Configure access for the Agent Platform
- Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated
You can turn GitLab Duo on or off for a group.
In addition, you can limit access to Agent Platform features to specific groups.
Give a user access to Agent Platform features
To give a user access to specific Agent Platform features, complete the following steps.
Prerequisites:
- You must be an administrator.
To give a user access to specific features:
- In the upper-right corner, select Admin.
- On the left sidebar, select GitLab Duo.
- Select Change configuration.
- Under Member Access, select Add group.
- Use the search box to select an existing group.
  You can select only direct subgroups of the top-level group for access control. You cannot use nested subgroups in this configuration.
- Select the features that direct group members can access.
- Select Save changes.
The user now has access to these features anywhere in the instance where they have access and the features are turned on.
Prerequisites:
- You must be an administrator of the top-level namespace.
- You must have an existing group, or the ability to create a new group, for Duo Agent Platform (DAP) users.
To give a user access to specific features:
- In the top bar, select Search or go to and find your group.
- Select Settings > GitLab Duo.
- Select Change configuration.
- Under Member Access, select Add group.
- Use the search box to select an existing group.
- Select the features that direct group members can access.
- Select Save changes.
These settings apply to:
- Users who have the top-level group as the default GitLab Duo namespace.
- Users who execute actions in the top-level group and are direct members of that group.
- Users who are inherited members of the top-level group.
When you configure group-based access controls, you can select only groups that are direct subgroups of the top-level group. You cannot use nested subgroups in access control rules.
If you do not want to manually manage group membership, you can synchronize membership by using LDAP or SAML.
Multiple group membership
When a user is assigned to more than one group, they get the features from all assigned groups. For example:
- In group A, they have access to classic features only.
- In group B, they have access to flows only.
They will be able to access both classic features and flows.
When no group is configured
If no group is configured:
- On GitLab.com: All members of the top-level namespace are eligible to use Duo Agent Platform features. Further controls (such as disabling features across the namespace) are still applied.
- On GitLab Self-Managed: All users in the instance are eligible to use Agent Platform features.
In all scenarios, further controls such as disabling features across a namespace or instance still apply.
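The following added example (not GitLab code) models the rules above so you can check a planned configuration for unintended access before applying it: only direct subgroups are valid, features from multiple groups are additive, and an empty configuration makes everyone eligible. The group paths, user names, feature labels `classic` and `flows`, and the `EXPECTED` rollout plan are constructed sample data, and the model does not account for the namespace-wide or instance-wide switches.

```python
# Added illustration: models the access rules described on this page.
# Group paths, user names and feature labels are constructed sample data.

def is_direct_subgroup(top_level, group_path):
    """True only for 'top/child', not 'top/child/grandchild' or other roots."""
    parts = group_path.split("/")
    return len(parts) == 2 and parts[0] == top_level and parts[1] != ""


def validate_rules(top_level, rules):
    """Return rule groups that cannot be selected (not direct subgroups)."""
    return sorted(g for g in rules if not is_direct_subgroup(top_level, g))


def effective_features(user, rules, direct_members, all_features):
    """Features a user is eligible for, before namespace/instance switches.

    rules:          group path -> features granted to its direct members
    direct_members: group path -> set of direct member user names
    """
    if not rules:
        # No group configured: every user is eligible for every feature.
        return set(all_features)
    granted = set()
    for group, features in rules.items():
        if user in direct_members.get(group, set()):
            granted |= features  # multiple groups: features are additive
    return granted


def over_entitled(rules, direct_members, all_features, expected):
    """Users whose effective features exceed what the rollout plan expects."""
    users = set().union(*direct_members.values()) if direct_members else set()
    report = {}
    for user in sorted(users):
        have = effective_features(user, rules, direct_members, all_features)
        extra = have - expected.get(user, set())
        if extra:
            report[user] = extra
    return report


ALL_FEATURES = {"classic", "flows"}
RULES = {"acme/group-a": {"classic"}, "acme/group-b": {"flows"}}
MEMBERS = {"acme/group-a": {"alice", "bob"}, "acme/group-b": {"alice"}}
EXPECTED = {"alice": {"classic"}, "bob": {"classic"}}  # constructed plan

if __name__ == "__main__":
    print(over_entitled(RULES, MEMBERS, ALL_FEATURES, EXPECTED))
```

Running the same check with an empty `rules` mapping shows why removing the last configured group widens access instead of closing it.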
Synchronize group membership
If you use LDAP or SAML for authentication, you can synchronize group membership automatically:
- Configure your LDAP or SAML provider to include a group that represents DAP users.
- In GitLab, ensure the group is linked to your LDAP/SAML provider.
- Group membership updates automatically when users are added or removed from the provider group.
For more information, see:
Use cases
You can use groups to implement phased rollouts or for testing purposes.
Phased rollout
To implement a phased rollout of the Agent Platform:
- Create a group for pilot users (for example, pilot-users).
- Add a subset of users to this group.
- Gradually add more users to the group as you validate functionality and train users.
- When ready for full rollout, add all users to the group.
Testing and validation
To test Agent Platform capabilities in a controlled environment:
- Create a dedicated group for testing (for example, agent-testers).
- Create a test namespace or project.
- Add test users to the agent-testers group.
- Validate functionality and train users before broader rollout.