authormo khan <mo@mokhan.ca>2025-07-25 14:06:11 -0600
committermo khan <mo@mokhan.ca>2025-07-25 14:06:11 -0600
commitfecf0c0cfb88d0666549e91de4eb4a205b435377 (patch)
tree9321af1279cbed53b02d50433f34c74cb6ae5431
parente5142a2786b499291f6e98f328e10a9c44901ad2 (diff)
chore: generate a schema with every permission spice-schema
-rw-r--r--etc/authzd/spice.schema2124
1 files changed, 2111 insertions, 13 deletions
diff --git a/etc/authzd/spice.schema b/etc/authzd/spice.schema
index 0f3494f7..24d8c050 100644
--- a/etc/authzd/spice.schema
+++ b/etc/authzd/spice.schema
@@ -1,27 +1,2125 @@
-definition user {}
+// Comprehensive GitLab SpiceDB Schema
+// Based on systematic analysis of 798 GitLab permissions from 487+ policy files
+// Includes all permissions from app/policies and ee/app/policies
+// Full support for CI_JOB_TOKEN permissions and Custom Roles
-definition project {
+definition organization {
+ relation admin: user
+ relation member: user
+ relation owner: user
+
+ // Core permissions
+ permission read = member + admin + owner
+ permission admin_organization = admin + owner
+ permission create_group = member + admin + owner
+ permission admin_compliance_framework = admin + owner
+ permission admin_external_audit_events = admin + owner
+
+ // Additional organization permissions
+ permission create_organization = admin + owner
+ permission admin_instance_external_audit_events = admin + owner
+ permission read_organization = member + admin + owner
+ permission read_all_organization_resources = admin + owner
+ permission admin_service_accounts = admin + owner
+ permission create_service_account = admin + owner
+ permission delete_service_account = admin + owner
+ permission admin_organization_cluster_agent_mapping = admin + owner
+ permission read_organization_cluster_agent_mapping = member + admin + owner
+ permission read_organization_user = member + admin + owner
+ permission update_organization_user = admin + owner
+ permission remove_user = admin + owner
+ permission delete_user = admin + owner
+ permission admin_add_on_purchase = admin + owner
+ permission manage_destroy = admin + owner
+}
+
+definition group {
+ relation developer: user
+ relation group_bot: user
relation guest: user
+ relation maintainer: user
+ relation organization: organization
+ relation owner: user
+ relation parent_group: group
relation planner: user
relation reporter: user
+ relation service_account: user
+
+ // Core access permissions
+ permission read = guest + reporter + developer + maintainer + owner + organization->member + parent_group->read
+ permission read_group = guest + reporter + developer + maintainer + owner + organization->member + parent_group->read
+ permission guest_access = guest + reporter + developer + maintainer + owner
+ permission reporter_access = reporter + developer + maintainer + owner
+ permission developer_access = developer + maintainer + owner
+ permission maintainer_access = maintainer + owner
+ permission owner_access = owner
+ permission planner_access = planner + reporter + developer + maintainer + owner
+ permission project_bot_access = group_bot
+
+ // Administrative permissions
+ permission admin_group = owner + organization->admin_organization
+ permission admin_group_member = maintainer + owner
+ permission admin_compliance_framework = owner + organization->admin_compliance_framework
+ permission admin_epic = reporter + developer + maintainer + owner
+ permission admin_cicd_variables = maintainer + owner
+ permission admin_runner = owner
+ permission admin_vulnerability = developer + maintainer + owner
+ permission archive_group = owner
+ permission remove_group = owner
+ permission change_visibility_level = owner
+
+ // Wiki permissions
+ permission create_wiki = developer + maintainer + owner
+ permission admin_wiki = maintainer + owner
+ permission read_wiki = guest + reporter + developer + maintainer + owner
+ permission download_wiki_code = reporter + developer + maintainer + owner
+
+ // Milestone and iteration permissions
+ permission admin_milestone = reporter + developer + maintainer + owner
+ permission read_milestone = guest + reporter + developer + maintainer + owner
+ permission create_milestone = reporter + developer + maintainer + owner
+ permission admin_iteration = reporter + developer + maintainer + owner
+ permission read_iteration = guest + reporter + developer + maintainer + owner
+ permission create_iteration = developer + maintainer + owner
+ permission admin_iteration_cadence = developer + maintainer + owner
+ permission read_iteration_cadence = guest + reporter + developer + maintainer + owner
+ permission create_iteration_cadence = developer + maintainer + owner
+
+ // Label permissions
+ permission admin_label = reporter + developer + maintainer + owner
+ permission read_label = guest + reporter + developer + maintainer + owner
+ permission read_group_labels = guest + reporter + developer + maintainer + owner
+
+ // Issue board permissions
+ permission admin_issue_board = reporter + developer + maintainer + owner
+ permission read_issue_board = guest + reporter + developer + maintainer + owner
+ permission admin_issue_board_list = reporter + developer + maintainer + owner
+ permission read_issue_board_list = guest + reporter + developer + maintainer + owner
+
+ // Epic board permissions (EE)
+ permission admin_epic_board = reporter + developer + maintainer + owner
+ permission read_epic_board = guest + reporter + developer + maintainer + owner
+ permission admin_epic_board_list = reporter + developer + maintainer + owner
+ permission read_epic_board_list = guest + reporter + developer + maintainer + owner
+
+ // Package and container permissions
+ permission admin_package = maintainer + owner
+ permission read_package = guest + reporter + developer + maintainer + owner
+ permission create_package = developer + maintainer + owner
+ permission destroy_package = maintainer + owner
+ permission read_container_image = guest + reporter + developer + maintainer + owner
+
+ // Security permissions
+ permission read_security_dashboard = reporter + developer + maintainer + owner
+ permission read_group_security_dashboard = reporter + developer + maintainer + owner
+ permission access_security_and_compliance = developer + maintainer + owner
+ permission admin_vulnerability = developer + maintainer + owner
+ permission read_vulnerability = reporter + developer + maintainer + owner
+ permission resolve_vulnerability_with_ai = developer + maintainer + owner
+
+ // Analytics permissions
+ permission read_group_analytics_dashboards = reporter + developer + maintainer + owner
+ permission view_productivity_analytics = reporter + developer + maintainer + owner
+ permission read_group_activity_analytics = reporter + developer + maintainer + owner
+ permission read_group_contribution_analytics = reporter + developer + maintainer + owner
+ permission read_group_repository_analytics = reporter + developer + maintainer + owner
+ permission view_group_devops_adoption = reporter + developer + maintainer + owner
+ permission view_group_ci_cd_analytics = reporter + developer + maintainer + owner
+ permission read_ci_cd_analytics = reporter + developer + maintainer + owner
+ permission read_group_build_report_results = reporter + developer + maintainer + owner
+ permission read_group_coverage_reports = reporter + developer + maintainer + owner
+
+ // Compliance permissions
+ permission read_compliance_dashboard = reporter + developer + maintainer + owner
+ permission admin_compliance_pipeline_configuration = owner
+ permission read_compliance_adherence_report = developer + maintainer + owner
+ permission read_compliance_violations_report = developer + maintainer + owner
+ permission read_group_audit_events = owner
+
+ // Member management
+ permission admin_member_access_request = maintainer + owner
+ permission read_member_access_request = guest + reporter + developer + maintainer + owner
+ permission invite_group_members = maintainer + owner
+ permission override_group_member = owner
+ permission activate_group_member = maintainer + owner
+ permission ban_group_member = owner
+ permission destroy_group_member = owner
+ permission update_group_member = maintainer + owner
+
+ // Service account permissions
+ permission admin_service_account_member = owner
+ permission create_service_account = owner
+ permission delete_service_account = owner
+
+ // Runner permissions
+ permission register_group_runners = maintainer + owner
+ permission admin_group_or_admin_runner = owner
+ permission read_group_runners = reporter + developer + maintainer + owner
+ permission read_group_all_available_runners = reporter + developer + maintainer + owner
+
+ // CRM permissions (EE)
+ permission admin_crm_contact = reporter + developer + maintainer + owner
+ permission read_crm_contact = guest + reporter + developer + maintainer + owner
+ permission admin_crm_organization = reporter + developer + maintainer + owner
+ permission read_crm_organization = guest + reporter + developer + maintainer + owner
+
+ // Custom field permissions (EE)
+ permission admin_custom_field = owner
+ permission read_custom_field = guest + reporter + developer + maintainer + owner
+
+ // Deploy token permissions
+ permission create_deploy_token = maintainer + owner
+ permission read_deploy_token = maintainer + owner
+ permission destroy_deploy_token = maintainer + owner
+ permission manage_deploy_tokens = maintainer + owner
+ permission update_group_deploy_key = maintainer + owner
+ permission update_group_deploy_key_for_group = maintainer + owner
+
+ // Dependency proxy permissions
+ permission admin_dependency_proxy = owner
+ permission read_dependency_proxy = guest + reporter + developer + maintainer + owner
+
+ // AI/Duo permissions
+ permission access_duo_features = developer + maintainer + owner
+ permission access_duo_chat = developer + maintainer + owner
+ permission access_ai_review_mr = developer + maintainer + owner
+ permission admin_duo_workflow = owner
+ permission read_duo_workflow = developer + maintainer + owner
+ permission update_duo_workflow = maintainer + owner
+ permission destroy_duo_workflow = owner
+ permission execute_duo_workflow_in_ci = developer + maintainer + owner
+
+ // Group settings permissions
+ permission change_share_with_group_lock = owner
+ permission change_prevent_sharing_groups_outside_hierarchy = owner
+ permission change_prevent_group_forking = owner
+ permission set_emails_disabled = owner
+ permission set_show_diff_preview_in_email = owner
+ permission change_new_user_signups_cap = owner
+ permission change_seat_control = owner
+
+ // Additional permissions
+ permission create_projects = maintainer + owner
+ permission transfer_projects = owner
+ permission import_projects = owner
+ permission admin_namespace = owner
+ permission read_namespace = guest + reporter + developer + maintainer + owner
+ permission admin_namespace_cluster_agent_mapping = owner
+ permission read_namespace_cluster_agent_mapping = guest + reporter + developer + maintainer + owner
+ permission create_subgroup = owner
+ permission list_subgroup_epics = reporter + developer + maintainer + owner
+ permission admin_integrations = owner
+ permission read_group_member = guest + reporter + developer + maintainer + owner
+ permission read_group_metadata = guest + reporter + developer + maintainer + owner
+ permission read_group_activity = guest + reporter + developer + maintainer + owner
+ permission read_group_issues = guest + reporter + developer + maintainer + owner
+ permission read_group_merge_requests = guest + reporter + developer + maintainer + owner
+ permission read_group_milestones = guest + reporter + developer + maintainer + owner
+ permission read_group_boards = guest + reporter + developer + maintainer + owner
+ permission read_group_release_stats = reporter + developer + maintainer + owner
+ permission read_group_credentials_inventory = owner
+ permission admin_group_credentials_inventory = owner
+ permission create_custom_emoji = developer + maintainer + owner
+ permission read_custom_emoji = guest + reporter + developer + maintainer + owner
+ permission delete_custom_emoji = owner
+ permission upload_file = guest + reporter + developer + maintainer + owner
+ permission read_upload = guest + reporter + developer + maintainer + owner
+ permission destroy_upload = maintainer + owner
+ permission admin_upload = owner
+ permission create_group_stage = owner
+ permission read_group_stage = guest + reporter + developer + maintainer + owner
+ permission update_group_stage = owner
+ permission delete_group_stage = owner
+ permission admin_ldap_group_links = owner
+ permission admin_saml_group_links = owner
+ permission admin_group_saml = owner
+ permission read_group_saml_identity = owner
+ permission create_jira_connect_subscription = owner
+ permission read_billable_member = owner
+ permission read_billing = owner
+ permission edit_billing = owner
+ permission start_trial = owner
+ permission admin_licensed_seat = owner
+ permission update_subscription_limit = owner
+ permission read_usage_quotas = owner
+ permission admin_push_rules = owner
+ permission change_push_rules = owner
+ permission change_commit_committer_check = owner
+ permission change_commit_committer_name_check = owner
+ permission change_reject_unsigned_commits = owner
+ permission change_reject_non_dco_commits = owner
+ permission enable_secret_push_protection = owner
+ permission read_saml_user = owner
+ permission read_limit_alert = owner
+ permission read_licenses = owner
