DoIT Shared Tools - GitLab User Attestation Process (Access Review) for Group Owners

Account or access reviews ensure that access to information, data, and resources is limited to authorized users. The Shared Tools team deactivates inactive users; group owners perform the access reviews themselves (adding and removing users from groups).

What does the Shared Tools team do?

If users do not log into GitLab every 6 months, the Shared Tools team will deactivate/disable their account. If a deactivated user logs in, their account will automatically be reactivated. 

GitLab Group Owners are Responsible for User Attestation

Group owners should review all users with access to their groups and projects:

  • Quarterly
  • After staffing changes
  • When vendor contracts end

During an access review:

If you need more guidance, contact the Shared Tools team

Other Recommendations

  • Develop a procedure that identifies users that will need access to the system and when a user should be removed.
  • For guest users or users with a GitLab password, ensure password parameters meet campus policy UW-514.
  • Assign a different password for user and administrative accounts.
  • Ensure passwords are not the same as the NetID password.
  • Change passwords immediately if a compromise is suspected.

Attestation Roles & Process

Overview of Users and Their Responsibilities

GitLab User
  Description of role: Any eligible user of GitLab.
  Permissions overview: Can create personal projects. When granted access, GitLab users can create projects and content in group spaces.
  Responsible for: Leaving groups and projects they are no longer a part of. As needed, transferring ownership of projects and groups.

GitLab Group Owner
  Description of role: An approved GitLab group owner. They are responsible for delegated administration.
  Permissions overview: Can create sub-groups and projects, and manage users.
  Responsible for: Aligning with known best practices, performing user management and access reviews (adding and removing users).

Shared Tools Service Team
  Description of role: Service fulfillment and limited user support.
  Permissions overview: Administrators of the platform.
  Responsible for: Managing authentication and deactivating inactive users.