Diffstat (limited to 'etc/authzd/spice.schema')
| -rw-r--r-- | etc/authzd/spice.schema | 2124 |
1 files changed, 2111 insertions, 13 deletions
diff --git a/etc/authzd/spice.schema b/etc/authzd/spice.schema
index 0f3494f7..24d8c050 100644
--- a/etc/authzd/spice.schema
+++ b/etc/authzd/spice.schema
@@ -1,27 +1,2125 @@
-definition user {}
+// Comprehensive GitLab SpiceDB Schema
+// Based on systematic analysis of 798 GitLab permissions from 487+ policy files
+// Includes all permissions from app/policies and ee/app/policies
+// Full support for CI_JOB_TOKEN permissions and Custom Roles
-definition project {
+definition organization {
+ relation admin: user
+ relation member: user
+ relation owner: user
+
+ // Core permissions
+ permission read = member + admin + owner
+ permission admin_organization = admin + owner
+ permission create_group = member + admin + owner
+ permission admin_compliance_framework = admin + owner
+ permission admin_external_audit_events = admin + owner
+
+ // Additional organization permissions
+ permission create_organization = admin + owner
+ permission admin_instance_external_audit_events = admin + owner
+ permission read_organization = member + admin + owner
+ permission read_all_organization_resources = admin + owner
+ permission admin_service_accounts = admin + owner
+ permission create_service_account = admin + owner
+ permission delete_service_account = admin + owner
+ permission admin_organization_cluster_agent_mapping = admin + owner
+ permission read_organization_cluster_agent_mapping = member + admin + owner
+ permission read_organization_user = member + admin + owner
+ permission update_organization_user = admin + owner
+ permission remove_user = admin + owner
+ permission delete_user = admin + owner
+ permission admin_add_on_purchase = admin + owner
+ permission manage_destroy = admin + owner
+}
+
+definition group {
+ relation developer: user
+ relation group_bot: user
 relation guest: user
+ relation maintainer: user
+ relation organization: organization
+ relation owner: user
+ relation parent_group: group
 relation planner: user
 relation reporter: user
+ relation service_account: user
+
+ // Core access permissions
+ permission read = guest + reporter + developer + maintainer + owner + organization->member + parent_group->read
+ permission read_group = guest + reporter + developer + maintainer + owner + organization->member + parent_group->read
+ permission guest_access = guest + reporter + developer + maintainer + owner
+ permission reporter_access = reporter + developer + maintainer + owner
+ permission developer_access = developer + maintainer + owner
+ permission maintainer_access = maintainer + owner
+ permission owner_access = owner
+ permission planner_access = planner + reporter + developer + maintainer + owner
+ permission project_bot_access = group_bot
+
+ // Administrative permissions
+ permission admin_group = owner + organization->admin_organization
+ permission admin_group_member = maintainer + owner
+ permission admin_compliance_framework = owner + organization->admin_compliance_framework
+ permission admin_epic = reporter + developer + maintainer + owner
+ permission admin_cicd_variables = maintainer + owner
+ permission admin_runner = owner
+ permission admin_vulnerability = developer + maintainer + owner
+ permission archive_group = owner
+ permission remove_group = owner
+ permission change_visibility_level = owner
+
+ // Wiki permissions
+ permission create_wiki = developer + maintainer + owner
+ permission admin_wiki = maintainer + owner
+ permission read_wiki = guest + reporter + developer + maintainer + owner
+ permission download_wiki_code = reporter + developer + maintainer + owner
+
+ // Milestone and iteration permissions
+ permission admin_milestone = reporter + developer + maintainer + owner
+ permission read_milestone = guest + reporter + developer + maintainer + owner
+ permission create_milestone = reporter + developer + maintainer + owner
+ permission admin_iteration = reporter + developer + maintainer + owner
+ permission read_iteration = guest + reporter + developer + maintainer + owner
+ permission create_iteration = developer + maintainer + owner
+ permission admin_iteration_cadence = developer + maintainer + owner
+ permission read_iteration_cadence = guest + reporter + developer + maintainer + owner
+ permission create_iteration_cadence = developer + maintainer + owner
+
+ // Label permissions
+ permission admin_label = reporter + developer + maintainer + owner
