docs: gitlab: add note about more restrictive API scope

If `allowed_groups` is not used with GitLab authentication, the *read_user* scope can be used instead of *api*.

docs: gitlab: add note about more restrictive API scope
If `allowed_groups` is not used with GitLab authentication, the *read_user* scope can be used instead of *api*.
5a91e670 · Benoît Knecht · ce804e99 · 5a91e670
Commit 5a91e670 authored Aug 14, 2018 by Benoît Knecht
Show whitespace changes
Inline Side-by-side

Showing with 6 additions and 2 deletions

docs/sources/installation/configuration.md
+6 -2

No files found.
--- a/docs/sources/installation/configuration.md
+++ b/docs/sources/installation/configuration.md
@@ -448,8 +448,12 @@ instance, if you access Grafana at `http://203.0.113.31:3000`, you should use
 http://203.0.113.31:3000/login/gitlab
 ```

-Finally, select *api* as the *Scope* and submit the form. You'll get an
-*Application Id* and a *Secret* in return; we'll call them
+Finally, select *api* as the *Scope* and submit the form. Note that if you're
+not going to use GitLab groups for authorization (i.e. not setting
+`allowed_groups`, see below), you can select *read_user* instead of *api* as
+the *Scope*, thus giving a more restricted access to your GitLab API.
+
+You'll get an *Application Id* and a *Secret* in return; we'll call them
 `GITLAB_APPLICATION_ID` and `GITLAB_SECRET` respectively for the rest of this
 section.