[RA] Document different RA settings in code and UI
Background
As discussed in #566005 (closed), there are several settings related to BSO (Block Seat Overages), user creation permissions, and user caps that need to be clearly documented with their code names and UI names to help write clear scenarios for how these settings interact.
Objective
Create a comprehensive list of all settings related to:
- BSO (Block Seat Overages) / Restricted Access
- User creation permissions (groups and projects)
- User caps and seat control
- Related permission and restriction settings
- SAML, SCIM and LDAP
Requirements
For each setting, document:
- Code Name - The actual attribute/method name used in the codebase
- UI Name - The label shown to users in the interface
- Scope - Whether it's instance-level, group-level, or user-level
Overview
BSO related settings
- Seat Control
- Allow users with up to guest role to create groups and personal projects
- User creation settings
- Related permission settings
BSO considering protocols
BSO related settings
Seat Control
For GitLab.com and Self-Managed/Dedicated
| table | attribute | 
|---|---|
| namespace_settings | seat_control | 
| namespace_settings | new_user_signups_cap | 
Allow users with up to guest role to create groups and personal projects
For GitLab.com and Self-Managed/Dedicated
Instance level
| table | attribute | 
|---|---|
| application_settings | allow_project_creation_for_guest_and_below | 
User Creation Settings
- can_create_group and can_create_project
  - Both are influenced by allow_project_creation_for_guest_and_below
- can_create_project
  - Is additionally influenced by projects_limit/default_projects_limit
Related Permission Settings
- prevent_sharing_groups_outside_hierarchy
  - Saved on namespace_settings table
- share_with_group_lock
  - Saved on namespaces table
BSO considering protocols
LDAP
Only for Self-Managed/Dedicated
General settings
Instance level
- Lock memberships to LDAP synchronization.
- Allow group owners to manage LDAP-related settings.
| table | attribute | 
|---|---|
| application_settings | lock_memberships_to_ldap | 
| application_settings | allow_group_owners_to_manage_ldap | 
LDAP synchronizations
Group level
| table | attribute | 
|---|---|
| ldap_group_links | provider | 
| ldap_group_links | group_id | 
| ldap_group_links | filter | 
| ldap_group_links | group_access | 
| ldap_group_links | member_role_id | 
SAML
For GitLab.com and Self-Managed/Dedicated
General settings
Instance level
| table | attribute | 
|---|---|
| application_settings | lock_memberships_to_saml | 
SAML Single Sign On (SSO)
Group level
| table | attribute | 
|---|---|
| saml_providers | enabled | 
| saml_providers | disable_password_authentication_for_enterprise_users | 
| saml_providers | enforced_sso | 
| saml_providers | git_check_enforced | 
| saml_providers | sso_url | 
| saml_providers | certificate_fingerprint | 
| saml_providers | member_role_id | 
SAML Group Links
Group level
| table | attribute | 
|---|---|
| saml_group_links | saml_group_name | 
| saml_group_links | access_level | 
SCIM
- For GitLab.com and Self-Managed/Dedicated
- Top-level group
- No changeable settings
Deliverable
A clear reference document (in dev docs, issue description, or separate documentation) that serves as a single source of truth for understanding these settings and their relationships.
This will help with:
- Writing clear test scenarios
- Understanding setting interactions
- Ensuring consistent behavior across different configurations
- Supporting the SAM (Seat Assignment Model) implementation











