diff --git a/ee/lib/api/ldap_group_links.rb b/ee/lib/api/ldap_group_links.rb
index b1a77cf5c33de61f13fb160606fa01f53783d19a..7c8285065166c464bb1d50772cbf3b40a4986eeb 100644
--- a/ee/lib/api/ldap_group_links.rb
+++ b/ee/lib/api/ldap_group_links.rb
@@ -45,7 +45,7 @@ class LdapGroupLinks < ::API::Base
 params do
 optional 'cn', type: String, desc: 'The CN of a LDAP group'
 optional 'filter', type: String, desc: 'The LDAP filter for the group'
- requires 'group_access', type: Integer, values: Gitlab::Access.all_values,
+ requires 'group_access', type: Integer, values: Gitlab::Access.values_with_minimal_access,
 desc: 'Access level for members of the LDAP group'
 requires 'provider', type: String, desc: 'LDAP provider for the LDAP group link'
 optional 'member_role_id', type: Integer, desc: 'The ID of the Member Role for members of the LDAP group'
diff --git a/ee/spec/requests/api/ldap_group_links_spec.rb b/ee/spec/requests/api/ldap_group_links_spec.rb
index 9660228ea5657816ffa04fe913f1cabf0b52445b..098b09f208f95e6078cf64cc395428dfb45d7aba 100644
--- a/ee/spec/requests/api/ldap_group_links_spec.rb
+++ b/ee/spec/requests/api/ldap_group_links_spec.rb
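Review bot: The `values:` list on `requires 'group_access'` in ee/lib/api/ldap_group_links.rb is the only check visible here on which access level an LDAP group link may grant, and it now admits `Gitlab::Access::MINIMAL_ACCESS` for every group this endpoint can reach. If Minimal Access is meant to be limited (for example to certain group types or to a licensed feature), that restriction has to be enforced outside this hunk, because a static allow-list cannot express it; it is worth confirming that the model or service behind the endpoint rejects the value where it is unsupported. The `desc` also leaves callers guessing which levels are accepted, so something like `desc: 'Access level for members of the LDAP group, including Minimal Access'` would keep the generated API documentation in step. The `params do` block continues past the end of the hunk.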
@@ -252,6 +252,38 @@
 end
 end
 end
+
+ it 'allows creating Minimal Access group access LDAP group links' do
+ expect do
+ post(
+ api("/groups/#{group_with_ldap_links.id}/ldap_group_links", owner),
+ params: {
+ cn: 'ldap-group',
+ group_access: ::Gitlab::Access::MINIMAL_ACCESS,
+ provider: 'ldap2'
+ }
+ )
+ end.to change { group_with_ldap_links.ldap_group_links.count }.by(1)
+
+ expect(response).to have_gitlab_http_status(:created)
+ expect(json_response['group_access']).to eq(::Gitlab::Access::MINIMAL_ACCESS)
+ end
+
+ it 'denies creating random group access LDAP group links' do
+ expect do
+ post(
+ api("/groups/#{group_with_ldap_links.id}/ldap_group_links", owner),
+ params: {
+ cn: 'ldap-group',
+ group_access: 111,
+ provider: 'ldap2'
+ }
+ )
+ end.not_to change { group_with_ldap_links.ldap_group_links.count }
+
+ expect(response).to have_gitlab_http_status(:bad_request)
+ expect(json_response['error']).to eq('group_access does not have a valid value')
+ end
 end
 describe 'DELETE /groups/:id/ldap_group_links/:cn' do
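Review bot: The rejection example only sends `group_access: 111`, a value nowhere near a defined level, so it would keep passing if the allow-list were later widened by accident; adding one example with a defined level that should stay out of the list (for instance `::Gitlab::Access::NO_ACCESS`, assuming it is meant to be refused) would pin the boundary that matters for privilege assignment. Both examples authenticate as `owner`, so they do not show what a lower-privileged caller gets for the new value; that may be covered elsewhere in the spec, outside this hunk. The title says 'random' although the value is fixed; `it 'rejects a group_access value outside the allowed levels' do` reads more accurately. The enclosing `describe` block starts before the hunk.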