Configure access to the GitLab Duo Agent Platform

  • Tier: Free, Premium, Ultimate
  • Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated

You can turn GitLab Duo on or off for a group. You can also specify certain groups that can access only GitLab Duo Agent Platform features.

Give access to Agent Platform features

Prerequisites:

  • The Owner role for the top-level group.

To give access to specific Agent Platform features for a top-level group:

  1. In the top bar, select Search or go to and find your group.

  2. Select Settings > GitLab Duo.

  3. Select Change configuration.

  4. Under Member access, select Add group.

  5. From the dropdown list, select an existing group.

    When you add the first group, a default No group rule is also added. You can use this rule to configure access for all other users. This rule is automatically deleted when it has no access to GitLab Duo or Agent Platform and all existing groups are removed.

  6. Select the features that direct group members can access.

  7. Select Save changes.

These settings apply to:

  • Users who execute actions in the top-level group or a subgroup or project within a top-level group, and are direct members of either the top-level group, or of any subgroup or project within that top-level group.
  • Users who have the top-level group as the default GitLab Duo namespace.

When you configure group-based access controls, you can select only groups that are direct subgroups of the top-level group. You cannot use nested subgroups in access control rules.

Prerequisites:

  • Administrator access.

To give access to specific Agent Platform features for an instance:

  1. In the upper-right corner, select Admin.

  2. In the left sidebar, select GitLab Duo.

  3. Select Change configuration.

  4. Under Member access, select Add group.

  5. From the dropdown list, select an existing group.

    When you add the first group, a default No group rule is also added. You can use this rule to configure access for all other users. This rule is automatically deleted when it has no access to GitLab Duo or Agent Platform and all existing groups are removed.

    You can select only direct subgroups of the top-level group for access control. You cannot use nested subgroups in this configuration.

  6. Select the features that direct group members can access.

  7. Select Save changes.

The user can now access these features when they are turned on.

If you do not want to manually manage group membership, you can synchronize membership by using LDAP or SAML.

Group membership

When a user is assigned to more than one group, they access features from all assigned groups. For example:

  • In group A, the user has access to GitLab Duo features only.
  • In group B, the user has access to flows only.

In this example, the user has access to both GitLab Duo features and flows.

If no group is configured:

  • On GitLab.com: All members of the top-level group can access Agent Platform features.
  • On GitLab Self-Managed: All users can access Agent Platform features.

Additional controls (such as disabling features for the top-level group or instance) still apply.

Synchronize group membership

If you use LDAP or SAML for authentication, you can synchronize group membership automatically:

  1. Configure your LDAP or SAML provider to include a group that represents Agent Platform users.
  2. In GitLab, ensure the group is linked to your LDAP or SAML provider.
  3. Group membership updates automatically when users are added or removed from the provider group.

For more information, see:

Using access control

You can use access control for phased rollouts or testing and validation.

Phased rollouts

To implement a phased rollout of the Agent Platform:

  1. Create a group for pilot users (for example, pilot-users).
  2. Add a subset of users to this group.
  3. Add more users to the group gradually as you validate functionality and train users.
  4. Add all users to the group when you’re ready for a full rollout.

Testing and validation

To test Agent Platform capabilities in a controlled environment:

  1. Create a dedicated group for testing (for example, agent-testers).
  2. Create a test group or project.
  3. Add test users to the agent-testers group.
  4. Validate functionality and train users before a broader rollout.

Troubleshooting

GitLab Duo sidebar does not display for certain groups

In GitLab 18.8 and earlier, if you give a group access to Agent Platform but not to GitLab Duo, the GitLab Duo sidebar does not display for members of that group. As a workaround, ensure the group has access to both GitLab Duo and Agent Platform features.

To resolve this issue, upgrade to GitLab 18.9 or later.