- Source: GL_InstanceRole (Unauthenticated)
- Destination: GL_Instance
| Property | Type | Description |
|---|---|---|
| require_admin_approval | bool | Whether newly registered accounts require admin approval before activation |
The non-traversable GL_CanSignUp edge is present when open self-registration is enabled on the GitLab instance (signup_enabled=true). The source is the Unauthenticated instance role — meaning anyone without an account can create one.
The require_admin_approval property modulates the risk: when false, new accounts are immediately active and receive Member-level access; when true, accounts are created in a pending state and must be approved by an administrator before activation, limiting the immediate attack surface.
The absence of this edge indicates that registration is disabled and accounts must be created by administrators, significantly reducing the instance's self-registration attack surface.
graph LR
unauth("fa:fa-user-tie GL_InstanceRole Unauthenticated")
instance("fa:fa-building GL_Instance gitlab.corp.com")
unauth -.->|"GL_CanSignUp (require_admin_approval: false)"| instance