+ permission read_dependency = guest + reporter + developer + maintainer + owner
+ permission read_lifecycle = reporter + developer + maintainer + owner
+ permission read_counts = reporter + developer + maintainer + owner
+ permission manage_merge_request_settings = owner
+ permission update_approval_rule = owner
+ permission export_group_memberships = owner
+ permission rollover_issues = owner
+ permission admin_achievement = owner
+ permission read_achievement = guest + reporter + developer + maintainer + owner
+ permission award_achievement = owner
+ permission read_insights = reporter + developer + maintainer + owner
+ permission read_resource_access_tokens = maintainer + owner
+ permission create_resource_access_tokens = owner
+ permission destroy_resource_access_tokens = owner
+ permission manage_resource_access_tokens = owner
+ permission admin_setting_to_allow_resource_access_token_creation = owner
+ permission read_member_role = guest + reporter + developer + maintainer + owner
+ permission admin_member_role = owner
+ permission view_member_roles = guest + reporter + developer + maintainer + owner
+ permission generate_description = developer + maintainer + owner
+ permission read_virtual_registry = guest + reporter + developer + maintainer + owner
+ permission create_virtual_registry = owner
+ permission update_virtual_registry = owner
+ permission destroy_virtual_registry = owner
+ permission create_saved_replies = developer + maintainer + owner
+ permission read_saved_replies = guest + reporter + developer + maintainer + owner
+ permission update_saved_replies = developer + maintainer + owner
+ permission destroy_saved_replies = developer + maintainer + owner
+ permission admin_value_stream = owner
+ permission modify_value_stream_dashboard_settings = owner
+ permission read_internal_note = reporter + developer + maintainer + owner
+ permission read_note = guest + reporter + developer + maintainer + owner
+ permission create_note = guest + reporter + developer + maintainer + owner
+ permission admin_note = maintainer + owner
+ permission mark_note_as_internal = reporter + developer + maintainer + owner
+ permission award_emoji = guest + reporter + developer + maintainer + owner
+ permission admin_web_hook = owner
+ permission read_web_hook = maintainer + owner
+ permission manage_devops_adoption_namespaces = owner
+ permission provision_cloud_runner = owner
+ permission provision_gke_runner = owner
+ permission read_runner_cloud_provisioning_info = owner
+ permission read_runner_gke_provisioning_info = owner
+ permission use_k = developer + maintainer + owner
+ permission view_type_of_work_charts = reporter + developer + maintainer + owner
+ permission view_edit_page = developer + maintainer + owner
+ permission view_globally = guest + reporter + developer + maintainer + owner
+ permission summarize_comments = developer + maintainer + owner
+ permission set_note_created_at = owner
+ permission set_issue_created_at = owner
+ permission set_issue_updated_at = owner
+ permission set_epic_created_at = owner
+ permission set_epic_updated_at = owner
+ permission set_show_default_award_emojis = owner
+ permission set_warn_about_potentially_unwanted_characters = owner
+ permission measure_comment_temperature = developer + maintainer + owner
+ permission read_product_analytics = reporter + developer + maintainer + owner
+ permission modify_product_analytics_settings = owner
+ permission read_harbor_registry = reporter + developer + maintainer + owner
+ permission read_cluster = reporter + developer + maintainer + owner
+ permission admin_cluster = owner
+ permission create_cluster = owner
+ permission update_cluster = owner
+ permission add_cluster = owner
+ permission read_cluster_agent = reporter + developer + maintainer + owner
+ permission read_cluster_environments = reporter + developer + maintainer + owner
+ permission read_prometheus = reporter + developer + maintainer + owner
+ permission read_grafana = reporter + developer + maintainer + owner
+ permission admin_protected_environments = owner
+ permission export_work_items = reporter + developer + maintainer + owner
+ permission import_work_items = developer + maintainer + owner
+ permission admin_work_item = reporter + developer + maintainer + owner
+ permission read_work_item = guest + reporter + developer + maintainer + owner
+ permission create_work_item = guest + reporter + developer + maintainer + owner
+ permission update_work_item = reporter + developer + maintainer + owner
+ permission admin_issue = reporter + developer + maintainer + owner
+ permission read_issue = guest + reporter + developer + maintainer + owner
+ permission create_issue = guest + reporter + developer + maintainer + owner
+ permission update_issue = reporter + developer + maintainer + owner
+ permission destroy_issue = owner
+ permission reopen_issue = reporter + developer + maintainer + owner
+ permission create_task = guest + reporter + developer + maintainer + owner
+ permission create_key_result = developer + maintainer + owner
+ permission create_objective = developer + maintainer + owner
+ permission set_issue_metadata = reporter + developer + maintainer + owner
+ permission set_work_item_metadata = reporter + developer + maintainer + owner
+ permission clone_issue = reporter + developer + maintainer + owner
+ permission clone_work_item = reporter + developer + maintainer + owner
+ permission move_issue = reporter + developer + maintainer + owner
+ permission move_work_item = reporter + developer + maintainer + owner
+ permission admin_merge_request = developer + maintainer + owner
+ permission update_merge_request = developer + maintainer + owner
+ permission create_epic_tree_relation = developer + maintainer + owner
+ permission admin_epic_relation = developer + maintainer + owner
+ permission admin_epic_link_relation = developer + maintainer + owner
+ permission admin_epic_tree_relation = developer + maintainer + owner
+ permission bulk_admin_epic = owner
+ permission read_epic_iid = guest + reporter + developer + maintainer + owner
+ permission read_epic_relation = guest + reporter + developer + maintainer + owner
+ permission read_epic_link_relation = guest + reporter + developer + maintainer + owner
+ permission set_epic_metadata = reporter + developer + maintainer + owner
+ permission set_confidentiality = reporter + developer + maintainer + owner
+ permission create_timelog = reporter + developer + maintainer + owner
+ permission admin_timelog = owner
+ permission read_timelog_category = guest + reporter + developer + maintainer + owner
+ permission read_issuable = guest + reporter + developer + maintainer + owner
+ permission read_issuable_participables = guest + reporter + developer + maintainer + owner
+ permission create_todo = guest + reporter + developer + maintainer + owner
+ permission update_todo = guest + reporter + developer + maintainer + owner
+ permission read_todo = guest + reporter + developer + maintainer + owner
+ permission update_subscription = guest + reporter + developer + maintainer + owner
+ permission reopen_merge_request = developer + maintainer + owner
+ permission resolve_note = developer + maintainer + owner
+ permission reposition_note = developer + maintainer + owner
+ permission request_access = guest
+ permission withdraw_member_access_request = guest + reporter + developer + maintainer + owner
+ permission read_shared_with_group = guest + reporter + developer + maintainer + owner
+ permission update_default_branch_protection = owner
+ permission update_git_access_protocol = owner
+ permission update_max_artifacts_size = owner
+ permission read_statistics = reporter + developer + maintainer + owner
+ permission read_cycle_analytics = reporter + developer + maintainer + owner
+ permission read_design_activity = reporter + developer + maintainer + owner
+ permission read_namespace_via_membership = guest + reporter + developer + maintainer + owner
+ permission read_nested_project_resources = guest + reporter + developer + maintainer + owner
+ permission read_namespace_catalog = guest + reporter + developer + maintainer + owner
+ permission read_dora = reporter + developer + maintainer + owner
+ permission read_enterprise_ai_analytics = reporter + developer + maintainer + owner
+ permission read_pro_ai_analytics = reporter + developer + maintainer + owner
+ permission read_security_inventory = developer + maintainer + owner
+ permission read_security_configuration = developer + maintainer + owner
+ permission read_security_orchestration_policies = developer + maintainer + owner
+ permission read_security_orchestration_policy_project = developer + maintainer + owner
+ permission update_security_orchestration_policy_project = owner
+ permission modify_security_policy = owner
+ permission admin_security_testing = owner
+ permission enable_continuous_vulnerability_scans = owner
+ permission configure_secret_detection_validity_checks = owner
+ permission read_secret_detection_validity_checks_status = developer + maintainer + owner
+ permission read_secret_push_protection_info = developer + maintainer + owner
+ permission admin_merge_request_approval_settings = owner
+ permission modify_approvers_rules = owner
+ permission modify_merge_request_author_setting = owner
+ permission modify_merge_request_committer_setting = owner
+ permission edit_group_approval_rule = owner
+ permission read_group_approval_rule = reporter + developer + maintainer + owner
+ permission create_vulnerability_export = developer + maintainer + owner
+ permission read_vulnerability_export = developer + maintainer + owner
+ permission read_vulnerability_statistics = reporter + developer + maintainer + owner
+ permission read_jobs_statistics = reporter + developer + maintainer + owner
+ permission read_runner_usage = owner
+ permission read_runners_registration_token = owner
+ permission update_runners_registration_token = owner
+ permission read_package_within_public_registries = guest + reporter + developer + maintainer + owner
+ permission read_code = guest + reporter + developer + maintainer + owner
+ permission read_resource_state_event = guest + reporter + developer + maintainer + owner
+ permission read_resource_weight_event = guest + reporter + developer + maintainer + owner
+ permission read_resource_iteration_event = guest + reporter + developer + maintainer + owner
+ permission read_resource_milestone_event = guest + reporter + developer + maintainer + owner
+ permission read_resource_label_event = guest + reporter + developer + maintainer + owner
+ permission admin_group_model_selection = owner
+ permission read_event = guest + reporter + developer + maintainer + owner
+ permission use_quick_actions = guest + reporter + developer + maintainer + owner
+ permission use_slash_commands = guest + reporter + developer + maintainer + owner
+ permission receive_notifications = guest + reporter + developer + maintainer + owner
+}
+
+definition project {
+ relation ci_job_token: ci_job
+ relation deploy_token: deploy_token
relation developer: user
+ relation group: group
+ relation guest: user
+ relation internal_access: user
relation maintainer: user
+ relation namespace: user
relation owner: user
- relation admin: user
+ relation planner: user
+ relation project_bot: user
+ relation public_access: user:*
+ relation reporter: user
+
+ // Core access permissions
+ permission read_project = guest + reporter + developer + maintainer + owner + group->read + namespace->read + public_access + internal_access
+ permission guest_access = guest + reporter + developer + maintainer + owner
+ permission reporter_access = reporter + developer + maintainer + owner
+ permission developer_access = developer + maintainer + owner
+ permission maintainer_access = maintainer + owner
+ permission owner_access = owner
+ permission planner_access = planner + reporter + developer + maintainer + owner
+ permission public_access = public_access
+ permission public_user_access = public_access + internal_access
+ permission project_bot_access = project_bot
+ permission build_read_project = ci_job_token
+ permission read_project_for_iids = guest + reporter + developer + maintainer + owner + group->read
+
+ // Administrative permissions
+ permission admin_project = owner + group->admin_group
+ permission archive_project = owner
+ permission remove_project = owner + group->admin_group
+ permission change_visibility_level = owner + group->admin_group
+ permission change_namespace = owner
+ permission rename_project = maintainer + owner
+ permission set_emails_disabled = owner
+ permission set_show_diff_preview_in_email = owner
+ permission set_show_default_award_emojis = owner
+ permission set_warn_about_potentially_unwanted_characters = owner
+ permission manage_owners = owner
+
+ // Code and repository permissions
+ permission read_code = guest + reporter + developer + maintainer + owner + ci_job_token + deploy_token + group->read
+ permission download_code = guest + reporter + developer + maintainer + owner + ci_job_token + deploy_token
+ permission build_download_code = guest + ci_job_token
+ permission download_code_spp_repository = developer + maintainer + owner
+ permission push_code = developer + maintainer + owner
+ permission build_push_code = ci_job_token
+ permission push_code_to_protected_branches = maintainer + owner
+ permission push_to_delete_protected_branch = maintainer + owner
+ permission fork_project = reporter + developer + maintainer + owner
+ permission link_forked_project = developer + maintainer + owner
