Merge request requires approval from users without project access
Description
- Users without access to a project or merge request appear in the list of eligible approvers if they are direct members of an approver group.
- In some cases, the only listed eligible approver may not have access to the project, potentially blocking the merge.
Environment
This occurs in projects using a merge request approval policy.
Impacted offerings:
- GitLab.com
- GitLab Dedicated
- GitLab Self-Managed
Solution
This behavior is working as designed.
Workaround
To mitigate the issue:
- Ensure the approver group is in the same path as the project or explicitly share the project with the approver group.
- Review and adjust group memberships to align with project access requirements.
- Consider using custom security roles to manage approver access more granularly.
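To support the membership review above, the following added example (not GitLab's own code) compares each approver group's direct members with the project's effective members and flags rules that cannot be satisfied. The rule names, group IDs, users and data shapes are constructed, and the Developer threshold (access level 30) is an assumption taken from the related link on group roles.

```python
"""Flag approver-group members who lack the required project access."""

DEVELOPER = 30  # GitLab access level for the Developer role


def audit_rule(rule, group_direct_members, project_members, min_access=DEVELOPER):
    """Split one rule's eligible approvers into usable and unusable ones.

    rule: {"name", "approvals_required", "group_ids"} (hypothetical shape)
    group_direct_members: {group_id: [{"id", "username"}, ...]}
    project_members: [{"id", "username", "access_level"}, ...], including
        inherited members and members of groups the project is shared with.
    """
    access = {m["id"]: m["access_level"] for m in project_members}
    usable, unusable = {}, {}
    for gid in rule["group_ids"]:
        for member in group_direct_members.get(gid, []):
            # Users absent from the project count as access level 0.
            ok = access.get(member["id"], 0) >= min_access
            (usable if ok else unusable)[member["id"]] = member["username"]
    return {
        "rule": rule["name"],
        "usable": sorted(usable.values()),
        "below_min_access": sorted(unusable.values()),
        # Blocked: fewer usable approvers than approvals required.
        "blocked": len(usable) < rule["approvals_required"],
    }


# Constructed sample data, not taken from a real instance.
GROUP_MEMBERS = {
    101: [{"id": 1, "username": "alice"}, {"id": 2, "username": "bob"}],
    102: [{"id": 3, "username": "carol"}],
}
PROJECT_MEMBERS = [
    {"id": 1, "username": "alice", "access_level": 40},
    {"id": 4, "username": "dave", "access_level": 30},
]
RULES = [
    {"name": "security-review", "approvals_required": 1, "group_ids": [101]},
    {"name": "compliance-review", "approvals_required": 1, "group_ids": [102]},
]


def audit(rules=RULES):
    return [audit_rule(r, GROUP_MEMBERS, PROJECT_MEMBERS) for r in rules]


if __name__ == "__main__":
    for finding in audit():
        print(finding)
```
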
Cause
GitLab's current implementation adds all direct members of an approver group as eligible approvers, regardless of their project access. This behavior is documented but can lead to confusion in certain organizational structures.
Related Links
- Merge request approvals documentation
- Custom roles
- Groups need explicit or inherited Developer role on a project