+ permission read_label = guest + reporter + developer + maintainer + owner
+ permission read_group_labels = guest + reporter + developer + maintainer + owner
+
+ // Issue board permissions
+ permission admin_issue_board = reporter + developer + maintainer + owner
+ permission read_issue_board = guest + reporter + developer + maintainer + owner
+ permission admin_issue_board_list = reporter + developer + maintainer + owner
+ permission read_issue_board_list = guest + reporter + developer + maintainer + owner
+
+ // Epic board permissions (EE)
+ permission admin_epic_board = reporter + developer + maintainer + owner
+ permission read_epic_board = guest + reporter + developer + maintainer + owner
+ permission admin_epic_board_list = reporter + developer + maintainer + owner
+ permission read_epic_board_list = guest + reporter + developer + maintainer + owner
+
+ // Package and container permissions
+ permission admin_package = maintainer + owner
+ permission read_package = guest + reporter + developer + maintainer + owner
+ permission create_package = developer + maintainer + owner
+ permission destroy_package = maintainer + owner
+ permission read_container_image = guest + reporter + developer + maintainer + owner
+
+ // Security permissions
+ permission read_security_dashboard = reporter + developer + maintainer + owner
+ permission read_group_security_dashboard = reporter + developer + maintainer + owner
+ permission access_security_and_compliance = developer + maintainer + owner
+ permission admin_vulnerability = developer + maintainer + owner
+ permission read_vulnerability = reporter + developer + maintainer + owner
+ permission resolve_vulnerability_with_ai = developer + maintainer + owner
+
+ // Analytics permissions
+ permission read_group_analytics_dashboards = reporter + developer + maintainer + owner
+ permission view_productivity_analytics = reporter + developer + maintainer + owner
+ permission read_group_activity_analytics = reporter + developer + maintainer + owner
+ permission read_group_contribution_analytics = reporter + developer + maintainer + owner
+ permission read_group_repository_analytics = reporter + developer + maintainer + owner
+ permission view_group_devops_adoption = reporter + developer + maintainer + owner
+ permission view_group_ci_cd_analytics = reporter + developer + maintainer + owner
+ permission read_ci_cd_analytics = reporter + developer + maintainer + owner
+ permission read_group_build_report_results = reporter + developer + maintainer + owner
+ permission read_group_coverage_reports = reporter + developer + maintainer + owner
+
+ // Compliance permissions
+ permission read_compliance_dashboard = reporter + developer + maintainer + owner
+ permission admin_compliance_pipeline_configuration = owner
+ permission read_compliance_adherence_report = developer + maintainer + owner
+ permission read_compliance_violations_report = developer + maintainer + owner
+ permission read_group_audit_events = owner
+
+ // Member management
+ permission admin_member_access_request = maintainer + owner
+ permission read_member_access_request = guest + reporter + developer + maintainer + owner
+ permission invite_group_members = maintainer + owner
+ permission override_group_member = owner
+ permission activate_group_member = maintainer + owner
+ permission ban_group_member = owner
+ permission destroy_group_member = owner
+ permission update_group_member = maintainer + owner
+
+ // Service account permissions
+ permission admin_service_account_member = owner
+ permission create_service_account = owner
+ permission delete_service_account = owner
+
+ // Runner permissions
+ permission register_group_runners = maintainer + owner
+ permission admin_group_or_admin_runner = owner
+ permission read_group_runners = reporter + developer + maintainer + owner
+ permission read_group_all_available_runners = reporter + developer + maintainer + owner
+
+ // CRM permissions (EE)
+ permission admin_crm_contact = reporter + developer + maintainer + owner
+ permission read_crm_contact = guest + reporter + developer + maintainer + owner
+ permission admin_crm_organization = reporter + developer + maintainer + owner
+ permission read_crm_organization = guest + reporter + developer + maintainer + owner
+
+ // Custom field permissions (EE)
+ permission admin_custom_field = owner
+ permission read_custom_field = guest + reporter + developer + maintainer + owner
+
+ // Deploy token permissions
+ permission create_deploy_token = maintainer + owner
+ permission read_deploy_token = maintainer + owner
