List group users API (experiment) returns 403 error

Summary

The List group users API (currently in the Experiment status) always returns 403 error even if API request was authenticated by Owner of the group.

Steps to reproduce

Issue the project access token that has Owner role
Request the List group users API by using this access token.

I also confirmed that the issue can be reproduced by using the personal access token of an Owner

Example Project

https://gitlab.com/groups/kkamiya_gl_premium_group

What is the current bug behavior?

API always returns 403

What is the expected correct behavior?

API returns a list of users for a group.

Relevant logs and/or screenshots

$ curl --header "PRIVATE-TOKEN: glpat-b6VJ5r*****" "https://gitlab.com/api/v4/groups/70922628/users?include_saml_users=false"
{"message":"403 Forbidden"}

Output of checks

Results of GitLab environment info

Expand for output related to GitLab environment info

Replicated in GitLab.com

Results of GitLab application Check

Expand for output related to the GitLab application check

Replicated in GitLab.com

Possible fixes

Edited Oct 03, 2025 by 🤖 GitLab Bot 🤖