Merge branch 'docs/visibility-and-access-controls-port-from-ce' into 'master'

Update Admin Area's "Visibility and access controls" settings docs Closes #32109 See merge request gitlab-org/gitlab!16873

Merge branch 'docs/visibility-and-access-controls-port-from-ce' into 'master'
Update Admin Area's "Visibility and access controls" settings docs Closes #32109 See merge request gitlab-org/gitlab!16873
dd63fda6 · Evan Read · 2c829f94 · 186ca9c3 · 2c829f94 · dd63fda6
Commit dd63fda6 authored Sep 29, 2019 by Evan Read
7 changed files
--- a/doc/public_access/img/restrict_visibility_levels.png
+++ b/doc/public_access/img/restrict_visibility_levels.png
--- a/doc/public_access/public_access.md
+++ b/doc/public_access/public_access.md
@@ -4,7 +4,7 @@ type: reference

 # Public access

-GitLab allows [Owners](../user/permissions.md) to set a projects' visibility as **public**, **internal**
+GitLab allows [Owners](../user/permissions.md) to set a project's visibility as **public**, **internal**,
 or **private**. These visibility levels affect who can see the project in the
 public access directory (`/public` under your GitLab instance), like at <https://gitlab.com/public>

@@ -12,7 +12,7 @@ public access directory (`/public` under your GitLab instance), like at <https:/

 ### Public projects

-Public projects can be cloned **without any** authentication over https.
+Public projects can be cloned **without any** authentication over HTTPS.

 They will be listed in the public access directory (`/public`) for all users.

@@ -43,8 +43,8 @@ They will appear in the public access directory (`/public`) for project members

 ### How to change project visibility

-1. Go to your project's **Settings**
-1. Change "Visibility Level" to either Public, Internal or Private
+1. Go to your project's **Settings**.
+1. Change **Visibility Level** to either Public, Internal, or Private.

 ## Visibility of groups

@@ -71,15 +71,12 @@ If the public level is restricted, user profiles are only visible to logged in u

 ## Restricting the use of public or internal projects

-In the Admin area under **Settings** (`/admin/application_settings`), you can
-restrict the use of visibility levels for users when they create a project or a
-snippet:
-
-![Restrict visibility levels](img/restrict_visibility_levels.png)
-
-This is useful to prevent people exposing their repositories to public
+You can restrict the use of visibility levels for users when they create a project or a
+snippet. This is useful to prevent users from publicly exposing their repositories
 by accident. The restricted visibility settings do not apply to admin users.

+For details, see [Restricted visibility levels](../user/admin_area/settings/visibility_and_access_controls.md#restricted-visibility-levels).
+
 <!-- ## Troubleshooting

 Include any troubleshooting steps that you can foresee. If you know beforehand what issues

--- a/doc/user/admin_area/settings/img/access_restrictions.png
+++ b/doc/user/admin_area/settings/img/access_restrictions.png
--- a/doc/user/admin_area/settings/img/import_sources.png
+++ b/doc/user/admin_area/settings/img/import_sources.png
--- a/doc/user/admin_area/settings/visibility_and_access_controls.md
+++ b/doc/user/admin_area/settings/visibility_and_access_controls.md
@@ -4,15 +4,7 @@ type: reference

 # Visibility and access controls **(CORE ONLY)**

-GitLab allows administrators to:
-
- Control access and visibility to GitLab resources including branches and projects.
- Select from which hosting sites code can be imported into GitLab.
- Select the protocols permitted to access GitLab.
- Enable or disable repository mirroring.
- Prevent non-administrators from deleting projects
-  ([introduced](https://gitlab.com/gitlab-org/gitlab/issues/5615) in GitLab 12.0).
-  **(PREMIUM ONLY)**
+GitLab allows administrators to enforce specific controls.

 To access the visibility and access control options:

@@ -20,29 +12,111 @@ To access the visibility and access control options:
 1. Go to **Admin Area > Settings > General**.
 1. Expand the **Visibility and access controls** section.

+## Default branch protection
+
+Branch protection specifies which roles can push to branches and which roles can delete
+branches.
+
+To change the default branch protection:
+
+1. Select the desired option.
+1. Click **Save changes**.
+
+For more details, see [Protected branches](../../project/protected_branches.md).
+
+## Default project creation protection
+
+Project creation protection specifies which roles can create projects.
+
+To change the default project creation protection:
+
+1. Select the desired option.
+1. Click **Save changes**.
+
+For more details, see [Default project-creation level](../../group/index.md#default-project-creation-level).
+
+## Default project deletion protection
+
+By default, a project can be deleted by anyone with the **Owner** role, either at the project or
+group level.
+
+To ensure only admin users can delete projects:
+
+1. Check the **Default project deletion protection** checkbox.
+1. Click **Save changes**.
+
+## Default project visibility
+
+To set the default visibility levels for new projects:
+
+1. Select the desired default project visibility.
+1. Click **Save changes**.
+
+For more details on project visibility, see [Public access](../../../public_access/public_access.md).
+
+## Default snippet visibility
+
+To set the default visibility levels for new snippets:
+
+1. Select the desired default snippet visibility.
+1. Click **Save changes**.
+
+For more details on snippet visibility, see [Public access](../../../public_access/public_access.md).
+
+## Default group visibility
+
+To set the default visibility levels for new groups:
+
+1. Select the desired default group visibility.
+1. Click **Save changes**.
+
+For more details on group visibility, see [Public access](../../../public_access/public_access.md).
+
+## Restricted visibility levels
+
+To set the available visibility levels for new projects and snippets:
+
+1. Check the desired visibility levels.
+1. Click **Save changes**.
+
+For more details on project visibility, see [Public access](../../../public_access/public_access.md).
+
 ## Import sources

-Choose from which hosting sites users can
-[import their projects](../../project/import/index.md).
+To specify from which hosting sites users can [import their projects](../../project/import/index.md):
+
+1. Check the checkbox beside the name of each hosting site.
+1. Click **Save changes**.