+ permission destroy_deploy_token = maintainer + owner
+ permission manage_deploy_tokens = maintainer + owner
+ permission update_group_deploy_key = maintainer + owner
+ permission update_group_deploy_key_for_group = maintainer + owner
+
+ // Dependency proxy permissions
+ permission admin_dependency_proxy = owner
+ permission read_dependency_proxy = guest + reporter + developer + maintainer + owner
+
+ // AI/Duo permissions
+ permission access_duo_features = developer + maintainer + owner
+ permission access_duo_chat = developer + maintainer + owner
+ permission access_ai_review_mr = developer + maintainer + owner
+ permission admin_duo_workflow = owner
+ permission read_duo_workflow = developer + maintainer + owner
+ permission update_duo_workflow = maintainer + owner
+ permission destroy_duo_workflow = owner
+ permission execute_duo_workflow_in_ci = developer + maintainer + owner
+
+ // Group settings permissions
+ permission change_share_with_group_lock = owner
+ permission change_prevent_sharing_groups_outside_hierarchy = owner
+ permission change_prevent_group_forking = owner
+ permission set_emails_disabled = owner
+ permission set_show_diff_preview_in_email = owner
+ permission change_new_user_signups_cap = owner
+ permission change_seat_control = owner
+
+ // Additional permissions
+ permission create_projects = maintainer + owner
+ permission transfer_projects = owner
+ permission import_projects = owner
+ permission admin_namespace = owner
+ permission read_namespace = guest + reporter + developer + maintainer + owner
+ permission admin_namespace_cluster_agent_mapping = owner
+ permission read_namespace_cluster_agent_mapping = guest + reporter + developer + maintainer + owner
+ permission create_subgroup = owner
+ permission list_subgroup_epics = reporter + developer + maintainer + owner
+ permission admin_integrations = owner
+ permission read_group_member = guest + reporter + developer + maintainer + owner
+ permission read_group_metadata = guest + reporter + developer + maintainer + owner
+ permission read_group_activity = guest + reporter + developer + maintainer + owner
+ permission read_group_issues = guest + reporter + developer + maintainer + owner
+ permission read_group_merge_requests = guest + reporter + developer + maintainer + owner
+ permission read_group_milestones = guest + reporter + developer + maintainer + owner
+ permission read_group_boards = guest + reporter + developer + maintainer + owner
+ permission read_group_release_stats = reporter + developer + maintainer + owner
+ permission read_group_credentials_inventory = owner
+ permission admin_group_credentials_inventory = owner
+ permission create_custom_emoji = developer + maintainer + owner
+ permission read_custom_emoji = guest + reporter + developer + maintainer + owner
+ permission delete_custom_emoji = owner
+ permission upload_file = guest + reporter + developer + maintainer + owner
+ permission read_upload = guest + reporter + developer + maintainer + owner
+ permission destroy_upload = maintainer + owner
+ permission admin_upload = owner
+ permission create_group_stage = owner
+ permission read_group_stage = guest + reporter + developer + maintainer + owner
+ permission update_group_stage = owner
+ permission delete_group_stage = owner
+ permission admin_ldap_group_links = owner
+ permission admin_saml_group_links = owner
+ permission admin_group_saml = owner
+ permission read_group_saml_identity = owner
+ permission create_jira_connect_subscription = owner
+ permission read_billable_member = owner
+ permission read_billing = owner
+ permission edit_billing = owner
+ permission start_trial = owner
+ permission admin_licensed_seat = owner
+ permission update_subscription_limit = owner
+ permission read_usage_quotas = owner
+ permission admin_push_rules = owner
+ permission change_push_rules = owner
+ permission change_commit_committer_check = owner
+ permission change_commit_committer_name_check = owner
+ permission change_reject_unsigned_commits = owner
+ permission change_reject_non_dco_commits = owner
+ permission enable_secret_push_protection = owner
+ permission read_saml_user = owner
+ permission read_limit_alert = owner
+ permission read_licenses = owner
+ permission read_dependency = guest + reporter + developer + maintainer + owner
+ permission read_lifecycle = reporter + developer + maintainer + owner
+ permission read_counts = reporter + developer + maintainer + owner
+ permission manage_merge_request_settings = owner
+ permission update_approval_rule = owner
