@@ -6,7 +6,8 @@ info: To determine the technical writer assigned to the Stage/Group associated w
# Audit Events **(PREMIUM)**
GitLab offers a way to view the changes made within the GitLab server for owners and administrators on a [paid plan](https://about.gitlab.com/pricing/).
GitLab offers a way to view the changes made within the GitLab server for owners and administrators
on a [paid plan](https://about.gitlab.com/pricing/).
GitLab system administrators can also take advantage of the logs located on the
file system. See [the logs system documentation](logs.md#audit_jsonlog) for more details.
...
...
@@ -56,7 +57,11 @@ A user with:
Group events do not include project audit events.
To view a group's audit events, navigate to **Group > Security & Compliance > Audit Events**.
To view a group's audit events:
1. Go to the group.
1. On the left sidebar, select **Security & Compliance > Audit Events**.
From there, you can see the following actions:
- Group name or path changed.
...
...
@@ -86,7 +91,11 @@ Group events can also be accessed via the [Group Audit Events API](../api/audit_
A user with a Maintainer role (or above) can retrieve project audit events of all users.
A user with a Developer role is limited to project audit events based on their individual actions.
To view a project's audit events, navigate to **Project > Security & Compliance > Audit Events**.
To view a project's audit events:
1. Go to the project.
1. On the left sidebar, select **Security & Compliance > Audit Events**.
From there, you can see the following actions:
- Added or removed deploy keys
...
...
@@ -126,7 +135,10 @@ changed what and when for audit purposes.
Instance events do not include group or project audit events.
To view the server-wide administrator log, visit **Admin Area > Monitoring > Audit Events**.
To view the server-wide audit events:
1. On the top bar, select **Menu >****{admin}****Admin**.
1. On the left sidebar, select **Monitoring > Audit Events**.
The following user actions are recorded:
...
...
@@ -187,7 +199,7 @@ It may make the user interface for your project or audit events very busy, and t
`audit_events` PostgreSQL table may increase considerably. It's disabled by default
to prevent performance degradations on GitLab instances with very high Git write traffic.
In an upcoming release, Audit Events for Git push events will be enabled
In an upcoming release, Audit Events for Git push events are planned to be enabled
by default. Follow our [Partitioning strategy for Audit Events epic](https://gitlab.com/groups/gitlab-org/-/epics/3206) for updates.
If you still wish to enable **Repository push** events in your instance, follow
...
...
@@ -229,11 +241,12 @@ Export to CSV allows customers to export the current filter view of your audit e
CSV file, which stores tabular data in plain text. The data provides a comprehensive view with respect to
audit events.
To export the Audit Events to CSV, navigate to
**{monitor}****Admin Area > Monitoring > Audit Events**
To export the Audit Events to CSV:
1. On the top bar, select **Menu >****{admin}****Admin**.
1. On the left sidebar, select **Monitoring > Audit Events**.
1. Select the available search [filters](#search).
If a restriction is imposed on any key type, users cannot upload new SSH keys that don't meet the requirement. Any existing keys that don't meet it are disabled but not removed and users cannot to pull or push code using them.
If a restriction is imposed on any key type, users cannot upload new SSH keys that don't meet the
requirement. Any existing keys that don't meet it are disabled but not removed and users cannot to
pull or push code using them.
An icon is visible to the user of a restricted key in the SSH keys section of their profile:
@@ -9,7 +9,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w
Two-factor Authentication (2FA) provides an additional level of security to your
users' GitLab account. After being enabled, in addition to supplying their
username and password to sign in, they'll be prompted for a code generated by an
username and password to sign in, they are prompted for a code generated by an
application on their phone.
You can read more about it here:
...
...
@@ -28,8 +28,8 @@ cannot leave the 2FA configuration area at `/-/profile/two_factor_auth`.
To enable 2FA for all users:
1.Navigate to **Admin Area > Settings > General**
(`/admin/application_settings/general`).
1.On the top bar, select **Menu >****{admin}****Admin**.
1. On the left sidebar, select **Settings > General** (`/admin/application_settings/general`).
1. Expand the **Sign-in restrictions** section, where you can configure both.
If you want 2FA enforcement to take effect during the next sign-in attempt,
...
...
@@ -39,13 +39,13 @@ change the grace period to `0`.
> [Introduced in](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/24965) GitLab 12.0, 2FA settings for a group are also applied to subgroups.
If you want to enforce 2FA only for certain groups, you can:
If you want to enforce 2FA only for certain groups:
1.Enable it in the group's **Settings > General** page. Navigate to
**Permissions, LFS, 2FA > Two-factor authentication**. You can then select
the **Require all users in this group to setup Two-factor authentication**
option.
1.You can also specify a grace period in the **Time before enforced** option.
1.Go to the group's **Settings > General** page.
1. Expand the **Permissions, LFS, 2FA** section.
1. Select the **Require all users in this group to setup two-factor authentication** option.
You can also specify a grace period in the **Time before enforced** option.
To change this setting, you need to be administrator or owner of the group.
...
...
@@ -67,8 +67,12 @@ The following are important notes about 2FA:
2FA enabled, 2FA is **not** required for those individually added members.
- If there are multiple 2FA requirements (for example, group + all users, or multiple
groups) the shortest grace period is used.
