Moderate users (administration)
DETAILS: Tier: Free, Premium, Ultimate Offering: Self-managed
This is the administration documentation. For information about moderating users in a group, see the group documentation.
GitLab administrators can moderate user access by approving, blocking, banning, or deactivating users.
Users pending approval
A user in pending approval state requires action by an administrator. A user sign up can be in a pending approval state because an administrator has enabled any of the following options:
- Require administrator approval for new sign-ups setting.
- User cap.
- Block auto-created users (OmniAuth)
- Block auto-created users (LDAP)
When a user registers for an account while this setting is enabled:
- The user is placed in a Pending approval state.
- The user sees a message telling them their account is awaiting approval by an administrator.
A user pending approval:
- Is functionally identical to a blocked user.
- Cannot sign in.
- Cannot access Git repositories or the GitLab API.
- Does not receive any notifications from GitLab.
- Does not consume a seat.
An administrator must approve their sign up to allow them to sign in.
View user sign ups pending approval
- Ability to filter a user by state introduced in GitLab 17.0.
To view user sign ups pending approval:
- On the left sidebar, at the bottom, select Admin.
- Select Overview > Users.
- In the search box, filter by State=Pending approval, and press Enter.
Approve or reject a user sign up
- Ability to filter a user by state introduced in GitLab 17.0.
A user sign up pending approval can be approved or rejected from the Admin area.
To approve or reject a user sign up:
- On the left sidebar, at the bottom, select Admin.
- Select Overview > Users.
- In the search box, filter by State=Pending approval and press Enter.
- For the user sign up you want to approve or reject, select the vertical ellipsis ({ellipsis_v}), then Approve or Reject.
Approving a user:
- Activates their account.
- Changes the user's state to active.
- Consumes a subscription seat.
Rejecting a user:
- Prevents the user from signing in or accessing instance information.
- Deletes the user.
View users pending role promotion
When user promotion management is enabled, any user added or promoted to a billable role will be pending administrator approval.
To view users pending role promotion:
- On the left sidebar, at the bottom, select Admin.
- Select Overview > Users.
- Select Role Promotions.
A list of users with the highest role requested is displayed. You can Approve or Reject the requests.
Block and unblock users
GitLab administrators can block and unblock users. You should block a user when you don't want them to access the instance, but you want to retain their data.
A blocked user:
- Cannot sign in or access any repositories. The blocked user's data remains in those repositories.
- Cannot use slash commands. For more information, see slash commands.
- Does not occupy a seat. For more information, see billable users.
Block a user
Prerequisites:
- You must be an administrator for the instance.
You can block a user's access to the instance.
To block a user:
- On the left sidebar, at the bottom, select Admin.
- Select Overview > Users.
- For the user you want to block, select the vertical ellipsis ({ellipsis_v}), then Block.
The user receives an email notification that their account has been blocked. After this email, they no longer receive notifications.
To report abuse from other users, see report abuse. For more information on abuse reports in the Admin area, see resolving abuse reports.
Unblock a user
- Ability to filter a user by state introduced in GitLab 17.0.
A blocked user can be unblocked from the Admin area. To do this:
- On the left sidebar, at the bottom, select Admin.
- Select Overview > Users.
- In the search box, filter by State=Blocked and press Enter.
- For the user you want to unblock, select the vertical ellipsis ({ellipsis_v}), then Unblock.
The user's state is set to active and they consume a seat.
NOTE: Users can also be unblocked using the GitLab API.
The unblock option may be unavailable for LDAP users. To enable the unblock option, the LDAP identity first needs to be deleted:
- On the left sidebar, at the bottom, select Admin.
- Select Overview > Users.
- In the search box, filter by State=Blocked and press Enter.
- Select a user.
- Select the Identities tab.
- Find the LDAP provider and select Delete.
Activate and deactivate users
GitLab administrators can deactivate and activate users. You should deactivate a user if they have no recent activity, and you don't want them to occupy a seat on the instance.
A deactivated user:
- Can sign in to GitLab.
- If a deactivated user signs in, they are automatically activated.