+ permission export_group_memberships = owner
+ permission rollover_issues = owner
+ permission admin_achievement = owner
+ permission read_achievement = guest + reporter + developer + maintainer + owner
+ permission award_achievement = owner
+ permission read_insights = reporter + developer + maintainer + owner
+ permission read_resource_access_tokens = maintainer + owner
+ permission create_resource_access_tokens = owner
+ permission destroy_resource_access_tokens = owner
+ permission manage_resource_access_tokens = owner
+ permission admin_setting_to_allow_resource_access_token_creation = owner
+ permission read_member_role = guest + reporter + developer + maintainer + owner
+ permission admin_member_role = owner
+ permission view_member_roles = guest + reporter + developer + maintainer + owner
+ permission generate_description = developer + maintainer + owner
+ permission read_virtual_registry = guest + reporter + developer + maintainer + owner
+ permission create_virtual_registry = owner
+ permission update_virtual_registry = owner
+ permission destroy_virtual_registry = owner
+ permission create_saved_replies = developer + maintainer + owner
+ permission read_saved_replies = guest + reporter + developer + maintainer + owner
+ permission update_saved_replies = developer + maintainer + owner
+ permission destroy_saved_replies = developer + maintainer + owner
+ permission admin_value_stream = owner
+ permission modify_value_stream_dashboard_settings = owner
+ permission read_internal_note = reporter + developer + maintainer + owner
+ permission read_note = guest + reporter + developer + maintainer + owner
+ permission create_note = guest + reporter + developer + maintainer + owner
+ permission admin_note = maintainer + owner
+ permission mark_note_as_internal = reporter + developer + maintainer + owner
+ permission award_emoji = guest + reporter + developer + maintainer + owner
+ permission admin_web_hook = owner
+ permission read_web_hook = maintainer + owner
+ permission manage_devops_adoption_namespaces = owner
+ permission provision_cloud_runner = owner
+ permission provision_gke_runner = owner
+ permission read_runner_cloud_provisioning_info = owner
+ permission read_runner_gke_provisioning_info = owner
+ permission use_k = developer + maintainer + owner
+ permission view_type_of_work_charts = reporter + developer + maintainer + owner
+ permission view_edit_page = developer + maintainer + owner
+ permission view_globally = guest + reporter + developer + maintainer + owner
+ permission summarize_comments = developer + maintainer + owner
+ permission set_note_created_at = owner
+ permission set_issue_created_at = owner
+ permission set_issue_updated_at = owner
+ permission set_epic_created_at = owner
+ permission set_epic_updated_at = owner
+ permission set_show_default_award_emojis = owner
+ permission set_warn_about_potentially_unwanted_characters = owner
+ permission measure_comment_temperature = developer + maintainer + owner
+ permission read_product_analytics = reporter + developer + maintainer + owner
+ permission modify_product_analytics_settings = owner
+ permission read_harbor_registry = reporter + developer + maintainer + owner
+ permission read_cluster = reporter + developer + maintainer + owner
+ permission admin_cluster = owner
+ permission create_cluster = owner
+ permission update_cluster = owner
+ permission add_cluster = owner
+ permission read_cluster_agent = reporter + developer + maintainer + owner
+ permission read_cluster_environments = reporter + developer + maintainer + owner
+ permission read_prometheus = reporter + developer + maintainer + owner
+ permission read_grafana = reporter + developer + maintainer + owner
+ permission admin_protected_environments = owner
+ permission export_work_items = reporter + developer + maintainer + owner
+ permission import_work_items = developer + maintainer + owner
+ permission admin_work_item = reporter + developer + maintainer + owner
+ permission read_work_item = guest + reporter + developer + maintainer + owner
+ permission create_work_item = guest + reporter + developer + maintainer + owner
+ permission update_work_item = reporter + developer + maintainer + owner
+ permission admin_issue = reporter + developer + maintainer + owner
+ permission read_issue = guest + reporter + developer + maintainer + owner
+ permission create_issue = guest + reporter + developer + maintainer + owner
+ permission update_issue = reporter + developer + maintainer + owner
+ permission destroy_issue = owner
