Merge remote-tracking branch 'origin/master'

wiki/src/contribute/working_together/GitLab.mdwn

@@ -436,6 +436,22 @@ instance"]].
 The Tails [[system administrators|working_together/roles/sysadmins]]
 administrate this GitLab instance.
 
+## Configuration of GitLab
+
+The configuration of our GitLab instance lives in the private [[!tails_gitlab
+tails/gitlab-config]] GitLab project.
+
+If you have access to this project, you can propose configuration changes:
+push a topic branch and submit a merge request.
+
+This can be useful, for example:
+
+ - to modify group membership when someone joins or leaves a team
+ - to propose new [[!tails_gitlab groups/tails/-/labels desc="group labels"]]
+   shared by all our GitLab projects
+ - to propose a new project under the `tails/` namespace, ensuring our common
+   project settings & permission model are applied
+
 <a id="access-control"></a>
 
 ## Access control
@@ -471,11 +487,13 @@ administrate this GitLab instance.
 
 ### Subjects
 
- - An _admin_ can do anything that other roles can, and:
-   - can delete issues
-   - can edit team membership
+ - An _admin_:
+   - can configure GitLab
+     - As a consequence, an admin can grant themselves
+       any permission they want if an emergency requires it;
+       in other situations, better follow due process to request
+       such status or permissions :)
    - MUST comply with our "Level 3" security policy
-   - can view issues that contain particularly sensitive data
 
  - A _committer_:
    - can push and force-push to any ref in the canonical Git repo,