Grant internal status to single users

Hi,

We would like to set up a GitLab installation where the majority of users can see each other's repositories (as if they were internal), but some other users (think of them as guests) are only able to see the repositories they have been granted membership on.

Is this possible?

Yes, this is very possible. Have a look at the permissions part of the documentation.

I don’t see how this can be achieved with the default sets of permissions, but maybe I overlooked them.

Here is a more concrete example.

Assume 10 users: user1, …, user10
And two guest users: guest1, guest2

Every user has some repositories (let’s say 3):
user1/repoA, user1/repoB, user1/repoC
user2/repoA, …

I would like user1-10 to have read access to all repositories. If I got it right, one possibility is to set the repositories as internal.

Additionally, guest1 and guest2 shouldn’t see all the repos, but only the ones they have been explicitly added to.
For example guest1 is a Developer in guest5/repoA and guest2 is Developer in guest3/repoC.

If I make the repositories internal, I think that guest1 and guest2 will also see all the repositories of all users, right?

You cannot do this with internal repositories. But you can do it by creating a group that contains all your company users and inviting that group to all repos. Inviting a group to a repo is an EE feature.

Thanks, I didn’t know of this EE feature.
But I think that this wouldn’t be optimal either, because the owner of the project has to invite the group. The internal status we can automatically enforce in the admin interface.

For the moment we are trying to achieve something like what I described in http://forum.gitlab.com/t/serve-repositories-via-git-http-backend, but even that way seems to have problems.

Maybe an “exclude from internal repos” flag for users is something we can consider for the enterprise edition.

This is good news.

Do you have an idea of how much effort it would be to add this feature ourselves (in the community edition)?
I think it could be a property like “can create group” and “is admin”, but then it must be checked when permissions are checked. Is it just a single file to be modified, or might it be something that propagates a lot?