惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Recorded Future
Recorded Future
C
Cyber Attacks, Cyber Crime and Cyber Security
D
Darknet – Hacking Tools, Hacker News & Cyber Security
Scott Helme
Scott Helme
Cyberwarzone
Cyberwarzone
C
CERT Recently Published Vulnerability Notes
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
P
Palo Alto Networks Blog
Google Online Security Blog
Google Online Security Blog
Security Archives - TechRepublic
Security Archives - TechRepublic
WordPress大学
WordPress大学
博客园 - 聂微东
L
LINUX DO - 最新话题
月光博客
月光博客
小众软件
小众软件
T
Troy Hunt's Blog
A
Arctic Wolf
量子位
I
Intezer
大猫的无限游戏
大猫的无限游戏
T
Tailwind CSS Blog
S
Schneier on Security
Schneier on Security
Schneier on Security
NISL@THU
NISL@THU
T
Threat Research - Cisco Blogs
TaoSecurity Blog
TaoSecurity Blog
酷 壳 – CoolShell
酷 壳 – CoolShell
博客园_首页
有赞技术团队
有赞技术团队
N
News and Events Feed by Topic
美团技术团队
The Cloudflare Blog
P
Privacy International News Feed
S
Security Affairs
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
G
GRAHAM CLULEY
N
News | PayPal Newsroom
Apple Machine Learning Research
Apple Machine Learning Research
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
L
LINUX DO - 热门话题
V
Vulnerabilities – Threatpost
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
C
CXSECURITY Database RSS Feed - CXSecurity.com
宝玉的分享
宝玉的分享
Application and Cybersecurity Blog
Application and Cybersecurity Blog
IT之家
IT之家
Hacker News: Ask HN
Hacker News: Ask HN
雷峰网
雷峰网

GitLab

Turn multi-step software delivery into agentic flows you can trust GitLab Duo Security Review spots logic flaws scanners miss Bring GitLab Duo Agent Platform to your terminal Forrester Consulting: GitLab Duo Agent Platform delivers 400% ROI GitLab 19.2 release notes | GitLab Docs When a version bump breaks your build, GitLab fixes it Green DevOps: Why carbon measurement belongs in your CI/CD pipeline GitLab Patch Release: 19.1.2, 19.0.4, 18.11.7 How we used AI agents to migrate GitLab rate limiting GitLab Patch Release: 18.8.11 | GitLab Docs Claude Sonnet 5 on GitLab: More reliable, more efficient What Google Antigravity agents get full context with GitLab Orbit GitLab Patch Release: 19.1.1, 19.0.3, 18.11.6 GitLab 19.1 release notes | GitLab Docs AI Catalog updates for governance and operations One vulnerability view: From scanner coverage to AI governance GitLab named a Leader in the 2026 Gartner® Magic Quadrant™ for DevSecOps Platforms GitLab and Capgemini accelerate DevSecOps transformation Introducing the 2026 EMEA GitLab Partner Award winners GitLab Patch Release: 19.0.2, 18.11.5, 18.10.8 Introducing GitLab Orbit GitLab Flex: Commit once, reshape your seats and AI spend GitLab: Built for the agentic engineering era GitLab on Google Cloud: Fully managed, compliant, and AI-ready Shai-Hulud copycat campaign targets Python developers through PyPI typosquatting Mythos-class Claude Fable 5 arrives on GitLab Duo Agent Platform GitLab Patch Release: 19.0.1, 18.11.4, 18.10.7 Claude Opus 4.8 on GitLab: Complex agentic work, less disruption Agentic coding is only as good as its context GitLab Patch Release: 18.9.8, 18.8.10, 18.7.7, 18.6.8, 18.5.7 Full security scanner coverage of your codebase in minutes Reduce supply chain risk with SBOM-based dependency scanning Transform MRs from manual tasks to an automated workflow Track CI component usage across your organization Manage CI/CD credentials with GitLab Secrets Manager More AI models for GitLab Duo Agent Platform Self-Hosted GitLab 19.0 | GitLab Docs GitLab Dedicated for Government now GovRAMP-authorized Beyond BYOK: Why governance matters for AI agents Fix bugs with Codex and GitLab 5 ways to fix misleading vulnerability severities with policy Harden your pipeline perimeter for the era of AI-assisted coding GitLab Patch Release: 18.11.3, 18.10.6, 18.9.7 GitLab Act 2 Consolidate your GitLab stack with Gitaly on Kubernetes Limit token exposure with fine-grained PATs Automate deployment processes with GitLab Duo Agent Platform Claude Code and GitLab: Three workflows that ship 8 Agentic AI patterns reshaping team collaboration How to detect and prevent Contagious Interview IDE attacks Atlassian will train on your data: Opt out with GitLab Automate detection testing with GitLab CI/CD and Duo
Keep your GitLab seats in check with restricted access
Magdalena Frankiewicz · 2026-07-06 · via GitLab

GitLab restricted access for instance admins, group owners, and billing managers enables predictable seat costs with less manual gatekeeping. The feature has been significantly improved and is now more complete for the workflows that commonly affect seat usage. This update closes the gaps around identity provider provisioning, dormant user reactivation, and sign-in flows so organizations can use restricted access with more confidence in real-world environments.