+ permission remove_fork_project = owner
+
+ // Wiki permissions
+ permission create_wiki = developer + maintainer + owner
+ permission admin_wiki = maintainer + owner
+ permission read_wiki = guest + reporter + developer + maintainer + owner
+ permission read_wiki_page = guest + reporter + developer + maintainer + owner
+ permission download_wiki_code = reporter + developer + maintainer + owner
+
+ // Snippet permissions
+ permission create_snippet = developer + maintainer + owner
+ permission admin_snippet = maintainer + owner
+ permission read_snippet = guest + reporter + developer + maintainer + owner
+ permission update_snippet = maintainer + owner
+
+ // Milestone permissions
+ permission admin_milestone = reporter + developer + maintainer + owner
+ permission read_milestone = guest + reporter + developer + maintainer + owner
+ permission read_resource_milestone_event = guest + reporter + developer + maintainer + owner
+
+ // Label permissions
+ permission admin_label = reporter + developer + maintainer + owner
+ permission read_label = guest + reporter + developer + maintainer + owner
+ permission read_resource_label_event = guest + reporter + developer + maintainer + owner
+
+ // Branch and tag permissions
+ permission admin_tag = maintainer + owner
+ permission delete_tag = maintainer + owner
+ permission create_branch_rule = maintainer + owner
+ permission read_branch_rule = guest + reporter + developer + maintainer + owner
+ permission update_branch_rule = maintainer + owner
+ permission destroy_branch_rule = owner
+ permission admin_protected_branch = maintainer + owner
+ permission create_protected_branch = maintainer + owner
+ permission read_protected_branch = guest + reporter + developer + maintainer + owner
+ permission update_protected_branch = maintainer + owner
+ permission destroy_protected_branch = owner
+ permission create_protected_tags = maintainer + owner
+ permission read_protected_tags = guest + reporter + developer + maintainer + owner
+ permission update_protected_tags = maintainer + owner
+ permission destroy_protected_tags = owner
+ permission manage_protected_tags = maintainer + owner
+ permission admin_target_branch_rule = owner
+ permission read_target_branch_rule = guest + reporter + developer + maintainer + owner
+ permission update_squash_option = developer + maintainer + owner
+ permission create_squash_option = developer + maintainer + owner
+ permission read_squash_option = guest + reporter + developer + maintainer + owner
+ permission destroy_squash_option = owner
+
+ // CI/CD permissions
+ permission read_build = reporter + developer + maintainer + owner + ci_job_token
+ permission create_build = developer + maintainer + owner
+ permission update_build = developer + maintainer + owner
+ permission cancel_build = developer + maintainer + owner
+ permission erase_build = maintainer + owner
+ permission play_job = developer + maintainer + owner
+ permission read_job_artifacts = reporter + developer + maintainer + owner + ci_job_token
+ permission destroy_artifacts = maintainer + owner
+ permission admin_build = maintainer + owner
+ permission create_pipeline = developer + maintainer + owner + ci_job_token
+ permission create_bot_pipeline = developer + maintainer + owner
+ permission read_pipeline = guest + reporter + developer + maintainer + owner
+ permission update_pipeline = developer + maintainer + owner
+ permission cancel_pipeline = developer + maintainer + owner
+ permission destroy_pipeline = owner
+ permission admin_pipeline = maintainer + owner
+ permission read_pipeline_variable = developer + maintainer + owner
+ permission set_pipeline_variables = developer + maintainer + owner
+ permission read_pipeline_metadata = reporter + developer + maintainer + owner
+ permission admin_cicd_variables = maintainer + owner + group->admin_cicd_variables
+ permission change_restrict_user_defined_variables = owner
+
+ // Pipeline schedule permissions
+ permission create_pipeline_schedule = developer + maintainer + owner
+ permission read_pipeline_schedule = reporter + developer + maintainer + owner
+ permission update_pipeline_schedule = developer + maintainer + owner
+ permission admin_pipeline_schedule = maintainer + owner
+ permission play_pipeline_schedule = developer + maintainer + owner
+ permission take_ownership_pipeline_schedule = developer + maintainer + owner
+ permission read_pipeline_schedule_variables = developer + maintainer + owner
+ permission read_ci_pipeline_schedules_plan_limit = reporter + developer + maintainer + owner
+
+ // Commit status permissions
+ permission create_commit_status = developer + maintainer + owner
+ permission read_commit_status = reporter + developer + maintainer + owner
+ permission update_commit_status = developer + maintainer + owner
+ permission admin_commit_status = maintainer + owner
+
+ // Issue permissions
+ permission create_issue = guest + reporter + developer + maintainer + owner
+ permission read_issue = guest + reporter + developer + maintainer + owner
+ permission update_issue = reporter + developer + maintainer + owner
+ permission admin_issue = reporter + developer + maintainer + owner
+ permission destroy_issue = owner
+ permission reopen_issue = reporter + developer + maintainer + owner
+ permission set_issue_iid = owner
+ permission set_issue_created_at = owner
+ permission set_issue_updated_at = owner
+ permission set_issue_metadata = reporter + developer + maintainer + owner
+ permission set_issue_crm_contacts = reporter + developer + maintainer + owner
+ permission set_confidentiality = reporter + developer + maintainer + owner
+ permission read_issue_iid = guest + reporter + developer + maintainer + owner
+ permission create_incident = reporter + developer + maintainer + owner
+ permission import_issues = developer + maintainer + owner
+ permission export_work_items = reporter + developer + maintainer + owner
+ permission import_work_items = developer + maintainer + owner
+ permission clone_issue = reporter + developer + maintainer + owner
+ permission move_issue = reporter + developer + maintainer + owner
+ permission promote_to_epic = reporter + developer + maintainer + owner
+ permission read_confidential_issues = reporter + developer + maintainer + owner
+ permission mark_issue_for_publication = maintainer + owner
+
+ // Work item permissions
+ permission create_work_item = guest + reporter + developer + maintainer + owner
+ permission read_work_item = guest + reporter + developer + maintainer + owner
+ permission update_work_item = reporter + developer + maintainer + owner
+ permission admin_work_item = reporter + developer + maintainer + owner
+ permission delete_work_item = owner
+ permission clone_work_item = reporter + developer + maintainer + owner
+ permission move_work_item = reporter + developer + maintainer + owner
+ permission set_work_item_metadata = reporter + developer + maintainer + owner
+ permission admin_work_item_link = maintainer + owner
+ permission admin_parent_link = maintainer + owner
+ permission read_work_item_type = guest + reporter + developer + maintainer + owner
+ permission read_work_item_status = guest + reporter + developer + maintainer + owner
+ permission create_task = guest + reporter + developer + maintainer + owner
+ permission create_key_result = developer + maintainer + owner
+ permission create_objective = developer + maintainer + owner
+
+ // Issue board permissions
+ permission admin_issue_board = reporter + developer + maintainer + owner
+ permission read_issue_board = guest + reporter + developer + maintainer + owner
+ permission admin_issue_board_list = reporter + developer + maintainer + owner
+ permission read_issue_board_list = guest + reporter + developer + maintainer + owner
+ permission create_non_backlog_issues = reporter + developer + maintainer + owner
+
+ // Issue link permissions
+ permission admin_issue_link = reporter + developer + maintainer + owner
+ permission read_issue_link = guest + reporter + developer + maintainer + owner
+ permission admin_issue_relation = reporter + developer + maintainer + owner
+ permission create_external_issue_link = developer + maintainer + owner
+
+ // Merge request permissions
+ permission create_merge_request_from = developer + maintainer + owner
+ permission create_merge_request_in = developer + maintainer + owner
+ permission read_merge_request = guest + reporter + developer + maintainer + owner
+ permission update_merge_request = developer + maintainer + owner
+ permission admin_merge_request = developer + maintainer + owner
+ permission accept_merge_request = maintainer + owner
+ permission approve_merge_request = developer + maintainer + owner
+ permission destroy_merge_request = owner
+ permission reopen_merge_request = developer + maintainer + owner
+ permission read_merge_request_iid = guest + reporter + developer + maintainer + owner
+ permission set_merge_request_metadata = developer + maintainer + owner
+ permission create_merge_request_approval_rules = maintainer + owner
+ permission update_approvers = maintainer + owner
+ permission admin_merge_request_approval_settings = owner
+ permission reset_merge_request_approvals = maintainer + owner
+ permission modify_approvers_rules = owner
+ permission modify_merge_request_author_setting = owner
+ permission modify_merge_request_committer_setting = owner
+ permission manage_merge_request_settings = owner
+ permission read_approval_rule = reporter + developer + maintainer + owner
+ permission update_approval_rule = maintainer + owner
+ permission edit_approval_rule = maintainer + owner
+ permission read_approvers = reporter + developer + maintainer + owner
+ permission read_merge_request_closing_issue = guest + reporter + developer + maintainer + owner
+ permission read_merge_train = reporter + developer + maintainer + owner
+ permission read_merge_train_car = reporter + developer + maintainer + owner
+ permission delete_merge_train_car = maintainer + owner
+
+ // Design permissions
+ permission create_design = reporter + developer + maintainer + owner
+ permission read_design = guest + reporter + developer + maintainer + owner
+ permission update_design = developer + maintainer + owner
+ permission destroy_design = developer + maintainer + owner
+ permission move_design = developer + maintainer + owner
+ permission read_design_activity = guest + reporter + developer + maintainer + owner
+
+ // Container and package permissions
+ permission read_container_image = reporter + developer + maintainer + owner + ci_job_token
+ permission create_container_image = developer + maintainer + owner
+ permission update_container_image = developer + maintainer + owner
+ permission admin_container_image = maintainer + owner
+ permission destroy_container_image = maintainer + owner
+ permission destroy_container_image_tag = maintainer + owner
+ permission build_read_container_image = guest + ci_job_token
+ permission create_container_registry_protection_immutable_tag_rule = owner
+ permission destroy_container_registry_protection_tag_rule = developer + maintainer + owner
+ permission enable_container_scanning_for_registry = owner
+ permission read_package = reporter + developer + maintainer + owner
+ permission create_package = developer + maintainer + owner
+ permission destroy_package = maintainer + owner
+ permission admin_package = maintainer + owner
+ permission read_package_within_public_registries = guest + reporter + developer + maintainer + owner
+ permission view_package_registry_project_settings = reporter + developer + maintainer + owner
+
+ // Deploy token permissions
+ permission create_deploy_token = maintainer + owner
+ permission read_deploy_token = maintainer + owner
+ permission destroy_deploy_token = maintainer + owner
+ permission update_deploy_token = maintainer + owner
+ permission manage_deploy_tokens = maintainer + owner
+
+ // Environment and deployment permissions
+ permission create_environment = developer + maintainer + owner
+ permission read_environment = reporter + developer + maintainer + owner
+ permission update_environment = developer + maintainer + owner
+ permission admin_environment = maintainer + owner
+ permission destroy_environment = developer + maintainer + owner
+ permission stop_environment = developer + maintainer + owner
+ permission create_environment_terminal = maintainer + owner
+ permission create_deployment = developer + maintainer + owner
+ permission read_deployment = reporter + developer + maintainer + owner
+ permission update_deployment = developer + maintainer + owner
+ permission admin_deployment = maintainer + owner
+ permission destroy_deployment = maintainer + owner
+ permission approve_deployment = maintainer + owner
+ permission admin_protected_environments = owner
+ permission read_freeze_period = reporter + developer + maintainer + owner
+ permission create_freeze_period = maintainer + owner
+ permission update_freeze_period = maintainer + owner
+ permission destroy_freeze_period = maintainer + owner
+
+ // Feature flag permissions
+ permission create_feature_flag = developer + maintainer + owner
+ permission read_feature_flag = reporter + developer + maintainer + owner
+ permission update_feature_flag = developer + maintainer + owner
+ permission admin_feature_flag = maintainer + owner
+ permission destroy_feature_flag = developer + maintainer + owner
+ permission admin_feature_flags_client = maintainer + owner
+ permission admin_feature_flags_user_lists = maintainer + owner
+ permission admin_feature_flags_issue_links = maintainer + owner
