Configure access to the GitLab Duo Agent Platform
- Tier: Free, Premium, Ultimate
- Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated
You can turn GitLab Duo on or off for a group, or restrict access to GitLab Duo and Agent Platform to specific groups only.
Give access to Agent Platform features
Prerequisites:
- The Owner role for the top-level group.
To give access to specific Agent Platform features for a top-level group:
In the top bar, select Search or go to and find your group.
Select Settings > GitLab Duo.
Select Change configuration.
Under Limit access based on group membership, select Add group.
From the dropdown list, select an existing subgroup.
When you add the first group, a default All eligible users rule is also added. You can use this rule to configure access for all other users. This rule is automatically deleted when it has no access to GitLab Duo or Agent Platform and all existing groups are removed.
Select the features that direct group members can access.
Select Save changes.
These settings apply to:
- Users who are direct members of one of the configured groups under Limit access based on group membership, and they are executing an AI action in a project or group within this top-level group.
- Users who have the top-level group as the default GitLab Duo namespace, and they are not a member of the top-level group where the AI action is taking place.
When you configure group-based access controls, you can select only groups that are direct subgroups of the top-level group. You cannot use nested subgroups in access control rules.
If groups are configured, users must be direct members of one of those groups to have access to GitLab Duo and Agent Platform features or you can use the All eligible users configuration. Access is additionally determined by other access methods.
Prerequisites:
- Administrator access.
To give access to specific Agent Platform features for an instance:
In the upper-right corner, select Admin.
In the left sidebar, select GitLab Duo.
Select Change configuration.
Under Limit access based on group membership, select Add group.
From the dropdown list, select an existing group.
When you add the first group, a default All eligible users rule is also added. You can use this rule to configure access for all other users. This rule is automatically deleted when it has no access to GitLab Duo or Agent Platform and all existing groups are removed.
Select the features that direct group members can access.
Select Save changes.
These settings apply to users who are direct members of one of the configured groups under Limit access based on group membership. The user can now access these features when they are turned on.
When you configure group-based access controls, you can select only top-level groups. You cannot use subgroups in access control rules.
If groups are configured, users must be direct members of one of those groups to have access to GitLab Duo and Agent Platform features or you can use the All eligible users configuration. Access is additionally determined by other access methods.
If you do not want to manually manage group membership, you can synchronize membership by using LDAP or SAML.
Group membership
When a user is assigned to more than one group, they access features from all assigned groups. For example:
- In group A, the user has access to GitLab Duo features only.
- In group B, the user has access to Agent Platform only.
In this example, the user has access to both GitLab Duo features and Agent Platform.
If All eligible users is configured:
- On GitLab.com: All members of the top-level group can access GitLab Duo and Agent Platform features.
- On GitLab Self-Managed: All users can access GitLab Duo and Agent Platform features.
Additional controls (such as disabling features for the top-level group or instance) still apply.
Synchronize group membership
If you use LDAP or SAML for authentication, you can synchronize group membership automatically:
- Configure your LDAP or SAML provider to include a group that represents Agent Platform users.
- In GitLab, ensure the group is linked to your LDAP or SAML provider.
- Group membership updates automatically when users are added or removed from the provider group.
For more information, see:
Using access control
You can use access control for phased rollouts or testing and validation.
Phased rollouts
To implement a phased rollout of GitLab Duo or Agent Platform:
- Create a group for pilot users (for example,
pilot-users). - Add a subset of users to this group.
- Add more users to the group gradually as you validate functionality and train users.
- Add all users to the group when you’re ready for a full rollout.
Testing and validation
To test GitLab Duo or Agent Platform capabilities in a controlled environment:
- Create a dedicated group for testing (for example,
agent-testers). - Create a test group or project.
- Add test users to the
agent-testersgroup. - Validate functionality and train users before a broader rollout.
Troubleshooting
User cannot access GitLab Duo or Agent Platform features
If a user cannot access GitLab Duo or Agent Platform features, it might be because GitLab Duo or Agent Platform is either:
- Not configured for the group the user is a direct member of.
- Configured, but either:
- The user is not a direct member of the group.
- The All eligible users rule is not configured accordingly.
To resolve this issue, either:
- Add the user to a configured group: Add the user as a direct member to one of the configured groups.
- Activate GitLab Duo or Agent Platform for the All eligible users rule, so that users who are not members of the group receive access to the features.
- Remove all group membership access rules.
GitLab Duo sidebar does not display for certain groups
In GitLab 18.8 and earlier, if you give a group access to Agent Platform but not to GitLab Duo, the GitLab Duo sidebar does not display for members of that group. As a workaround, ensure the group has access to both GitLab Duo and Agent Platform features.
To resolve this issue, upgrade to GitLab 18.9 or later.