In this article, you'll learn what restricted access does, what changed, and how to turn the feature on.

What is restricted access?

Restricted access is a seat control feature available on GitLab.com and Self-Managed. When it is enabled and all licensed seats are already in use, GitLab blocks new billable users from being added.

Organizations, therefore, can avoid unexpected seat growth before renewal and keep seat usage aligned more closely to the number of seats they have purchased. Restricted access is designed to prevent new overages going forward, not to undo overages that already exist.

Users who do not need project or group access, such as users who authenticate through GitLab as an OpenID Connect (OIDC) provider, can be assigned the non-billable Minimal Access role. Those users can still authenticate without consuming a paid seat.

Existing billable members are not retroactively affected

Restricted access is forward-looking. If you enable it on a group or instance that is already over its seat limit, GitLab does not downgrade, remove, or block existing billable members. Current memberships stay as they are. If there is already an overage, administrators still need to bring usage back within the purchased limit by removing billable members or purchasing additional seats.

Once seat usage is back within the subscription limit, restricted access helps prevent additional billable growth beyond that limit.

Restricted access works better with your identity provider

A major part of the recent feature completion work was improving how restricted access behaves with identity-driven provisioning.

When restricted access is enabled and no seats are available, users provisioned through SAML, SCIM, or LDAP are no longer added directly into billable roles. Instead, GitLab assigns them the non-billable Minimal Access role. Synchronization can continue while avoiding an immediate billable overage.

This behavior is especially helpful for organizations that rely on automated provisioning and want tighter cost controls without giving up centralized identity management.

If you use GitLab as an OIDC provider and some users only need authentication rather than project or group access, assigning Minimal Access at the top-level group remains a useful pattern. Those users do not consume billable seats, and users with only Minimal Access can still be reactivated even when no seats are available.

Dormant users no longer create silent overages

GitLab can automatically deactivate users who have had no activity for a configurable period, freeing up seats. Previously, when those users signed back in through OIDC or single sign-on (SSO), they could be silently reactivated as billable users, bypassing restricted access and creating license overages.

Now, when restricted access is active and no seats are available, dormant users who sign back in are placed in a pending approval state. Their group and project memberships are preserved, and an administrator can approve them when a seat opens up.

Restricted access is also easier to operate day to day.

Recent improvements added more guidance directly into the product so administrators understand what will happen before and after they hit their seat limit. Depending on the scenario, that includes:

  • Contextual warnings when configuring LDAP sync, SAML group links, or SCIM provisioning while restricted access is active
  • Separate in-product states for approaching the seat limit and reaching the seat limit
  • Email notifications to group owners or instance administrators when users are assigned Minimal Access because no paid seats are available
  • Audit visibility for Minimal Access fallback events

The goal is not just to block new billable additions, but to make that behavior easier to understand and manage.

GitLab Self-Managed's settings cache

On GitLab Self-Managed, application settings are cached for 60 seconds by default for performance reasons.

As a result, if you switch between restricted access and user cap, some UI changes or seat-control behavior might not appear immediately. The cache refreshes automatically, and behavior becomes consistent once it does. If needed, administrators can adjust the cache interval.

See the application settings cache documentation.

The difference between restricted access and user cap

Restricted access and user cap are related, but they solve different problems.

User cap puts new users into a pending approval flow for administrators or group owners to review, regardless of whether seats are still available. Restricted access is tied directly to the number of licensed seats and blocks new billable additions only when no seats remain.

In other words, user cap is an approval control. Restricted access is a seat-limit control.

They also cannot be enabled at the same time. When you enable restricted access, user cap is disabled automatically. On GitLab.com, switching from user cap to restricted access can also affect pending members, so it is worth reviewing the documented behavior before making the change.

Get started

Restricted access is available on GitLab.com and Self-Managed.

  • On GitLab.com, group Owners can enable it at Settings > General > Permissions and group features > Seat control > Restricted access
  • On Self-Managed, administrators can enable it at Admin > Settings > General > New user account restrictions > Seat control > Restricted access
  • On GitLab.com, restricted access is not available when the top-level group is shared with an external group.

If your team wants tighter control over seat growth, fewer billing surprises, and a clearer operational model for provisioning and reactivation, restricted access is worth a closer look.

Resources