- permission read = developer + maintainer
- permission write = maintainer
+ // Security and vulnerability permissions
+ permission read_vulnerability = reporter + developer + maintainer + owner
+ permission admin_vulnerability = developer + maintainer + owner + group->admin_vulnerability
+ permission create_vulnerability_feedback = developer + maintainer + owner
+ permission read_vulnerability_feedback = reporter + developer + maintainer + owner
+ permission update_vulnerability_feedback = developer + maintainer + owner
+ permission destroy_vulnerability_feedback = developer + maintainer + owner
+ permission read_vulnerability_scanner = reporter + developer + maintainer + owner
+ permission read_vulnerability_merge_request_link = reporter + developer + maintainer + owner
+ permission admin_vulnerability_merge_request_link = developer + maintainer + owner
+ permission admin_vulnerability_issue_link = developer + maintainer + owner
+ permission admin_vulnerability_external_issue_link = developer + maintainer + owner
+ permission create_vulnerability_export = developer + maintainer + owner
+ permission read_vulnerability_export = developer + maintainer + owner
+ permission create_vulnerability_archive_export = developer + maintainer + owner
+ permission read_vulnerability_archive_export = developer + maintainer + owner
+ permission create_vulnerability_state_transition = developer + maintainer + owner
+ permission read_vulnerability_representation_information = reporter + developer + maintainer + owner
+ permission resolve_vulnerability_with_ai = developer + maintainer + owner
+ permission read_vulnerability_statistics = reporter + developer + maintainer + owner
+
+ // Security scanning permissions
+ permission access_security_and_compliance = developer + maintainer + owner
+ permission access_security_scans_api = developer + maintainer + owner
+ permission read_security_dashboard = reporter + developer + maintainer + owner
+ permission read_project_security_dashboard = reporter + developer + maintainer + owner
+ permission add_project_to_instance_security_dashboard = owner
+ permission read_instance_security_dashboard = owner
+ permission read_security_configuration = developer + maintainer + owner
+ permission read_security_orchestration_policies = developer + maintainer + owner
+ permission read_security_orchestration_policy_project = developer + maintainer + owner
+ permission update_security_orchestration_policy_project = owner
+ permission modify_security_policy = owner
+ permission admin_security_testing = owner
+ permission manage_security_settings = owner
+ permission read_security_settings = reporter + developer + maintainer + owner
+ permission read_security_inventory = developer + maintainer + owner
+ permission read_security_resource = developer + maintainer + owner
+ permission read_project_security_exclusions = developer + maintainer + owner
+ permission manage_project_security_exclusions = owner
+ permission enable_continuous_vulnerability_scans = owner
+ permission configure_secret_detection_validity_checks = owner
+ permission read_secret_detection_validity_checks_status = developer + maintainer + owner
+ permission read_secret_push_protection_info = developer + maintainer + owner
+ permission enable_secret_push_protection = owner
+ permission read_coverage_fuzzing = developer + maintainer + owner
+ permission create_coverage_fuzzing_corpus = developer + maintainer + owner
+
+ // Release permissions
+ permission create_release = developer + maintainer + owner
+ permission read_release = guest + reporter + developer + maintainer + owner
+ permission update_release = developer + maintainer + owner
+ permission destroy_release = maintainer + owner
+ permission read_release_evidence = guest + reporter + developer + maintainer + owner
+
+ // Runner permissions
+ permission admin_runner = owner + group->admin_runner
+ permission read_runner = reporter + developer + maintainer + owner
+ permission update_runner = owner
+ permission delete_runner = owner
+ permission assign_runner = maintainer + owner
+ permission create_runner = maintainer + owner
+ permission register_project_runners = maintainer + owner
+ permission admin_project_runners = maintainer + owner
+ permission read_project_runners = reporter + developer + maintainer + owner
+ permission read_runners_registration_token = maintainer + owner
+ permission update_runners_registration_token = maintainer + owner
+ permission read_runner_usage = owner
+ permission read_runner_cloud_provisioning_info = owner
+ permission read_runner_gke_provisioning_info = owner
+ permission provision_cloud_runner = owner
+ permission provision_gke_runner = owner
+
+ // Pages permissions
+ permission admin_pages = maintainer + owner
+ permission read_pages = maintainer + owner
+ permission update_pages = maintainer + owner
+ permission remove_pages = maintainer + owner
+ permission read_pages_content = guest + reporter + developer + maintainer + owner
+ permission read_pages_deployments = reporter + developer + maintainer + owner
+ permission update_pages_deployments = maintainer + owner
+ permission pages_multiple_versions = maintainer + owner
+
+ // Terraform state permissions
+ permission read_terraform_state = developer + maintainer + owner
+ permission admin_terraform_state = maintainer + owner
+
+ // Analytics permissions
+ permission read_analytics = reporter + developer + maintainer + owner
+ permission read_insights = reporter + developer + maintainer + owner
+ permission read_ci_cd_analytics = reporter + developer + maintainer + owner
+ permission read_code_review_analytics = reporter + developer + maintainer + owner
+ permission read_issue_analytics = reporter + developer + maintainer + owner
+ permission read_project_merge_request_analytics = reporter + developer + maintainer + owner
+ permission read_combined_project_analytics_dashboards = reporter + developer + maintainer + owner
+ permission read_project_level_value_stream_dashboard_overview_counts = reporter + developer + maintainer + owner
+ permission view_productivity_analytics = reporter + developer + maintainer + owner
+ permission read_cycle_analytics = reporter + developer + maintainer + owner
+ permission read_repository_graphs = reporter + developer + maintainer + owner
+ permission read_statistics = reporter + developer + maintainer + owner
+ permission daily_statistics = reporter + developer + maintainer + owner
+ permission read_build_report_results = reporter + developer + maintainer + owner
+ permission use_project_statistics_filters = reporter + developer + maintainer + owner
+ permission admin_value_stream = owner
+
+ // AI/Duo permissions
+ permission access_duo_features = developer + maintainer + owner + group->access_duo_features
+ permission access_duo_chat = developer + maintainer + owner
+ permission access_ai_review_mr = developer + maintainer + owner
+ permission access_duo_agentic_chat = developer + maintainer + owner
+ permission access_duo_core_features = developer + maintainer + owner
+ permission access_description_composer = developer + maintainer + owner
+ permission access_summarize_new_merge_request = developer + maintainer + owner
+ permission access_summarize_review = developer + maintainer + owner
+ permission access_generate_commit_message = developer + maintainer + owner
+ permission duo_workflow = developer + maintainer + owner
+ permission trigger_amazon_q = developer + maintainer + owner
+ permission generate_description = developer + maintainer + owner
+ permission generate_cube_query = developer + maintainer + owner
+ permission read_ai_agents = reporter + developer + maintainer + owner
+ permission write_ai_agents = developer + maintainer + owner
+
+ // Model registry permissions (ML)
+ permission read_model_experiments = reporter + developer + maintainer + owner
+ permission write_model_experiments = developer + maintainer + owner
+ permission read_model_registry = reporter + developer + maintainer + owner
+ permission write_model_registry = developer + maintainer + owner
+
+ // Observability permissions
+ permission read_observability = reporter + developer + maintainer + owner
+ permission write_observability = developer + maintainer + owner
+
+ // Compliance permissions
+ permission admin_compliance_framework = owner + group->admin_compliance_framework
+ permission read_compliance_framework = reporter + developer + maintainer + owner
+ permission read_compliance_dashboard = reporter + developer + maintainer + owner
+ permission read_compliance_adherence_report = developer + maintainer + owner
+ permission read_compliance_violations_report = developer + maintainer + owner
+ permission read_project_audit_events = owner
+
+ // Member and access permissions
+ permission admin_project_member = maintainer + owner
+ permission read_project_member = guest + reporter + developer + maintainer + owner
+ permission update_project_member = maintainer + owner
+ permission destroy_project_member = owner
+ permission destroy_project_bot_member = owner
+ permission invite_member = maintainer + owner
+ permission invite_project_members = maintainer + owner
+ permission import_project_members_from_another_project = maintainer + owner
+ permission admin_member_access_request = maintainer + owner
+ permission read_member_access_request = guest + reporter + developer + maintainer + owner
+ permission withdraw_member_access_request = guest + reporter + developer + maintainer + owner
+ permission override_group_member = owner
+ permission destroy_group_member = owner
+ permission destroy_project_group_link = owner
+ permission manage_group_link_with_owner_access = owner
+ permission read_shared_with_group = guest + reporter + developer + maintainer + owner
+
+ // Note and comment permissions
+ permission create_note = guest + reporter + developer + maintainer + owner
+ permission read_note = guest + reporter + developer + maintainer + owner
+ permission update_note = guest + reporter + developer + maintainer + owner
+ permission admin_note = maintainer + owner
+ permission resolve_note = developer + maintainer + owner
+ permission reposition_note = developer + maintainer + owner
+ permission mark_note_as_internal = reporter + developer + maintainer + owner
+ permission set_note_created_at = owner
+ permission read_internal_note = reporter + developer + maintainer + owner
+ permission award_emoji = guest + reporter + developer + maintainer + owner
+ permission summarize_comments = developer + maintainer + owner
+ permission measure_comment_temperature = developer + maintainer + owner
+
+ // Webhook permissions
+ permission admin_web_hook = owner
+ permission read_web_hook = maintainer + owner
+
+ // Upload permissions
+ permission upload_file = guest + reporter + developer + maintainer + owner
+ permission read_upload = guest + reporter + developer + maintainer + owner
+ permission destroy_upload = maintainer + owner
+ permission admin_upload = owner
+
+ // Project settings permissions
+ permission admin_project_aws = owner
+ permission admin_project_google_cloud = owner
+ permission admin_project_secrets_manager = owner
+ permission admin_google_cloud_artifact_registry = owner
+ permission read_google_cloud_artifact_registry = reporter + developer + maintainer + owner
+ permission update_max_artifacts_size = owner
+ permission set_pipeline_variables = developer + maintainer + owner
+ permission change_commit_committer_check = owner
+ permission change_commit_committer_name_check = owner
+ permission read_commit_committer_check = reporter + developer + maintainer + owner
+ permission read_commit_committer_name_check = reporter + developer + maintainer + owner
+ permission change_push_rules = owner
+ permission admin_push_rules = owner
+ permission change_reject_unsigned_commits = owner
+ permission change_reject_non_dco_commits = owner
+ permission read_reject_unsigned_commits = reporter + developer + maintainer + owner
+ permission read_reject_non_dco_commits = reporter + developer + maintainer + owner
+
+ // Integration permissions
+ permission admin_integrations = maintainer + owner
+ permission create_jira_connect_subscription = owner
+ permission admin_operations = maintainer + owner
+ permission admin_sentry = maintainer + owner
+ permission read_sentry_issue = reporter + developer + maintainer + owner
+ permission update_sentry_issue = developer + maintainer + owner
+
+ // Misc permissions
+ permission add_catalog_resource = owner
+ permission publish_catalog_version = developer + maintainer + owner
+ permission read_namespace_catalog = guest + reporter + developer + maintainer + owner
+ permission create_project = developer + maintainer + owner
+ permission request_access = guest
+ permission read_project_metadata = guest + reporter + developer + maintainer + owner
+ permission view_edit_page = developer + maintainer + owner
+ permission metrics_dashboard = reporter + developer + maintainer + owner
+ permission read_operations_dashboard = owner
+ permission use_k = developer + maintainer + owner
+ permission use_quick_actions = guest + reporter + developer + maintainer + owner
+ permission use_slash_commands = guest + reporter + developer + maintainer + owner
+ permission create_timelog = reporter + developer + maintainer + owner
+ permission admin_timelog = owner
+ permission read_timelog_category = guest + reporter + developer + maintainer + owner
+ permission create_todo = guest + reporter + developer + maintainer + owner
+ permission update_todo = guest + reporter + developer + maintainer + owner
