Allow member access rules with no group to act as a default rule for all users
Summary
When configuring member access rules for GitLab Duo, adding any group-based rule causes users not in that group to lose access to all features (including Classic). There is currently no way to define a default/fallback rule that applies to all users without creating and maintaining a dedicated group.
Problem
The current behavior of member access rules is:
- When no group is configured: All users get access to Duo Agent Platform (DAP) features by default.
- When any group-based rule is added: Only users in explicitly configured groups get access. All other users lose access to both DAP and Classic features.
This means that if an admin wants to grant DAP access to a specific subset of users (e.g., a pilot group), they inadvertently cut off Classic feature access for everyone else.
Current workaround: Create a separate group containing all users and assign Classic access to that group. This can be automated via LDAP or SAML group sync, but for customers who do not use LDAP/SAML, this requires manually creating and maintaining the group membership, which is error-prone and does not scale well.
Proposal
Allow creating a member access rule with no group entry. This rule would act as a wildcard/default, applying to:
- Self-Managed: All users in the instance
- GitLab.com: All members of the top-level namespace
Admins could then configure rules like:
| Group | Classic | DAP |
|---|---|---|
| (no group - all users) | | |
| pilot-users | | |
This would preserve Classic access for all users while restricting DAP to the pilot group, without requiring a manually maintained catch-all group.
Benefits
- Simpler configuration: No need to create and maintain a dedicated "everyone" group
- No dependency on LDAP/SAML: Customers without identity provider group sync can still achieve this setup easily
- Consistent with existing behavior: The "no group configured" default already implies an "all users" scope; this proposal makes that concept explicit and configurable within the rules UI
- Supports phased rollouts: Admins can roll out DAP to specific groups while keeping Classic available to everyone, which aligns with the phased rollout use case already documented
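
A small model of the rule evaluation described above, added here as an illustration and not GitLab's implementation; the rule shape, the `ALL_USERS` marker, the union-of-matching-rules behaviour and the pilot group's Classic grant are assumptions, and the users are constructed. It compares who ends up without Classic under a single pilot rule, the catch-all-group workaround, and the proposed no-group rule.

```python
# Added model of the rule semantics described in this issue; not GitLab code.
# Rule shape, feature labels, user names and group names are constructed.
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

CLASSIC, DAP = "classic", "dap"
ALL_USERS = None  # hypothetical marker for the proposed rule with no group

# A rule is (group name or ALL_USERS, features granted).
Rule = Tuple[Optional[str], FrozenSet[str]]


def effective_access(user_groups: Set[str], rules: List[Rule]) -> Set[str]:
    """Features a user receives once at least one rule is configured.

    Assumption: a user matching several rules gets the union of their features.
    """
    granted: Set[str] = set()
    for group, features in rules:
        if group is ALL_USERS or group in user_groups:
            granted |= features
    return granted


def users_without(feature: str, directory: Dict[str, Set[str]],
                  rules: List[Rule]) -> List[str]:
    """Audit helper: users who would not receive `feature` under `rules`."""
    return sorted(user for user, groups in directory.items()
                  if feature not in effective_access(groups, rules))


# Constructed directory: carol was never added to the hand-maintained group.
DIRECTORY = {
    "alice": {"pilot-users", "everyone"},
    "bob": {"everyone"},
    "carol": set(),
}

# One group rule (assumed to grant both features): others lose all access.
PILOT_ONLY = [("pilot-users", frozenset({CLASSIC, DAP}))]
# Current workaround: a manually maintained catch-all group for Classic.
WORKAROUND = PILOT_ONLY + [("everyone", frozenset({CLASSIC}))]
# Proposal: a rule with no group acts as the default for all users.
PROPOSED = PILOT_ONLY + [(ALL_USERS, frozenset({CLASSIC}))]

if __name__ == "__main__":
    for name, rules in [("pilot only", PILOT_ONLY), ("workaround", WORKAROUND),
                        ("proposed", PROPOSED)]:
        print(f"{name}: no Classic -> {users_without(CLASSIC, DIRECTORY, rules)}; "
              f"no DAP -> {users_without(DAP, DIRECTORY, rules)}")
```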