-![import sources](img/import_sources.png)
+## Project export
+
+To enable project export:
+
+1. Check the **Project export enabled** checkbox.
+1. Click **Save changes**.
+
+For more details, see [Exporting a project and its data](../../../user/project/settings/import_export.md#exporting-a-project-and-its-data).

 ## Enabled Git access protocols

-> [Introduced][ce-4696] in GitLab 8.10.
+> [Introduced](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/4696) in GitLab 8.10.

 With GitLab's access restrictions, you can select with which protocols users can communicate with
 GitLab.

-From the **Enabled Git access protocols** dropdown, select one of the following:
+Disabling an access protocol does not block access to the server itself via those ports. The ports
+used for the protocol, SSH or HTTP, will still be accessible. The GitLab restrictions apply at the
+application level.

- Both SSH and HTTP(S)
- Only SSH
- Only HTTP(s)
+To specify the enabled Git access protocols:

-![Settings Overview](img/access_restrictions.png)
+1. Select the desired Git access protocols from the dropdown:
+   - Both SSH and HTTP(S)
+   - Only SSH
+   - Only HTTP(S)
+1. Click **Save changes**.

-When both SSH and HTTP(S) are enabled, your users can choose either protocol.
+When both SSH and HTTP(S) are enabled, users can choose either protocol.

 When only one protocol is enabled:

@@ -57,18 +131,24 @@ On top of these UI restrictions, GitLab will deny all Git actions on the protoco
 not selected.

 CAUTION: **Important:**
-Starting with [GitLab 10.7][ce-18021], HTTP(s) protocol will be allowed for
-Git clone/fetch requests done by GitLab Runner from CI/CD Jobs, even if
-_Only SSH_ was selected.
+Starting with [GitLab 10.7](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/18021),
+HTTP(S) protocol will be allowed for Git clone or fetch requests done by GitLab Runner
+from CI/CD jobs, even if _Only SSH_ was selected.

-> **Note:** Please keep in mind that disabling an access protocol does not actually
-block access to the server itself. The ports used for the protocol, be it SSH or
-HTTP, will still be accessible. What GitLab does is restrict access on the
-application level.
+## RSA, DSA, ECDSA, ED25519 SSH keys
+
+These options specify the permitted types and lengths for SSH keys.
+
+To specify a restriction for each key type:
+
+1. Select the desired option from the dropdown.
+1. Click **Save changes**.
+
+For more details, see [SSH key restrictions](../../../security/ssh_keys_restrictions.md).

 ## Allow mirrors to be set up for projects

-> [Introduced][ee-3586] in GitLab 10.3.
+> [Introduced](https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/3586) in GitLab 10.3.

 This option is enabled by default. By disabling it, both pull and push mirroring will no longer
 work in every repository and can only be re-enabled by an admin on a per-project basis.
@@ -86,7 +166,3 @@ questions that you know someone might ask.
 Each scenario can be a third-level heading, e.g. `### Getting error message X`.
 If you have none to add when creating a doc, leave this section in place
 but commented out to help encourage others to add to it in the future. -->
-
-[ce-4696]: https://gitlab.com/gitlab-org/gitlab-foss/merge_requests/4696
-[ce-18021]: https://gitlab.com/gitlab-org/gitlab-foss/merge_requests/18021
-[ee-3586]: https://gitlab.com/gitlab-org/gitlab/merge_requests/3586
--- a/doc/user/group/index.md
+++ b/doc/user/group/index.md
@@ -182,14 +182,17 @@ There are two different ways to add a new project to a group:
 > Brought to [GitLab Starter][ee] in 10.7.
 > [Moved](https://gitlab.com/gitlab-org/gitlab-foss/merge_requests/25975) to [GitLab Core](https://about.gitlab.com/pricing/) in 11.10.

-Group owners and administrators can allow users with the
-Developer role to create projects under groups.
+By default, [Developers and Maintainers](../permissions.md#group-members-permissions) can create projects under a group.

-By default, [Developers and Maintainers](../permissions.md#group-members-permissions) can create projects under a group. You can change this setting for a specific group within the group settings, or
-you can set this option globally in the Admin area
-at **Settings > General > Visibility and access controls** (you must be a GitLab administrator).
+To change this setting for a specific group:

-Available settings are `No one`, `Maintainers`, or `Developers + Maintainers`.
+1. Go to the group's page.
+1. Go to **Settings > General**.
+1. Expand the **Permissions, LFS, 2FA** section.
+1. Select the desired option in the **Allowed to create projects** dropdown list.
+1. Click **Save changes**.
+
+To change this setting globally, see [Default project creation protection](../admin_area/settings/visibility_and_access_controls.md#default-project-creation-protection).

 ## Transfer projects into groups


--- a/doc/user/project/protected_branches.md
+++ b/doc/user/project/protected_branches.md
@@ -23,6 +23,8 @@ A GitLab admin is allowed to push to the protected branches.

 See the [Changelog](#changelog) section for changes over time.

+The default branch protection level is set in the [Admin Area](../admin_area/settings/visibility_and_access_controls.md#default-branch-protection).
+
 ## Configuring protected branches

 To protect a branch, you need to have at least Maintainer permission level. Note