Members' role quotas are not respected for groups
Control: Number of group members must respect a quota · Config key: numberOfGroupMembersMustRespectQuota
📋 What is this?
The number of members assigned to specific roles in a GitLab group does not respect the quotas defined in your Policy controls.
⚠️ Impact
Ignoring role quotas can lead to uncontrolled access to project resources, weakening security and governance policies. For example, if too many users are assigned as Owners or Maintainers, it increases the risk of unauthorized changes and security misconfigurations.
🔧 How to fix
Review and adjust the members' role assignments in the group to comply with the defined quotas. Ensure that only the members who need elevated privileges hold them.

```yaml
# GitLab group members — ❌ Too many Owners
# Group > Members:
#
# alice → Owner
# bob   → Owner
# carol → Owner
# dave  → Owner          ← 4 Owners (max allowed: 2)
#
# .plumber.yaml
# numberOfGroupMembersMustRespectQuota:
#   enabled: true
#   maxOwners: 2
```

```yaml
# GitLab group members — ✅ Quotas respected
# Group > Members:
#
# alice → Owner
# bob   → Owner
# carol → Maintainer     ← Downgraded to meet quota
# dave  → Maintainer     ← Downgraded to meet quota
#
# .plumber.yaml
controls:
  numberOfGroupMembersMustRespectQuota:
    enabled: true
    maxOwners: 2
```

💡 Tips
- Group owners inherit owner access to all projects in the group — limit this role to trusted admins.
- Use subgroups to apply different access policies to different teams.
- Regularly review group membership when team members change roles or leave the organization.
⚙️ Configuration
This control is configured in .plumber.yaml under the key:
```yaml
controls:
  numberOfGroupMembersMustRespectQuota:
    enabled: true
```

See the CLI documentation for the full configuration reference.
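One way to evaluate this control against a group's member list, as an added illustration rather than plumber's own code: the member records are constructed in the shape of the GitLab members API response (`access_level` integers), the config is the parsed form of the `.plumber.yaml` snippet above, and quota keys other than `maxOwners` (for example `maxMaintainers`) are an assumed generalisation.

```python
from collections import Counter

# GitLab access levels as documented for the members API.
ACCESS_LEVELS = {10: "Guest", 20: "Reporter", 30: "Developer",
                 40: "Maintainer", 50: "Owner"}

# Constructed sample mirroring GET /groups/:id/members, reduced to the fields
# the check needs: the "Too many Owners" case from this page.
SAMPLE_MEMBERS = [
    {"username": "alice", "access_level": 50},
    {"username": "bob", "access_level": 50},
    {"username": "carol", "access_level": 50},
    {"username": "dave", "access_level": 50},
]

# Parsed form of the page's .plumber.yaml snippet.
SAMPLE_CONFIG = {"controls": {"numberOfGroupMembersMustRespectQuota": {
    "enabled": True, "maxOwners": 2}}}


def role_counts(members):
    """Count members per role name, e.g. Counter({"Owner": 4})."""
    return Counter(ACCESS_LEVELS.get(m["access_level"], "Unknown")
                   for m in members)


def check_member_quotas(members, config):
    """Return violation messages; an empty list means the control passes.

    Every key of the form max<Roles> is treated as a quota (maxOwners is the
    only one on the page; the rest is an assumed generalisation).
    """
    control = (config.get("controls", {})
                     .get("numberOfGroupMembersMustRespectQuota", {}))
    if not control.get("enabled", False):
        return []  # control disabled: nothing to enforce
    counts = role_counts(members)
    violations = []
    for key, limit in control.items():
        if not key.startswith("max"):
            continue
        role = key[3:].rstrip("s")  # maxOwners -> Owner
        actual = counts.get(role, 0)
        if actual > limit:
            holders = [m["username"] for m in members
                       if ACCESS_LEVELS.get(m["access_level"]) == role]
            violations.append(f"{role}: {actual} members exceed quota of "
                              f"{limit}: {', '.join(holders)}")
    return violations
```

To include members inherited from parent groups, query the `/members/all` endpoint instead, since inherited Owners count toward effective access just as direct ones do.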