
  • Developer
  • Maintainer
  • Owner

https://docs.gitlab.com/user/permissions/#users-with-minimal-access - lists MA as billable on SM Premium only

Users with the Minimal Access role do not:

  • Count as licensed seats on GitLab Self-Managed Ultimate subscriptions or any GitLab.com subscriptions, provided the user has no other role anywhere in the instance or in the GitLab.com namespace.

The reality:

  1. Minimal Access
    1. GitLab.com: Non-billable on both tiers
    2. Self-Managed: Non-billable on Ultimate, but billable on Premium

User experience goal

GitLab Group Owners in GitLab.com should be able to configure their SSO without worrying about the potential number of users that will be getting Minimal Access and end up consuming a license thus increasing their Max User Count.

  • This is a blocker for Restricted Access/BSO GA

Proposal

Do not count the following type of users as billable users on paid plans.

  1. Minimal Access
  2. Users without a Group or Project - since Users without a Group or Project have even less access than Minimal Access users, we believe that the same principle applies and they shouldn't be billable.

Further details

  1. Ensure that the Utilization tooling (billable users calculation panel, user statistics, any views that show users, etc.) make it clear that the following users are not billable:
    1. Users without a Group and Project
    2. Users with highest role **Minimal access**
  2. Update Self-Managed usage counts to exclude from billable users those users.

Documentation

  • After implementing: Need to update this section to say Minimal access users don't take a paid seat https://docs.gitlab.com/ee/user/permissions.html#minimal-access-users-take-license-seats
  • Clarify on the page that a minimal access user that is granted access to a higher role (Guest+) to a project will then inherit that higher access for billing purposes.
  • Update documentation to indicate how Users without a Group and Project are handled (non-billable after this change).

Links / references

Edited by Courtney Meddaugh