+ permission read_todo = guest + reporter + developer + maintainer + owner
+ permission update_subscription = guest + reporter + developer + maintainer + owner
+ permission delete_project_subscription = owner
+ permission report_spam = guest + reporter + developer + maintainer + owner
+ permission read_issuable = guest + reporter + developer + maintainer + owner
+ permission read_issuable_participables = guest + reporter + developer + maintainer + owner
+ permission read_issuable_resource_link = guest + reporter + developer + maintainer + owner
+ permission admin_issuable_resource_link = developer + maintainer + owner
+ permission read_issuable_metric_image = reporter + developer + maintainer + owner
+ permission update_issuable_metric_image = developer + maintainer + owner
+ permission upload_issuable_metric_image = developer + maintainer + owner
+ permission destroy_issuable_metric_image = developer + maintainer + owner
+ permission read_incident_management_timeline_event = reporter + developer + maintainer + owner
+ permission admin_incident_management_timeline_event = developer + maintainer + owner
+ permission edit_incident_management_timeline_event = developer + maintainer + owner
+ permission read_incident_management_timeline_event_tag = reporter + developer + maintainer + owner
+ permission admin_incident_management_timeline_event_tag = maintainer + owner
+ permission read_incident_management_escalation_policy = reporter + developer + maintainer + owner
+ permission admin_incident_management_escalation_policy = maintainer + owner
+ permission read_incident_management_oncall_schedule = reporter + developer + maintainer + owner
+ permission admin_incident_management_oncall_schedule = maintainer + owner
+ permission update_escalation_status = developer + maintainer + owner
+ permission read_alert_management_alert = reporter + developer + maintainer + owner
+ permission update_alert_management_alert = developer + maintainer + owner
+ permission read_alert_management_metric_image = reporter + developer + maintainer + owner
+ permission update_alert_management_metric_image = developer + maintainer + owner
+ permission upload_alert_management_metric_image = developer + maintainer + owner
+ permission destroy_alert_management_metric_image = developer + maintainer + owner
+ permission publish_status_page = developer + maintainer + owner
+ permission rollover_issues = owner
+
+ // Resource access token permissions
+ permission read_resource_access_tokens = maintainer + owner
+ permission create_resource_access_tokens = owner
+ permission destroy_resource_access_tokens = owner
+ permission manage_resource_access_tokens = owner
+ permission admin_setting_to_allow_resource_access_token_creation = owner
+
+ // Path lock permissions
+ permission create_path_lock = developer + maintainer + owner
+ permission read_path_locks = guest + reporter + developer + maintainer + owner
+ permission admin_path_locks = maintainer + owner
+ permission destroy_path_lock = developer + maintainer + owner
+
+ // On-demand DAST scan permissions
+ permission create_on_demand_dast_scan = developer + maintainer + owner
+ permission read_on_demand_dast_scan = developer + maintainer + owner
+ permission edit_on_demand_dast_scan = developer + maintainer + owner
+
+ // Requirement permissions
+ permission create_requirement = reporter + developer + maintainer + owner
+ permission read_requirement = reporter + developer + maintainer + owner
+ permission update_requirement = reporter + developer + maintainer + owner
+ permission admin_requirement = maintainer + owner
+ permission destroy_requirement = maintainer + owner
+ permission import_requirements = developer + maintainer + owner
+ permission export_requirements = reporter + developer + maintainer + owner
+ permission create_requirement_test_report = reporter + developer + maintainer + owner
+
+ // Test case permissions
+ permission create_test_case = reporter + developer + maintainer + owner
+
+ // Secure file permissions
+ permission read_secure_files = developer + maintainer + owner
+ permission admin_secure_files = maintainer + owner
+
+ // License policy permissions
+ permission read_software_license_policy = reporter + developer + maintainer + owner
+ permission admin_software_license_policy = maintainer + owner
+
+ // Mirror permissions
+ permission admin_mirror = owner
+ permission admin_remote_mirror = owner
+
+ // Trigger permissions
+ permission admin_trigger = owner
+ permission manage_trigger = owner
+
+ // Cluster permissions
+ permission read_cluster = reporter + developer + maintainer + owner
+ permission add_cluster = maintainer + owner
+ permission create_cluster = maintainer + owner
+ permission update_cluster = maintainer + owner
+ permission admin_cluster = owner
+ permission read_cluster_agent = reporter + developer + maintainer + owner
+ permission read_cluster_environments = reporter + developer + maintainer + owner
+
+ // Prometheus and monitoring permissions
+ permission read_prometheus = reporter + developer + maintainer + owner
+ permission read_grafana = reporter + developer + maintainer + owner
+ permission read_pod_logs = developer + maintainer + owner
+
+ // Harbor registry permissions
+ permission read_harbor_registry = reporter + developer + maintainer + owner
+
+ // Build service proxy permissions
+ permission build_service_proxy_enabled = developer + maintainer + owner
+ permission create_build_service_proxy = developer + maintainer + owner
+
+ // Web IDE permissions
+ permission create_web_ide_terminal = developer + maintainer + owner
+ permission read_web_ide_terminal = developer + maintainer + owner
+ permission update_web_ide_terminal = developer + maintainer + owner
+
+ // Resource group permissions
+ permission read_resource_group = reporter + developer + maintainer + owner
+ permission update_resource_group = developer + maintainer + owner
+
+ // Deploy board permissions
+ permission read_deploy_board = reporter + developer + maintainer + owner
+
+ // External email permissions
+ permission read_external_emails = reporter + developer + maintainer + owner
+
+ // Import/Export permissions
+ permission read_import_error = owner
+ permission export_work_items = reporter + developer + maintainer + owner
+ permission import_work_items = developer + maintainer + owner
+
+ // Saved replies permissions
+ permission create_saved_replies = developer + maintainer + owner
+ permission read_saved_replies = guest + reporter + developer + maintainer + owner
+ permission update_saved_replies = developer + maintainer + owner
+ permission destroy_saved_replies = developer + maintainer + owner
+
+ // Other permissions
+ permission cache_blob = guest + reporter + developer + maintainer + owner
+ permission read_blob = guest + reporter + developer + maintainer + owner
+ permission read_commit = guest + reporter + developer + maintainer + owner
+ permission read_build_trace = developer + maintainer + owner
+ permission read_build_metadata = developer + maintainer + owner
+ permission jailbreak = owner
+ permission build_read_container_image = guest + ci_job_token
+ permission apply_suggestion = developer + maintainer + owner
+ permission read_project_subscription = guest + reporter + developer + maintainer + owner
+ permission read_storage_disk_path = owner
+ permission read_dora = reporter + developer + maintainer + owner
+ permission read_product_analytics = reporter + developer + maintainer + owner
+ permission modify_product_analytics_settings = owner
+ permission read_counts = reporter + developer + maintainer + owner
+ permission read_dependency = guest + reporter + developer + maintainer + owner
+ permission read_lifecycle = reporter + developer + maintainer + owner
+ permission read_usage_quotas = owner
+ permission read_limit_alert = owner
+ permission read_licenses = owner
+ permission read_scan = developer + maintainer + owner
+ permission read_event = guest + reporter + developer + maintainer + owner
+ permission read_parent = guest + reporter + developer + maintainer + owner
+ permission read_namespace = guest + reporter + developer + maintainer + owner
+ permission read_namespace_via_membership = guest + reporter + developer + maintainer + owner
+ permission read_nested_project_resources = guest + reporter + developer + maintainer + owner
+ permission view_globally = guest + reporter + developer + maintainer + owner
+ permission receive_notifications = guest + reporter + developer + maintainer + owner
+ permission read_enterprise_ai_analytics = reporter + developer + maintainer + owner
+ permission read_pro_ai_analytics = reporter + developer + maintainer + owner
+ permission read_component = guest + reporter + developer + maintainer + owner
+ permission read_component_version = guest + reporter + developer + maintainer + owner
+ permission read_application_setting = owner
+ permission read_resource_state_event = guest + reporter + developer + maintainer + owner
+ permission read_resource_weight_event = guest + reporter + developer + maintainer + owner
+ permission read_resource_iteration_event = guest + reporter + developer + maintainer + owner
+ permission read_resource_milestone_event = guest + reporter + developer + maintainer + owner
+ permission read_resource_label_event = guest + reporter + developer + maintainer + owner
+ permission read_deploy_key = maintainer + owner
+ permission update_deploy_key = maintainer + owner
+ permission update_deploy_key_title = maintainer + owner
+ permission update_deploy_keys_project = maintainer + owner
+ permission read_custom_emoji = guest + reporter + developer + maintainer + owner
+ permission create_custom_emoji = developer + maintainer + owner
+ permission delete_custom_emoji = owner
+ permission read_external_status_check = reporter + developer + maintainer + owner
+ permission read_external_status_check_response = developer + maintainer + owner
+ permission provide_status_check_response = developer + maintainer + owner
+ permission retry_failed_status_checks = developer + maintainer + owner
+ permission read_jobs_statistics = reporter + developer + maintainer + owner
+ permission read_finding_token_status = developer + maintainer + owner
+ permission read_ci_minutes_limited_summary = reporter + developer + maintainer + owner
+ permission admin_ci_minutes = owner
+ permission create_build_terminal = developer + maintainer + owner
+ permission read_builds = reporter + developer + maintainer + owner
+ permission read_user_achievement = guest + reporter + developer + maintainer + owner
+ permission destroy_user_achievement = owner
+ permission read_abuse_report = owner
+ permission read_emoji = guest + reporter + developer + maintainer + owner
+ permission read_dependency_list_export = developer + maintainer + owner
+ permission create_workspace = developer + maintainer + owner
+ permission read_workspace = developer + maintainer + owner
+ permission update_workspace = developer + maintainer + owner
+ permission read_workspace_variable = developer + maintainer + owner
+ permission read_workspaces_agent_config = developer + maintainer + owner
+ permission access_workspaces_feature = developer + maintainer + owner
+ permission modify_value_stream_dashboard_settings = owner
+ permission read_achievement = guest + reporter + developer + maintainer + owner
+ permission award_achievement = owner
+ permission admin_achievement = owner
+ permission read_all_workspaces = owner
+ permission read_crm_contact = reporter + developer + maintainer + owner
+ permission read_crm_contacts = reporter + developer + maintainer + owner
+ permission set_issue_crm_contacts = reporter + developer + maintainer + owner
+ permission admin_crm_contact = reporter + developer + maintainer + owner
+ permission read_crm_organization = reporter + developer + maintainer + owner
+ permission admin_crm_organization = reporter + developer + maintainer + owner
+ permission read_custom_field = guest + reporter + developer + maintainer + owner
+ permission admin_custom_field = owner
+ permission read_confidential_epic = reporter + developer + maintainer + owner
+ permission read_epic_iid = guest + reporter + developer + maintainer + owner
+ permission read_epic_relation = guest + reporter + developer + maintainer + owner
+ permission read_epic_link_relation = guest + reporter + developer + maintainer + owner
+ permission admin_epic_relation = developer + maintainer + owner
+ permission admin_epic_link_relation = developer + maintainer + owner
+ permission admin_epic_tree_relation = developer + maintainer + owner
+ permission read_duo_workflow_event = developer + maintainer + owner
+ permission read_geo_node = owner
+ permission read_geo_registry = owner
+ permission read_all_geo = owner
+ permission read_virtual_registry = guest + reporter + developer + maintainer + owner
+ permission read_application_statistics = owner
+ permission read_instance_metadata = owner
+ permission read_cloud_connector_status = owner
+ permission read_usage_trends_measurement = owner
+ permission read_billable_member = owner
+ permission read_billing = owner
+ permission edit_billing = owner
+ permission start_trial = owner
+ permission read_licensed_seat = owner
+ permission admin_licensed_seat = owner
+ permission read_member_role = guest + reporter + developer + maintainer + owner
+ permission admin_member_role = owner
+ permission view_member_roles = guest + reporter + developer + maintainer + owner
+ permission link = guest + reporter + developer + maintainer + owner
