### Proposal Currently, GitLab SaaS offers IP-based access restrictions that can limit access TO specific repositories FROM certain IP addresses. However, in enterprise and financial environments, there's a critical security need to prevent data exfiltration by controlling repository access in both directions. **Proposed Feature: Bidirectional IP-based Repository Access Control** This feature would extend the current IP-based access control to work bidirectionally: 1. **Current Functionality (Inbound Control)** - Restrict access TO specific repositories FROM certain IPs - Configure allowed IP ranges for accessing enterprise repositories 2. **New Functionality (Outbound Control)** - Restrict access FROM certain IPs TO only specific repositories/groups - Block all other repository access from those IPs - Prevent unauthorized repository cloning from corporate networks 3. **Implementation Details** - Add new group-level setting: "Restrict outbound repository access" - Allow administrators to specify allowed repository patterns/groups - Block git operations to unauthorized repositories from restricted IPs - Provide audit logs for attempted unauthorized access 4. **Security Benefits** - Prevents source code exfiltration - Enhances enterprise security controls - Supports compliance requirements - Reduces risk of intellectual property theft 5. **Configuration Example** ```yaml group_settings: restricted_ips: - range: "10.0.0.0/8" allowed_repositories: - "company-group/*" - "approved-external-group/*" ```