- Cannot access repositories or the API.
- Cannot use slash commands. For more information, see slash commands.
- Does not occupy a seat. For more information, see billable users.
When you deactivate a user, their projects, groups, and history remain.
Deactivate a user
Prerequisites:
- The user has had no activity in the last 90 days.
To deactivate a user from a self-managed GitLab instance:
- On the left sidebar, at the bottom, select Admin.
- Select Overview > Users.
- For the user you want to deactivate, select the vertical ellipsis ({ellipsis_v}) and then Deactivate.
- On the dialog, select Deactivate.
The user receives an email notification that their account has been deactivated. After this email, they no longer receive notifications. For more information, see user deactivation emails.
To deactivate users with the GitLab API, see deactivate user. For information about permanent user restrictions, see block and unblock users.
To remove a user from a GitLab.com subscription, see Remove users from your subscription.
Automatically deactivate dormant users
- Customizable time period introduced in GitLab 15.4
- The lower limit for inactive period set to 90 days introduced in GitLab 15.5
Administrators can enable automatic deactivation of users who either:
- Were created more than a week ago and have not signed in.
- Have no activity for a specified period of time (default and minimum is 90 days).
To do this:
- On the left sidebar, at the bottom, select Admin.
- Select Settings > General.
- Expand the Account and limit section.
- Under Dormant users, check Deactivate dormant users after a period of inactivity.
- Under Days of inactivity before deactivation, enter the number of days before deactivation. Minimum value is 90 days.
- Select Save changes.
When this feature is enabled, GitLab runs a job once a day to deactivate the dormant users.
A maximum of 100,000 users can be deactivated per day.
NOTE: GitLab generated bots are excluded from the automatic deactivation of dormant users.
Automatically delete unconfirmed users
DETAILS: Tier: Premium, Ultimate Offering: Self-managed
- Introduced in GitLab 16.1 with a flag named
delete_unconfirmed_users_setting
. Disabled by default.- Enabled by default in GitLab 16.2.
Prerequisites:
- You must be an administrator.
You can enable automatic deletion of users who both:
- Never confirmed their email address.
- Signed up for GitLab more than a specified number of days in the past.
You can configure these settings using either the Settings API or in a Rails console:
Gitlab::CurrentSettings.update(delete_unconfirmed_users: true)
Gitlab::CurrentSettings.update(unconfirmed_users_delete_after_days: 365)
When the delete_unconfirmed_users
setting is enabled, GitLab runs a job once an hour to delete the unconfirmed users.
The job only deletes users who signed up more than unconfirmed_users_delete_after_days
days in the past.
This job only runs when the email_confirmation_setting
is set to soft
or hard
.
A maximum of 240,000 users can be deleted per day.
Activate a user
- Ability to filter a user by state introduced in GitLab 17.0.
A deactivated user can be activated from the Admin area.
To do this:
- On the left sidebar, at the bottom, select Admin.
- Select Overview > Users.
- In the search box, filter by State=Deactivated and press Enter.
- For the user you want to activate, select the vertical ellipsis ({ellipsis_v}), then Activate.
The user's state is set to active and they consume a seat.
NOTE: A deactivated user can also activate their account themselves by logging back in via the UI. Users can also be activated using the GitLab API.
Ban and unban users
- Hiding merge requests of banned users introduced in GitLab 15.8 with a flag named
hide_merge_requests_from_banned_users
. Disabled by default.- Hiding comments of banned users introduced in GitLab 15.11 with a flag named
hidden_notes
. Disabled by default.- Hiding projects of banned users introduced in GitLab 16.2 with a flag named
hide_projects_of_banned_users
. Disabled by default.
GitLab administrators can ban and unban users. You should ban a user when you want to block them and hide their activity from the instance.
A banned user:
- Is blocked from the instance. The banned user's projects, issues, merge requests, and comments are hidden.
- Does not occupy a seat.
Ban a user
To block a user and hide their contributions, administrators can ban the user.
Users can be banned using the Admin area. To do this:
- On the left sidebar, at the bottom, select Admin.
