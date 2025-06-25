Version: 18.x (unreleased)

Discover GitLab Access Patterns with Teleport Identity Security

Gain insights into access patterns within your GitLab account using Identity Security with Access Graph. By scanning all permissions, users, groups, and projects, it provides a visual representation to help enhance the permission model within your GitLab environment. This functionality enables you to answer queries such as:

What projects are accessible to users?

Which users have write permissions to projects?

Access Graph is a feature of the Teleport Identity Security product available to Teleport Enterprise edition customers.

To verify that Access Graph is set up correctly for your cluster, sign in to the Teleport Web UI, click the Policy sidebar button, and then the Browse menu item. Identities, resources, etc. should be listed.

Access Graph synchronizes various GitLab resources, including users, projects and groups. These resources are then visualized using the graph representation detailed in the Access Graph page.

The importing process involves two primary steps:

The Teleport cluster continuously scans the configured GitLab accounts and retrieves the following resources:

Users

Groups

Projects

Group memberships

Project memberships

Once all the necessary resources are fetched, Teleport pushes them to the Access Graph, ensuring that it remains updated with the latest information from your GitLab instance.

Identity Security’s Access Graph feature delves into the resources imported and their relationships, crafting a graphical representation thereof.

A running Teleport Enterprise cluster v14.3.20/v15.3.1/v16.0.0 or later.

Identity Security enabled for your account.

A GitLab instance running GitLab v9.0 or later.

For self-hosted clusters: Ensure that an up-to-date license.pem is used in the Auth Service configuration. A running Access Graph node v1.21.4 or later. Check the Identity Security page for details on how to set up Access Graph. The node running the Access Graph service must be reachable from the Teleport Auth Service.



To set up the GitLab integration, you'll need to create a GitLab token with the following permissions:

read_api

Navigate to your GitLab instance, access the User Settings, and select the Access Tokens option. Create a new token with the read_api scope and copy the generated token. For more information, refer to the GitLab documentation.

The importer will use this token to fetch the necessary resources from your GitLab instance.

warning The GitLab importer will only fetch resources that the token has access to. Ensure that the user associated with the token has the necessary permissions to access/view the resources you want to import. If you're using a GitLab.com account, the importer will only fetch the users who are part of the organization or have access to the projects that the token can access. If you're using a self-hosted GitLab instance, the importer will fetch all resources that the token has access to, including all users who are part of the instance.

The token will be used in the next step to configure the GitLab Sync integration.

To initiate the setup wizard for configuring Gitlab Sync, access the Teleport UI, click the Policy sidebar button, and then click Integrations.

Click the "Setup new integration" button, and then select "Gitlab". You'll be prompted to create a new Teleport Gitlab integration if you haven't configured one already. Alternatively, you can opt for a previously established integration.

You'll be prompted to provide the GitLab token created in Step 1 and the GitLab instance domain. Once the token is successfully validated, you'll be able to see the resources imported in Access Graph.

After the GitLab resources are imported, you can view them in the Access Graph page. The graph representation will show the relationships between users, groups, and projects within your GitLab instance.

Users can have permissions to access a Group or Project. When a user has access to a Group, they inherit permissions to all projects and sub-projects within that group.

You can view the permissions granted to users, groups, and projects by clicking on the respective nodes in the graph.

For example, to view the permissions granted to a user, click on the user node and select View Access from the context menu. This will display the permissions granted to the user and the resources they have access to.

You can also run queries to fetch specific information from the Access Graph, such as:

The following query fetches all projects accessible to a user user :

SELECT * FROM access_path WHERE "identity" = ' user ' AND source = 'Gitlab'

Additionally, you filter projects by the user's access level, owner , maintainer , developer , guest , or reporter by running the following query:

SELECT * FROM access_path WHERE "identity" = ' user ' AND source = 'Gitlab' AND action = 'owner'

Change the action parameter to maintainer , developer , guest , or reporter to fetch the respective projects.

The following query fetches all users with read/write access to a project named project :

SELECT * FROM access_path WHERE "resource" = ' project ' AND source = 'Gitlab'

After setting up the GitLab integration, you can monitor the import process status on the Access Graph's Integrations page. If the import fails, an error message will help identify the issue.

You can also check whether the import process is currently running or has completed successfully by viewing the status.

If you encounter any Unauthorized errors, ensure that the GitLab token has the necessary permissions to access the resources and that the token is valid. If the token has expired, you'll need to create a new token and update the integration settings.

If you encounter any other issues, please ensure that the Teleport cluster can reach the GitLab instance and that the GitLab APIs are accessible.

If you're still facing issues, please inspect the error log on the Access Graph's Integrations page for more details.