Admin users not members of any namespace can't create groups or projects

Everyone can contribute. Help move this issue forward while earning points, leveling up and collecting rewards.

Close this issue

Summary

Admins created and not assigned to a namespace (such as their personal namespace or a group) are unable to create new groups or projects

Steps to reproduce

Install GitLab
Create admin user
Login into the admin account
Settings > General > Account and limit > Allow users with up to Guest role to create groups and personal projects is unchecked
Try to create a group in Admin area > Groups or use the UI by clicking the ➕ symbol
Group creation fail with "You don’t have permission to create groups"
Creating new projects is also not available

What is the current bug behavior?

Admins that have not been assigned to a namespace cannot create groups or projects if the Allow users with up to Guest role to create groups and personal projects option has been checked.

MR that introduced the feature related to when this behavior started occurring.
Documentation - Prevent non-members from creating projects and groups

What is the expected correct behavior?

Admins should be able to create groups and projects

Results of GitLab environment info

Expand for output related to GitLab environment info

System information
System:
Proxy:          HTTP_PROXY: http://192.168.10.40:8080
                FTP_PROXY: http://192.168.10.40:8080
                https_proxy: http://192.168.10.40:8080
                http_proxy: http://192.168.10.40:8080
                no_proxy: 127.0.0.1,localhost,.desa.mydomain.com.uy
                NO_PROXY: 127.0.0.1,localhost,.desa.mydomain.com.uy
                HTTPS_PROXY: http://192.168.10.40:8080
                ftp_proxy: http://192.168.10.40:8080
Current User:   git
Using RVM:      no
Ruby Version:   3.1.4p223
Gem Version:    3.5.6
Bundler Version:2.5.6
Rake Version:   13.0.6
Redis Version:  7.0.15
Sidekiq Version:7.1.6
Go Version:     unknown

GitLab information
Version:        16.10.0-ee
Revision:       053df647320
Directory:      /opt/gitlab/embedded/service/gitlab-rails
DB Adapter:     PostgreSQL
DB Version:     14.10
URL:            https://gitlab.desa.mydomain.com.uy
HTTP Clone URL: https://gitlab.desa.mydomain.com.uy/some-group/some-project.git
SSH Clone URL:  git@gitlab.desa.mydomain.com.uy:some-group/some-project.git
Elasticsearch:  no
Geo:            no
Using LDAP:     yes
Using Omniauth: yes
Omniauth Providers:

GitLab Shell
Version:        14.34.0
Repository storages:
- default:      unix:/var/opt/gitlab/gitaly/gitaly.socket
GitLab Shell path:              /opt/gitlab/embedded/service/gitlab-shell

Gitaly
- default Address:      unix:/var/opt/gitlab/gitaly/gitaly.socket
- default Version:      16.10.0
- default Git Version:  2.43.0

Results of GitLab application Check

Expand for output related to the GitLab application check

Checking GitLab subtasks ...

Checking GitLab Shell ...

GitLab Shell: ... GitLab Shell version >= 14.34.0 ? ... OK (14.34.0) Running /opt/gitlab/embedded/service/gitlab-shell/bin/check Internal API available: OK Redis available via internal API: OK gitlab-shell self-check successful

Checking GitLab Shell ... Finished

Checking Gitaly ...

Gitaly: ... default ... OK

Checking Gitaly ... Finished

Checking Sidekiq ...

Sidekiq: ... Running? ... yes Number of Sidekiq processes (cluster/worker) ... 1/1

Checking Sidekiq ... Finished

Checking Incoming Email ...

Incoming Email: ... Reply by email is disabled in config/gitlab.yml

Checking Incoming Email ... Finished

Checking LDAP ...

LDAP: ... Server: ldapmain LDAP authentication... Success LDAP users with access to your GitLab server (only showing the first 100 results) User output sanitized. Found 43 users of 100 limit.

Checking LDAP ... Finished

Checking GitLab App ...

Database config exists? ... yes Tables are truncated? ... skipped All migrations up? ... yes Database contains orphaned GroupMembers? ... no GitLab config exists? ... yes GitLab config up to date? ... yes Cable config exists? ... yes Resque config exists? ... yes Log directory writable? ... yes Tmp directory writable? ... yes Uploads directory exists? ... yes Uploads directory has correct permissions? ... yes Uploads directory tmp has correct permissions? ... yes Systemd unit files or init script exist? ... skipped (omnibus-gitlab has neither init script nor systemd units) Systemd unit files or init script up-to-date? ... skipped (omnibus-gitlab has neither init script nor systemd units) Projects have namespace: ... can't check, you have no projects Redis version >= 6.2.14? ... yes Ruby version >= 3.0.6 ? ... yes (3.1.4) Git user has default SSH configuration? ... yes Active users: ... 3 Is authorized keys file accessible? ... yes GitLab configured to store new projects in hashed storage? ... yes All projects are in hashed storage? ... yes Elasticsearch version 7.x-8.x or OpenSearch version 1.x ... skipped (Advanced Search is disabled) All migrations must be finished before doing a major upgrade ... skipped (Advanced Search is disabled)

Checking GitLab App ... Finished

Checking GitLab subtasks ... Finished

Suggested fix

Modify the method allow_user_to_create_group_and_project? to return true if user is an admin. This line: https://gitlab.com/gitlab-org/gitlab/-/blob/88f4cb4e637f7866ba8b8f133a3d0c06c0d1cb77/app/models/user.rb#L1406-1410

  def allow_user_to_create_group_and_project?
    return true if Gitlab::CurrentSettings.allow_project_creation_for_guest_and_below || admin?

    highest_role > Gitlab::Access::GUEST
  end

Workaround

Add the user to a group, any group, with Guest access or higher. Removing them from the group after the UpdateHighestMemberRoleService worker has run (every 10 minutes by default) will retain their highest_role attribute

Edited Aug 12, 2025 by 🤖 GitLab Bot 🤖