- It is possible to disallow subgroups from setting up their own 2FA requirements.
Navigate to the top-level group's **Settings > General > Permissions, LFS, 2FA > Two-factor authentication** and uncheck the **Allow subgroups to set up their own two-factor authentication rule** field. This action causes all subgroups with 2FA requirements to stop requiring that from their members.
- It is possible to disallow subgroups from setting up their own 2FA requirements:
1. Go to the top-level group's **Settings > General**.
1. Expand the **Permissions, LFS, 2FA** section.
1. Uncheck the **Allow subgroups to set up their own two-factor authentication rule** field.
This action causes all subgroups with 2FA requirements to stop requiring that from their members.
## Disabling 2FA for everyone
...
...
@@ -93,18 +97,6 @@ WARNING:
This is a permanent and irreversible action. Users have to
reactivate 2FA from scratch if they want to use it again.
<!-- ## Troubleshooting
Include any troubleshooting steps that you can foresee. If you know beforehand what issues
one might have when setting this up, or when something is changed, or on upgrading, it's
important to describe those, too. Think of things that may go wrong and include them here.
This is important to minimize requests for support, and to avoid doc comments with
questions that you know someone might ask.
Each scenario can be a third-level heading, e.g. `### Getting error message X`.
If you have none to add when creating a doc, leave this section in place
but commented out to help encourage others to add to it in the future. -->
## Two-factor Authentication (2FA) for Git over SSH operations **(PREMIUM)**
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/270554) in GitLab 13.7.
...
...
@@ -157,3 +149,15 @@ The feature flag affects these features:
-[Two-factor Authentication (2FA) for Git over SSH operations](#two-factor-authentication-2fa-for-git-over-ssh-operations).
-[Customize session duration for Git Operations when 2FA is enabled](../user/admin_area/settings/account_and_limit_settings.md#customize-session-duration-for-git-operations-when-2fa-is-enabled).
<!-- ## Troubleshooting
Include any troubleshooting steps that you can foresee. If you know beforehand what issues
one might have when setting this up, or when something is changed, or on upgrading, it's
important to describe those, too. Think of things that may go wrong and include them here.
This is important to minimize requests for support, and to avoid doc comments with
questions that you know someone might ask.
Each scenario can be a third-level heading, e.g. `### Getting error message X`.
If you have none to add when creating a doc, leave this section in place
but commented out to help encourage others to add to it in the future. -->
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/20912) in GitLab 12.6.
GitLab administrators are responsible for the overall security of their instance. To assist, GitLab provides a Credentials inventory to keep track of all the credentials that can be used to access their self-managed instance.
GitLab administrators are responsible for the overall security of their instance. To assist, GitLab
provides a Credentials inventory to keep track of all the credentials that can be used to access
their self-managed instance.
Using Credentials inventory, you can see all the personal access tokens (PAT), SSH keys, and GPG keys
that exist in your GitLab instance. In addition, you can [revoke](#revoke-a-users-personal-access-token)
...
...
@@ -21,7 +23,10 @@ and [delete](#delete-a-users-ssh-key) and see:
- When they expire. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/214809) in GitLab 13.2.
- When they were revoked. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/214809) in GitLab 13.2.
To access the Credentials inventory, navigate to **Admin Area > Credentials**.
To access the Credentials inventory:
1. On the top bar, select **Menu >****{admin}****Admin**.
1. On the left sidebar, select **Credentials**.
The following is an example of the Credentials inventory page:
If you have [sign-up enabled](../../admin_area/settings/sign_up_restrictions.md), users can create their own accounts by selecting "Register now" on the sign-in page, or navigate to `https://gitlab.example.com/users/sign_up`.
If you have [sign-up enabled](../../admin_area/settings/sign_up_restrictions.md), users can create
their own accounts by either:
- Selecting the **Register now** link on the sign-in page.
- Navigating to `https://gitlab.example.com/users/sign_up`.
![Register Tab](img/register_v13_6.png)
## Create users in Admin Area
As an admin user, you can manually create users by:
As an Admin user, you can manually create users:
1. Navigating to **Admin Area > Overview > Users** (`/admin/users` page).
1. Selecting the **New User** button.
1. On the top bar, select **Menu >****{admin}****Admin**.
1. On the left sidebar, select **Overview > Users** (`/admin/users`).
1. Select **New user**.
You can also [create users through the API](../../../api/users.md) as an admin.
...
...
@@ -33,9 +38,11 @@ You can also [create users through the API](../../../api/users.md) as an admin.
## Create users through authentication integrations
Users will be:
Users are:
- Automatically created upon first sign in with the [LDAP integration](../../../administration/auth/ldap/index.md).
- Created when first signing in via an [OmniAuth provider](../../../integration/omniauth.md) if the `allow_single_sign_on` setting is present.
- Created when first signing with [Group SAML](../../group/saml_sso/index.md)
- Automatically created by [SCIM](../../group/saml_sso/scim_setup.md) when the user is created in the identity provider.
- Created when first signing in using an [OmniAuth provider](../../../integration/omniauth.md) if
the `allow_single_sign_on` setting is present.
- Created when first signing with [Group SAML](../../group/saml_sso/index.md).
- Automatically created by [SCIM](../../group/saml_sso/scim_setup.md) when the user is created in