- Select Overview > Users.
- For the user you want to ban, select the vertical ellipsis ({ellipsis_v}), then Ban user.
Unban a user
- Ability to filter a user by state introduced in GitLab 17.0.
A banned user can be unbanned using the Admin area. To do this:
- On the left sidebar, at the bottom, select Admin.
- Select Overview > Users.
- In the search box , filter by State=Banned and press Enter.
- For the user you want to unban, select the vertical ellipsis ({ellipsis_v}), then Unban user.
The user's state is set to active and they consume a seat.
Delete a user
Use the Admin area to delete users.
- On the left sidebar, at the bottom, select Admin.
- Select Overview > Users.
- For the user you want to delete, select the vertical ellipsis ({ellipsis_v}), then Delete user.
- Type the username.
- Select Delete user.
NOTE: You can only delete a user if there are inherited or direct owners of a group. You cannot delete a user if they are the only group owner.
You can also delete a user and their contributions, such as merge requests, issues, and groups of which they are the only group owner.
- On the left sidebar, at the bottom, select Admin.
- Select Overview > Users.
- For the user you want to delete, select the vertical ellipsis ({ellipsis_v}), then Delete user and contributions.
- Type the username.
- Select Delete user and contributions.
NOTE: Before 15.1, additionally groups of which deleted user were the only owner among direct members were deleted.
Trust and untrust users
- Introduced in GitLab 16.5.
- Ability to filter a user by state introduced in GitLab 17.0.
You can trust and untrust users from the Admin area.
By default, a user is not trusted and is blocked from creating issues, notes, and snippets considered to be spam. When you trust a user, they can create issues, notes, and snippets without being blocked.
Prerequisites:
- You must be an administrator.
::Tabs
:::TabTitle Trust a user
- On the left sidebar, at the bottom, select Admin.
- Select Overview > Users.
- Select a user.
- From the User administration dropdown list, select Trust user.
- On the confirmation dialog, select Trust user.
The user is trusted.
:::TabTitle Untrust a user
- On the left sidebar, at the bottom, select Admin.
- Select Overview > Users.
- In the search box, filter by State=Trusted and press Enter.
- Select a user.
- From the User administration dropdown list, select Untrust user.
- On the confirmation dialog, select Untrust user.
The user is untrusted.
::EndTabs
Troubleshooting
When moderating users, you may need to perform bulk actions on them based on certain conditions. The following rails console scripts show some examples of this. You may start a rails console session and use scripts similar to the following:
Deactivate users that have no recent activity
Administrators can deactivate users that have no recent activity.
WARNING: Commands that change data can cause damage if not run correctly or under the right conditions. Always run commands in a test environment first and have a backup instance ready to restore.
days_inactive = 90
inactive_users = User.active.where("last_activity_on <= ?", days_inactive.days.ago)
inactive_users.each do |user|
puts "user '#{user.username}': #{user.last_activity_on}"
user.deactivate!
end
Block users that have no recent activity
Administrators can block users that have no recent activity.
WARNING: Commands that change data can cause damage if not run correctly or under the right conditions. Always run commands in a test environment first and have a backup instance ready to restore.
days_inactive = 90
inactive_users = User.active.where("last_activity_on <= ?", days_inactive.days.ago)
inactive_users.each do |user|
puts "user '#{user.username}': #{user.last_activity_on}"
user.block!
end
Block or delete users that have no projects or groups
Administrators can block or delete users that have no projects or groups.
WARNING: Commands that change data can cause damage if not run correctly or under the right conditions. Always run commands in a test environment first and have a backup instance ready to restore.
users = User.where('id NOT IN (select distinct(user_id) from project_authorizations)')
# How many users are removed?
users.count
# If that count looks sane:
# You can either block the users:
users.each { |user| user.blocked? ? nil : user.block! }
# Or you can delete them:
# need 'current user' (your user) for auditing purposes
current_user = User.find_by(username: '<your username>')
users.each do |user|
DeleteUserWorker.perform_async(current_user.id, user.id)
end