+ permission unlink = guest + reporter + developer + maintainer + owner
+ permission sign_in_with_saml_provider = guest + reporter + developer + maintainer + owner
+ permission read_saml_user = owner
+ permission read_group_saml_identity = owner
+ permission log_in = guest + reporter + developer + maintainer + owner
+ permission accept_terms = guest + reporter + developer + maintainer + owner
+ permission decline_terms = guest + reporter + developer + maintainer + owner
+ permission access_admin_area = owner
+ permission access_api = guest + reporter + developer + maintainer + owner
+ permission access_git = guest + reporter + developer + maintainer + owner
+ permission access_x_ray_on_instance = owner
+ permission access_advanced_vulnerability_management = developer + maintainer + owner
+ permission access_code_suggestions = developer + maintainer + owner
+ permission access_glab_ask_git_command = developer + maintainer + owner
+ permission execute_graphql_mutation = guest + reporter + developer + maintainer + owner
+ permission receive_notifications = guest + reporter + developer + maintainer + owner
+ permission approve_user = owner
+ permission reject_user = owner
+ permission block_pipl_user = owner
+ permission delete_pipl_user = owner
+ permission view_instance_devops_adoption = owner
+ permission manage_devops_adoption_namespaces = owner
+ permission read_admin_role = owner
+ permission create_admin_role = owner
+ permission update_admin_role = owner
+ permission delete_admin_role = owner
+ permission destroy_licenses = owner
+ permission export_user_permissions = owner
+ permission manage_subscription = owner
+ permission manage_duo_core_settings = owner
+ permission read_duo_core_settings = owner
+ permission manage_self_hosted_models_settings = owner
+ permission read_self_hosted_models_settings = owner
+ permission manage_ldap_admin_links = owner
+ permission read_runner_upgrade_status = owner
+ permission read_custom_attribute = owner
+ permission update_custom_attribute = owner
+ permission read_users_list = owner
+ permission read_admin_users = owner
+ permission read_admin_subscription = owner
+ permission read_admin_system_information = owner
+ permission read_admin_health_check = owner
+ permission read_admin_background_jobs = owner
+ permission read_admin_background_migrations = owner
+ permission read_admin_cicd = owner
+ permission read_admin_gitaly_servers = owner
+ permission read_admin_metrics_dashboard = owner
+ permission create_instance_runner = owner
+ permission update_max_pages_size = owner
+ permission delete_merge_train_car = maintainer + owner
+ permission provision_cloud_runner = owner
+ permission provision_gke_runner = owner
+ permission list_subgroup_epics = reporter + developer + maintainer + owner
+ permission get_user_associations_count = guest + reporter + developer + maintainer + owner
+ permission make_profile_private = guest + reporter + developer + maintainer + owner
+ permission disable_two_factor = owner
+ permission delete_conversation_thread = owner
+ permission audit_event_definitions = owner
+ permission delete_tag = maintainer + owner
+ permission update_deploy_token = maintainer + owner
+ permission update_deploy_key = maintainer + owner
+ permission update_deploy_key_title = maintainer + owner
+ permission update_deploy_keys_project = maintainer + owner
+ permission create_virtual_registry = owner
+ permission update_virtual_registry = owner
+ permission destroy_virtual_registry = owner
+ permission admin_dependency_proxy_packages_settings = owner
+ permission execute_duo_workflow_in_ci = developer + maintainer + owner
+ permission link_forked_project = developer + maintainer + owner
+ permission access_x_ray_on_instance = owner
+ permission read_runner_manager = owner
+ permission read_ephemeral_token = owner
+ permission rotate_token = owner
+ permission revoke_token = owner
+ permission read_token = owner
+ permission read_user_personal_access_tokens = owner
+ permission create_user_personal_access_token = owner
+ permission admin_user_email_address = owner
+ permission read_user_email_address = owner
+ permission read_user_groups = guest + reporter + developer + maintainer + owner
+ permission read_user_membership_counts = guest + reporter + developer + maintainer + owner
+ permission read_user_organizations = guest + reporter + developer + maintainer + owner
+ permission read_user_preference = guest + reporter + developer + maintainer + owner
+ permission read_user_profile = guest + reporter + developer + maintainer + owner
+ permission update_name = guest + reporter + developer + maintainer + owner
+ permission update_user = owner
+ permission update_user_status = guest + reporter + developer + maintainer + owner
+ permission destroy_user = owner
+ permission update_user_achievement = owner
+ permission update_owned_user_achievement = owner
+ permission read_usage = owner
+ permission view_type_of_work_charts = reporter + developer + maintainer + owner
+ permission admin_import_source_user = owner
+ permission create_group_with_default_branch_protection = owner
+ permission create_group_via_api = owner
+ permission update_escalation_status = developer + maintainer + owner
+ permission view_package_registry_project_settings = reporter + developer + maintainer + owner
+ permission admin_group_model_selection = owner
+ permission edit_on_demand_dast_scan = developer + maintainer + owner
+ permission edit_billing = owner
+ permission edit_group_approval_rule = owner
+ permission edit_approval_rule = maintainer + owner
+ permission admin_software_license_policy = maintainer + owner
+ permission read_software_license_policy = reporter + developer + maintainer + owner
+ permission bulk_admin_epic = owner
}
-definition group {
+definition user {
+ relation organization_member: organization
+ relation organization_owner: organization
+
+ permission admin_user = user + organization_owner
+ permission create_user_personal_access_token = user
+ permission manage_user_personal_access_token = user
+ permission read_user = user + organization_member + organization_owner
+
+ // Additional user permissions
+ permission read_user_profile = user
+ permission read_user_preference = user
+ permission read_user_email_address = user
+ permission admin_user_email_address = user + organization_owner
+ permission read_user_groups = user
+ permission read_user_organizations = user
+ permission read_user_membership_counts = user
+ permission read_user_personal_access_tokens = user
+ permission update_user = user
+ permission update_user_status = user
+ permission update_name = user
+ permission destroy_user = user + organization_owner
+ permission disable_two_factor = user + organization_owner
+ permission make_profile_private = user
+ permission get_user_associations_count = user
+ permission create_saved_replies = user
+ permission read_saved_replies = user
+ permission update_saved_replies = user
+ permission destroy_saved_replies = user
+ permission create_snippet = user
+ permission read_user_achievement = user
+ permission update_user_achievement = user + organization_owner
+ permission update_owned_user_achievement = user
+ permission destroy_user_achievement = user + organization_owner
+ permission receive_notifications = user
+ permission log_in = user
+ permission access_api = user
+ permission access_git = user
+ permission execute_graphql_mutation = user
+ permission use_quick_actions = user
+ permission use_slash_commands = user
+ permission request_access = user
+ permission export_user_permissions = organization_owner
+}
+
+// Wiki resource
+definition wiki_page {
+ relation project: project
+ relation group: group
+ relation author: user
+
+ permission read_wiki_page = project->read_wiki + group->read_wiki
+ permission create_note = project->create_note + group->create_note
+ permission read_note = project->read_note + group->read_note
+ permission update_subscription = project->guest_access + group->guest_access
+}
+
+// Snippet resource
+definition snippet {
+ relation project: project
+ relation author: user
+ relation namespace: user
+
+ permission read_snippet = author + project->read_snippet
+ permission admin_snippet = author + project->admin_snippet
+ permission update_snippet = author + project->update_snippet
+ permission cache_blob = author + project->guest_access
+ permission create_note = author + project->create_note
+ permission read_note = project->read_note
+ permission award_emoji = project->guest_access
}
-definition resource {
- relation reader: user | user:*
- relation writer: user | user:*
+// Milestone resource
+definition milestone {
+ relation project: project
+ relation group: group
+
+ permission read_milestone = project->read_milestone + group->read_milestone
+ permission admin_milestone = project->admin_milestone + group->admin_milestone
+ permission read_resource_milestone_event = project->read_resource_milestone_event + group->read_resource_milestone_event
+}
+
+// Label resource
+definition label {
+ relation project: project
+ relation group: group
+
+ permission read_label = project->read_label + group->read_label
+ permission admin_label = project->admin_label + group->admin_label
+ permission read_resource_label_event = project->read_resource_label_event + group->read_resource_label_event
+}
+
+// Tag resource
+definition tag {
+ relation project: project
+ relation creator: user
+
+ permission delete_tag = project->delete_tag
+ permission admin_tag = project->admin_tag
+}
+
+// Branch resource
+definition branch {
+ relation project: project
+
+ permission create_branch_rule = project->create_branch_rule
+ permission read_branch_rule = project->read_branch_rule
+ permission update_branch_rule = project->update_branch_rule
+ permission destroy_branch_rule = project->destroy_branch_rule
+}
+
+// Protected branch resource
+definition protected_branch {
+ relation project: project
+
+ permission create_protected_branch = project->create_protected_branch
+ permission read_protected_branch = project->read_protected_branch
+ permission update_protected_branch = project->update_protected_branch
+ permission destroy_protected_branch = project->destroy_protected_branch
+ permission admin_protected_branch = project->admin_protected_branch
+}
+
+// Protected tag resource
+definition protected_tag {
+ relation project: project
+
+ permission create_protected_tags = project->create_protected_tags
+ permission read_protected_tags = project->read_protected_tags
+ permission update_protected_tags = project->update_protected_tags
+ permission destroy_protected_tags = project->destroy_protected_tags
+ permission manage_protected_tags = project->manage_protected_tags
+}
+
+// Pipeline schedule resource
+definition pipeline_schedule {
+ relation project: project
+ relation owner: user
+
+ permission read_pipeline_schedule = project->read_pipeline_schedule
+ permission update_pipeline_schedule = owner + project->update_pipeline_schedule
+ permission admin_pipeline_schedule = project->admin_pipeline_schedule
+ permission play_pipeline_schedule = owner + project->play_pipeline_schedule
+ permission take_ownership_pipeline_schedule = project->take_ownership_pipeline_schedule
+ permission read_pipeline_schedule_variables = project->read_pipeline_schedule_variables
+}
- permission read = reader + writer
- permission create = writer
- permission update = writer
- permission delete = writer
+// Feature flag resource
+definition feature_flag {
+ relation project: project
+
+ permission create_feature_flag = project->create_feature_flag
+ permission read_feature_flag = project->read_feature_flag
+ permission update_feature_flag = project->update_feature_flag
+ permission admin_feature_flag = project->admin_feature_flag
+ permission destroy_feature_flag = project->destroy_feature_flag
+ permission admin_feature_flags_client = project->admin_feature_flags_client
+ permission admin_feature_flags_user_lists = project->admin_feature_flags_user_lists
+ permission admin_feature_flags_issue_links = project->admin_feature_flags_issue_links
}
+
+// Alert management resource
+definition alert {
+ relation project: project
+
+ permission read_alert_management_alert = project->read_alert_management_alert
+ permission update_alert_management_alert = project->update_alert_management_alert
+ permission read_alert_management_metric_image = project->read_alert_management_metric_image
+ permission update_alert_management_metric_image = project->update_alert_management_metric_image
+ permission upload_alert_management_metric_image = project->upload_alert_management_metric_image
+ permission destroy_alert_management_metric_image = project->destroy_alert_management_metric_image
+}
+
+// Incident management resource
+definition incident {
+ relation project: project
+
+ permission read_incident_management_timeline_event = project->read_incident_management_timeline_event
+ permission admin_incident_management_timeline_event = project->admin_incident_management_timeline_event
+ permission edit_incident_management_timeline_event = project->edit_incident_management_timeline_event
+ permission read_incident_management_timeline_event_tag = project->read_incident_management_timeline_event_tag
+ permission admin_incident_management_timeline_event_tag = project->admin_incident_management_timeline_event_tag
+ permission read_incident_management_escalation_policy = project->read_incident_management_escalation_policy
+ permission admin_incident_management_escalation_policy = project->admin_incident_management_escalation_policy
