Members' role quotas are not respected for projects
Control: Number of project members must respect a quota · Config key: numberOfProjectMembersMustRespectQuota
📋 What is this?
The number of members assigned to specific roles in a GitLab project does not respect the quotas defined in your Policy controls.
⚠️ Impact
Ignoring role quotas can lead to uncontrolled access to project resources, weakening security and governance policies. For example, if too many users are assigned as Owners or Maintainers, it increases the risk of unauthorized changes and security misconfigurations.
🔧 How to fix
Review and adjust the members' role assignments in the project so that they comply with the defined quotas. Ensure that only the members who actually need an elevated role (Owner or Maintainer) hold one; everyone else should be downgraded to Developer or lower.
```yaml
# GitLab project members — ❌ Too many Maintainers
# Settings > Members:
#
# alice → Owner
# bob   → Maintainer
# carol → Maintainer
# dave  → Maintainer
# eve   → Maintainer   ← 4 Maintainers (max allowed: 2)
#
# .plumber.yaml
# numberOfProjectMembersMustRespectQuota:
#   enabled: true
#   maxMaintainers: 2
```

```yaml
# GitLab project members — ✅ Quotas respected
# Settings > Members:
#
# alice → Owner
# bob   → Maintainer
# carol → Maintainer
# dave  → Developer    ← Downgraded to meet quota
# eve   → Developer    ← Downgraded to meet quota
#
# .plumber.yaml
controls:
  numberOfProjectMembersMustRespectQuota:
    enabled: true
    maxMaintainers: 2
```

💡 Tips
- Regularly audit project members and their roles using GitLab's member management page.
- Use GitLab groups to manage access at scale instead of adding individual project members.
- Follow the principle of least privilege: grant members the minimum role needed for their tasks.
⚙️ Configuration
This control is configured in .plumber.yaml under the key:

```yaml
controls:
  numberOfProjectMembersMustRespectQuota:
    enabled: true
```

See the CLI documentation for the full configuration reference.