+ permission read_incident_management_oncall_schedule = project->read_incident_management_oncall_schedule
+ permission admin_incident_management_oncall_schedule = project->admin_incident_management_oncall_schedule
+ permission update_escalation_status = project->update_escalation_status
+}
+
+// On-demand DAST scan resource
+definition on_demand_dast_scan {
+ relation project: project
+
+ permission create_on_demand_dast_scan = project->create_on_demand_dast_scan
+ permission read_on_demand_dast_scan = project->read_on_demand_dast_scan
+ permission edit_on_demand_dast_scan = project->edit_on_demand_dast_scan
+}
+
+// Requirement resource
+definition requirement {
+ relation project: project
+
+ permission create_requirement = project->create_requirement
+ permission read_requirement = project->read_requirement
+ permission update_requirement = project->update_requirement
+ permission admin_requirement = project->admin_requirement
+ permission destroy_requirement = project->destroy_requirement
+}
+
+// Build resource
+definition build {
+ relation project: project
+ relation pipeline: pipeline
+ relation user: user
+
+ permission read_build = project->read_build
+ permission read_build_trace = project->read_build_trace
+ permission read_build_metadata = project->read_build_metadata
+ permission read_job_artifacts = project->read_job_artifacts
+ permission update_build = project->update_build
+ permission cancel_build = user + project->cancel_build
+ permission erase_build = project->erase_build
+ permission play_job = project->play_job
+ permission create_build_terminal = project->create_build_terminal
+ permission read_web_ide_terminal = project->read_web_ide_terminal
+ permission update_web_ide_terminal = project->update_web_ide_terminal
+ permission create_build_service_proxy = project->create_build_service_proxy
+ permission update_commit_status = project->update_commit_status
+}
+
+// CI job resource (enhanced)
+definition ci_job {
+ relation pipeline: pipeline
+ relation project: project
+ relation runner: runner
+
+ permission create_build = project->create_pipeline
+ permission download_code = project->download_code
+ permission read_build = project->read_build
+ permission read_container_image = project->read_container_image
+ permission read_project = project->read_project
+ permission read_ci_minutes_limited_summary = project->read_ci_minutes_limited_summary
+ permission jailbreak = project->jailbreak
+}
+
+// Pipeline resource (enhanced)
+definition pipeline {
+ relation author: user
+ relation ci_job_token: ci_job
+ relation project: project
+
+ permission admin_pipeline = project->admin_pipeline
+ permission cancel_pipeline = project->developer + author
+ permission read_pipeline = project->read_project
+ permission update_pipeline = project->developer + author + ci_job_token
+ permission destroy_pipeline = project->destroy_pipeline
+ permission read_pipeline_metadata = project->read_pipeline_metadata
+ permission read_pipeline_variable = project->read_pipeline_variable
+}
+
+// Runner resource (enhanced)
+definition runner {
+ relation group: group
+ relation instance: organization
+ relation organization: organization
+ relation project: project
+
+ permission admin_runner = project->admin_runner + group->admin_runner + organization->admin_organization
+ permission assign_runner = project->maintainer + group->maintainer + organization->admin
+ permission read_runner = project->read_project + group->read + organization->read
+ permission update_runner = project->admin_runner + group->admin_runner + organization->admin
+ permission delete_runner = project->admin_runner + group->admin_runner + organization->admin
+ permission read_builds = project->read_build + group->developer + organization->admin
+ permission read_ephemeral_token = project->admin_runner + group->admin_runner + organization->admin
+}
+
+// Issue resource (enhanced)
+definition issue {
+ relation assignee: user
+ relation author: user
+ relation epic: epic
+ relation project: project
+
+ permission admin_issue = project->admin_issue
+ permission create_issue = project->create_issue
+ permission promote_to_epic = project->reporter
+ permission read_issue = project->read_project
+ permission set_confidentiality = project->reporter
+ permission update_issue = project->admin_issue + author + assignee
+ permission reopen_issue = project->reopen_issue
+ permission destroy_issue = project->destroy_issue
+ permission clone_issue = project->clone_issue
+ permission move_issue = project->move_issue
+ permission set_issue_metadata = project->set_issue_metadata
+ permission set_issue_crm_contacts = project->set_issue_crm_contacts
+ permission set_issue_iid = project->set_issue_iid
+ permission set_issue_created_at = project->set_issue_created_at
+ permission set_issue_updated_at = project->set_issue_updated_at
+ permission admin_issue_link = project->admin_issue_link
+ permission read_issue_link = project->read_issue_link
+ permission admin_issue_relation = project->admin_issue_relation
+ permission create_note = project->create_note
+ permission read_note = project->read_note
+ permission admin_note = project->admin_note
+ permission award_emoji = project->award_emoji
+ permission create_todo = project->create_todo
+ permission mark_note_as_internal = project->mark_note_as_internal
+ permission read_crm_contacts = project->read_crm_contacts
+ permission update_subscription = project->update_subscription
+}
+
+// Merge request resource (enhanced)
+definition merge_request {
+ relation assignee: user
+ relation author: user
+ relation project: project
+ relation reviewer: user
+
+ permission accept_merge_request = project->accept_merge_request
+ permission admin_merge_request = project->developer + author
+ permission approve_merge_request = project->approve_merge_request + reviewer
+ permission create_merge_request_from = project->create_merge_request_from
+ permission read_merge_request = project->read_project
+ permission update_merge_request = project->update_merge_request
+ permission destroy_merge_request = project->destroy_merge_request
+ permission reopen_merge_request = project->reopen_merge_request
+ permission set_merge_request_metadata = project->set_merge_request_metadata
+ permission create_merge_request_approval_rules = project->create_merge_request_approval_rules
+ permission update_approvers = project->update_approvers
+ permission reset_merge_request_approvals = project->reset_merge_request_approvals
+ permission create_todo = project->create_todo
+ permission mark_note_as_internal = project->mark_note_as_internal
+ permission update_subscription = project->update_subscription
+ permission access_generate_commit_message = project->access_generate_commit_message
+ permission access_summarize_review = project->access_summarize_review
+ permission provide_status_check_response = project->provide_status_check_response
+ permission read_external_status_check_response = project->read_external_status_check_response
+ permission retry_failed_status_checks = project->retry_failed_status_checks
+}
+
+// Epic resource (enhanced)
+definition epic {
+ relation assignee: user
+ relation author: user
+ relation group: group
+
+ permission admin_epic = group->admin_epic + author
+ permission create_epic = group->reporter
+ permission read_epic = group->read
+ permission update_epic = group->admin_epic + author + assignee
+ permission destroy_epic = group->owner
+ permission set_epic_metadata = group->reporter
+ permission set_epic_created_at = group->owner
+ permission set_epic_updated_at = group->owner
+ permission set_confidentiality = group->reporter
+ permission admin_epic_relation = group->developer
+ permission admin_epic_link_relation = group->developer
+ permission admin_epic_tree_relation = group->developer
+ permission create_epic_tree_relation = group->developer
+ permission read_epic_iid = group->read
+ permission read_epic_relation = group->read
+ permission read_epic_link_relation = group->read
+ permission create_note = group->create_note
+ permission read_note = group->read_note
+ permission admin_note = group->admin_note
+ permission award_emoji = group->award_emoji
+ permission create_todo = group->create_todo
+ permission mark_note_as_internal = group->mark_note_as_internal
+ permission measure_comment_temperature = group->measure_comment_temperature
+ permission read_issuable = group->read
+ permission read_issuable_participables = group->read
+ permission resolve_note = group->developer
+ permission summarize_comments = group->summarize_comments
+}
+
+// Work item resource (enhanced)
+definition work_item {
+ relation assignee: user
+ relation author: user
+ relation project: project
+
+ permission admin_work_item = project->admin_issue
+ permission create_work_item = project->create_issue
+ permission read_work_item = project->read_project
+ permission update_work_item = project->admin_issue + author + assignee
+ permission delete_work_item = project->owner
+ permission clone_work_item = project->clone_work_item
+ permission move_work_item = project->move_work_item
+ permission set_work_item_metadata = project->set_work_item_metadata
+ permission admin_work_item_link = project->admin_work_item_link
+ permission admin_parent_link = project->admin_parent_link
+ permission report_spam = project->report_spam
+}
+
+// Vulnerability resource (enhanced)
+definition vulnerability {
+ relation author: user
+ relation finding: finding
+ relation project: project
+
+ permission admin_vulnerability = project->admin_vulnerability
+ permission create_vulnerability_feedback = project->create_vulnerability_feedback
+ permission read_vulnerability = project->read_vulnerability
+ permission read_vulnerability_representation_information = project->read_vulnerability_representation_information
+ permission create_external_issue_link = project->create_external_issue_link
+}
+
+// Finding resource (enhanced)
+definition finding {
+ relation project: project
+ relation scanner: scanner
+
+ permission admin_finding = project->admin_vulnerability
+ permission read_finding = project->read_vulnerability
+ permission read_finding_token_status = project->read_finding_token_status
+}
+
+// Container repository resource (enhanced)
+definition container_repository {
+ relation group: group
+ relation project: project
+
+ permission admin_container_image = project->admin_container_image
+ permission destroy_container_image = project->admin_container_image
+ permission read_container_image = project->read_container_image + group->read_container_image
+ permission create_container_image = project->create_container_image
+ permission update_container_image = project->update_container_image
+ permission destroy_container_image_tag = project->destroy_container_image_tag
+}
+
+// Package resource (enhanced)
+definition package {
+ relation group: group
+ relation project: project
+
+ permission admin_package = project->admin_package + group->admin_package
+ permission create_package = project->developer
+ permission destroy_package = project->admin_package
+ permission read_package = project->read_package + group->read_package
+ permission read_package_within_public_registries = project->read_package_within_public_registries + group->read_package_within_public_registries
+}
+
+// Environment resource (enhanced)
+definition environment {
+ relation deployment: deployment
+ relation project: project
+
+ permission admin_environment = project->maintainer
+ permission read_environment = project->read_project
+ permission stop_environment = project->developer
+ permission create_environment = project->create_environment
+ permission update_environment = project->update_environment
+ permission destroy_environment = project->destroy_environment
+ permission create_environment_terminal = project->create_environment_terminal
+}
+
+// Deployment resource (enhanced)
+definition deployment {
+ relation author: user
+ relation environment: environment
+ relation project: project
+
+ permission admin_deployment = project->maintainer
+ permission approve_deployment = project->maintainer
+ permission read_deployment = project->read_project
+ permission create_deployment = project->create_deployment
+ permission update_deployment = project->update_deployment
+ permission destroy_deployment = project->destroy_deployment
+ permission read_pages_deployments = project->read_pages_deployments
+ permission update_pages_deployments = project->update_pages_deployments
+}
+
+// Member role resource (enhanced)
+definition member_role {
+ relation group: group
+ relation organization: organization
+
+ permission admin_member_role = group->owner + organization->admin
+ permission read_member_role = group->read + organization->read
+ permission delete_admin_role = organization->admin
+ permission read_admin_role = organization->admin
+ permission update_admin_role = organization->admin
+}
+
+// Compliance framework resource (enhanced)
+definition compliance_framework {
+ relation group: group
+ relation organization: organization
+
+ permission admin_compliance_framework = group->admin_compliance_framework + organization->admin_compliance_framework
+ permission read_compliance_framework = group->read + organization->read
+ permission admin_compliance_pipeline_configuration = group->admin_compliance_pipeline_configuration
+}
+
+// Audit event resource (enhanced)
+definition audit_event {
+ relation group: group
+ relation project: project
+ relation organization: organization
+
+ permission admin_external_audit_events = group->owner + organization->admin_external_audit_events
+ permission read_audit_event = group->owner + project->owner + organization->admin
+ permission read_admin_audit_log = organization->admin
+ permission admin_instance_external_audit_events = organization->admin
+ permission audit_event_definitions = organization->admin
+}
+
+// Deploy token resource (enhanced)
+definition deploy_token {
+ relation project: project
+ relation group: group
+
+ permission read_registry = project->read_container_image + group->read_container_image
+ permission read_repository = project->read_code + group->read_code
+ permission write_registry = project->developer + group->developer
+ permission create_deploy_token = project->create_deploy_token + group->create_deploy_token
+ permission update_deploy_token = project->update_deploy_token + group->manage_deploy_tokens
+}
+
+// Personal access token resource (enhanced)
+definition personal_access_token {
+ relation user: user
+ relation organization: organization
+
+ permission admin_token = user->user + organization->admin
+ permission use_token = user->user + organization->member
+ permission read_token = user->user
+ permission revoke_token = user->user + organization->admin
+ permission rotate_token = user->user
+}
+
+// Scanner resource (enhanced)
+definition scanner {
+ relation project: project
+ relation group: group
+
+ permission admin_scanner = project->admin_vulnerability + group->admin_vulnerability
+ permission read_scanner = project->read_project + group->read
+ permission read_scan = project->read_scan
+}
+
+// Note resource
+definition note {
+ relation project: project
+ relation group: group
+ relation author: user
+ relation noteable_issue: issue
+ relation noteable_merge_request: merge_request
+ relation noteable_epic: epic
+
+ permission read_note = project->read_note + group->read_note + author
+ permission admin_note = project->admin_note + group->admin_note + author
+ permission update_note = author + project->admin_note + group->admin_note
+ permission resolve_note = project->resolve_note + group->resolve_note
+ permission reposition_note = project->reposition_note + group->reposition_note
+ permission mark_note_as_internal = project->mark_note_as_internal + group->mark_note_as_internal
+ permission award_emoji = project->award_emoji + group->award_emoji
+}
+
+// Todo resource
+definition todo {
+ relation user: user
+ relation project: project
+ relation group: group
+
+ permission read_todo = user
+ permission update_todo = user
+}
+
+// Timelog resource
+definition timelog {
+ relation project: project
+ relation group: group
+ relation user: user
+
+ permission admin_timelog = project->admin_timelog + group->admin_timelog
+ permission create_timelog = project->create_timelog + group->create_timelog
+}
+
+// Custom emoji resource
+definition custom_emoji {
+ relation group: group
+ relation creator: user
+
+ permission read_custom_emoji = group->read_custom_emoji
+ permission delete_custom_emoji = group->delete_custom_emoji + creator
+}
+
+// Saved reply resource
+definition saved_reply {
+ relation user: user
+ relation project: project
+ relation group: group
+
+ permission create_saved_replies = user + project->create_saved_replies + group->create_saved_replies
+ permission read_saved_replies = user + project->read_saved_replies + group->read_saved_replies
+ permission update_saved_replies = user + project->update_saved_replies + group->update_saved_replies
+ permission destroy_saved_replies = user + project->destroy_saved_replies + group->destroy_saved_replies
+}
+
+// Achievement resource
+definition achievement {
+ relation namespace: group
+ relation user: user
+
+ permission read_achievement = namespace->read_achievement
+ permission admin_achievement = namespace->admin_achievement
+ permission award_achievement = namespace->award_achievement
+ permission read_user_achievement = user
+ permission update_user_achievement = namespace->admin_achievement
+ permission update_owned_user_achievement = user
+ permission destroy_user_achievement = namespace->admin_achievement
+}
+
+// Virtual registry resource
+definition virtual_registry {
+ relation group: group
+
+ permission read_virtual_registry = group->read_virtual_registry
+ permission create_virtual_registry = group->create_virtual_registry
+ permission update_virtual_registry = group->update_virtual_registry
+ permission destroy_virtual_registry = group->destroy_virtual_registry
+}
+
+// Workspace resource
+definition workspace {
+ relation project: project
+ relation user: user
+
+ permission create_workspace = project->create_workspace
+ permission read_workspace = project->read_workspace + user
+ permission update_workspace = project->update_workspace + user
+ permission read_workspace_variable = project->read_workspace_variable
+ permission read_workspaces_agent_config = project->read_workspaces_agent_config
+ permission access_workspaces_feature = project->access_workspaces_feature
+ permission read_all_workspaces = project->owner
+}
+
+// CRM contact resource
+definition crm_contact {
+ relation group: group
+
+ permission read_crm_contact = group->read_crm_contact
+ permission admin_crm_contact = group->admin_crm_contact
+}
+
+// CRM organization resource
+definition crm_organization {
+ relation group: group
+
+ permission read_crm_organization = group->read_crm_organization
+ permission admin_crm_organization = group->admin_crm_organization
+}
+
+// Custom field resource
+definition custom_field {
+ relation project: project
+ relation group: group
+
+ permission read_custom_field = project->read_custom_field + group->read_custom_field
+ permission admin_custom_field = project->admin_custom_field + group->admin_custom_field
+}
+
+// Duo workflow resource
+definition duo_workflow {
+ relation group: group
+ relation project: project
+
+ permission admin_duo_workflow = group->admin_duo_workflow
+ permission read_duo_workflow = group->read_duo_workflow + project->duo_workflow
+ permission update_duo_workflow = group->update_duo_workflow
+ permission destroy_duo_workflow = group->destroy_duo_workflow
+ permission execute_duo_workflow_in_ci = group->execute_duo_workflow_in_ci + project->execute_duo_workflow_in_ci
+ permission read_duo_workflow_event = group->read_duo_workflow_event + project->read_duo_workflow_event
+}
+
+// Group stage resource
+definition group_stage {
+ relation group: group
+
+ permission create_group_stage = group->create_group_stage
+ permission read_group_stage = group->read_group_stage
+ permission update_group_stage = group->update_group_stage
+ permission delete_group_stage = group->delete_group_stage
+}
+
+// Resource access token resource
+definition resource_access_token {
+ relation project: project
+ relation group: group
+
+ permission read_resource_access_tokens = project->read_resource_access_tokens + group->read_resource_access_tokens
+ permission create_resource_access_tokens = project->create_resource_access_tokens + group->create_resource_access_tokens
+ permission destroy_resource_access_tokens = project->destroy_resource_access_tokens + group->destroy_resource_access_tokens
+ permission manage_resource_access_tokens = project->manage_resource_access_tokens + group->manage_resource_access_tokens
+}
+
+// Cluster resource
+definition cluster {
+ relation project: project
+ relation group: group
+ relation instance: organization
+
+ permission read_cluster = project->read_cluster + group->read_cluster + instance->read
+ permission add_cluster = project->add_cluster + group->add_cluster + instance->admin
+ permission create_cluster = project->create_cluster + group->create_cluster + instance->admin
+ permission update_cluster = project->update_cluster + group->update_cluster + instance->admin
+ permission admin_cluster = project->admin_cluster + group->admin_cluster + instance->admin
+ permission read_cluster_environments = project->read_cluster_environments + group->read_cluster_environments + instance->read
+ permission use_k = project->use_k + group->use_k + instance->admin
+}
+
+// Cluster agent resource
+definition cluster_agent {
+ relation project: project
+ relation group: group
+ relation organization: organization
+
+ permission read_cluster_agent = project->read_cluster_agent + group->read_cluster_agent + organization->read_organization_cluster_agent_mapping
+ permission admin_namespace_cluster_agent_mapping = group->admin_namespace_cluster_agent_mapping
+ permission admin_organization_cluster_agent_mapping = organization->admin_organization_cluster_agent_mapping
+ permission read_namespace_cluster_agent_mapping = group->read_namespace_cluster_agent_mapping
+ permission read_organization_cluster_agent_mapping = organization->read_organization_cluster_agent_mapping
+}
+
+// Service account resource
+definition service_account {
+ relation organization: organization
+ relation group: group
+
+ permission admin_service_accounts = organization->admin_service_accounts + group->admin_service_accounts
+ permission create_service_account = organization->create_service_account + group->create_service_account
+ permission delete_service_account = organization->delete_service_account + group->delete_service_account
+ permission admin_service_account_member = group->admin_service_account_member
+}
+
+// Import source user resource
+definition source_user {
+ relation namespace: group
+
+ permission admin_import_source_user = namespace->owner
+}
+
+// Admin role resource
+definition admin_role {
+ relation organization: organization
+
+ permission read_admin_role = organization->admin
+ permission create_admin_role = organization->admin
+ permission update_admin_role = organization->admin
+ permission delete_admin_role = organization->admin
+}
+
+// Terms resource
+definition term {
+ relation user: user
+
+ permission accept_terms = user
+ permission decline_terms = user
+}
+
+// SAML provider resource
+definition saml_provider {
+ relation group: group
+
+ permission sign_in_with_saml_provider = group->guest_access
+ permission admin_group_saml = group->admin_group_saml
+ permission read_group_saml_identity = group->read_group_saml_identity
+ permission admin_saml_group_links = group->admin_saml_group_links
+ permission read_saml_user = group->read_saml_user
+}
+
+// Thread resource (for conversations)
+definition thread {
+ relation user: user
+
+ permission delete_conversation_thread = user
+}
+
+// Global resource for instance-wide permissions
+definition global {
+ relation admin: user
+ relation user: user
+
+ permission access_admin_area = admin
+ permission access_api = user
+ permission access_git = user
+ permission access_code_suggestions = user
+ permission access_duo_chat = user
+ permission access_duo_core_features = user
+ permission access_glab_ask_git_command = user
+ permission access_workspaces_feature = user
+ permission access_x_ray_on_instance = admin
+ permission admin_instance_external_audit_events = admin
+ permission admin_member_role = admin
+ permission admin_service_accounts = admin
+ permission admin_web_hook = admin
+ permission approve_user = admin
+ permission create_admin_role = admin
+ permission create_group = user
+ permission create_group_via_api = user
+ permission create_group_with_default_branch_protection = admin
+ permission create_instance_runner = admin
+ permission create_organization = admin
+ permission create_snippet = user
+ permission destroy_licenses = admin
+ permission execute_graphql_mutation = user
+ permission export_user_permissions = admin
+ permission log_in = user
+ permission manage_devops_adoption_namespaces = admin
+ permission manage_duo_core_settings = admin
+ permission manage_ldap_admin_links = admin
+ permission manage_self_hosted_models_settings = admin
+ permission manage_subscription = admin
+ permission read_admin_audit_log = admin
+ permission read_admin_background_jobs = admin
+ permission read_admin_background_migrations = admin
+ permission read_admin_cicd = admin
+ permission read_admin_gitaly_servers = admin
+ permission read_admin_health_check = admin
+ permission read_admin_metrics_dashboard = admin
+ permission read_admin_role = admin
+ permission read_admin_subscription = admin
+ permission read_admin_system_information = admin
+ permission read_admin_users = admin
+ permission read_all_geo = admin
+ permission read_all_workspaces = admin
+ permission read_application_statistics = admin
+ permission read_billable_member = admin
+ permission read_cloud_connector_status = admin
+ permission read_custom_attribute = admin
+ permission read_instance_metadata = admin
+ permission read_jobs_statistics = admin
+ permission read_licenses = admin
+ permission read_member_role = admin
+ permission read_operations_dashboard = admin
+ permission read_runner_upgrade_status = admin
+ permission read_runner_usage = admin
+ permission read_usage_trends_measurement = admin
+ permission read_users_list = admin
+ permission read_web_hook = admin
+ permission receive_notifications = user
+ permission reject_user = admin
+ permission update_custom_attribute = admin
+ permission update_max_pages_size = admin
+ permission use_project_statistics_filters = user
+ permission use_quick_actions = user
+ permission use_slash_commands = user
+ permission view_instance_devops_adoption = admin
+ permission view_member_roles = user
+ permission view_productivity_analytics = user
+ permission read_duo_core_settings = admin
+ permission read_self_hosted_models_settings = admin
+} \ No newline at end of file