+ permission reopen_issue = reporter + developer + maintainer + owner
+ permission create_task = guest + reporter + developer + maintainer + owner
+ permission create_key_result = developer + maintainer + owner
+ permission create_objective = developer + maintainer + owner
+ permission set_issue_metadata = reporter + developer + maintainer + owner
+ permission set_work_item_metadata = reporter + developer + maintainer + owner
+ permission clone_issue = reporter + developer + maintainer + owner
+ permission clone_work_item = reporter + developer + maintainer + owner
+ permission move_issue = reporter + developer + maintainer + owner
+ permission move_work_item = reporter + developer + maintainer + owner
+ permission admin_merge_request = developer + maintainer + owner
+ permission update_merge_request = developer + maintainer + owner
+ permission create_epic_tree_relation = developer + maintainer + owner
+ permission admin_epic_relation = developer + maintainer + owner
+ permission admin_epic_link_relation = developer + maintainer + owner
+ permission admin_epic_tree_relation = developer + maintainer + owner
+ permission bulk_admin_epic = owner
+ permission read_epic_iid = guest + reporter + developer + maintainer + owner
+ permission read_epic_relation = guest + reporter + developer + maintainer + owner
+ permission read_epic_link_relation = guest + reporter + developer + maintainer + owner
+ permission set_epic_metadata = reporter + developer + maintainer + owner
+ permission set_confidentiality = reporter + developer + maintainer + owner
+ permission create_timelog = reporter + developer + maintainer + owner
+ permission admin_timelog = owner
+ permission read_timelog_category = guest + reporter + developer + maintainer + owner
+ permission read_issuable = guest + reporter + developer + maintainer + owner
+ permission read_issuable_participables = guest + reporter + developer + maintainer + owner
+ permission create_todo = guest + reporter + developer + maintainer + owner
+ permission update_todo = guest + reporter + developer + maintainer + owner
+ permission read_todo = guest + reporter + developer + maintainer + owner
+ permission update_subscription = guest + reporter + developer + maintainer + owner
+ permission reopen_merge_request = developer + maintainer + owner
+ permission resolve_note = developer + maintainer + owner
+ permission reposition_note = developer + maintainer + owner
+ permission request_access = guest
+ permission withdraw_member_access_request = guest + reporter + developer + maintainer + owner
+ permission read_shared_with_group = guest + reporter + developer + maintainer + owner
+ permission update_default_branch_protection = owner
+ permission update_git_access_protocol = owner
+ permission update_max_artifacts_size = owner
+ permission read_statistics = reporter + developer + maintainer + owner
+ permission read_cycle_analytics = reporter + developer + maintainer + owner
+ permission read_design_activity = reporter + developer + maintainer + owner
+ permission read_namespace_via_membership = guest + reporter + developer + maintainer + owner
+ permission read_nested_project_resources = guest + reporter + developer + maintainer + owner
+ permission read_namespace_catalog = guest + reporter + developer + maintainer + owner
+ permission read_dora = reporter + developer + maintainer + owner
+ permission read_enterprise_ai_analytics = reporter + developer + maintainer + owner
+ permission read_pro_ai_analytics = reporter + developer + maintainer + owner
+ permission read_security_inventory = developer + maintainer + owner
+ permission read_security_configuration = developer + maintainer + owner
+ permission read_security_orchestration_policies = developer + maintainer + owner
+ permission read_security_orchestration_policy_project = developer + maintainer + owner
+ permission update_security_orchestration_policy_project = owner
+ permission modify_security_policy = owner
+ permission admin_security_testing = owner
+ permission enable_continuous_vulnerability_scans = owner
+ permission configure_secret_detection_validity_checks = owner
+ permission read_secret_detection_validity_checks_status = developer + maintainer + owner
+ permission read_secret_push_protection_info = developer + maintainer + owner
+ permission admin_merge_request_approval_settings = owner
+ permission modify_approvers_rules = owner
+ permission modify_merge_request_author_setting = owner
+ permission modify_merge_request_committer_setting = owner
+ permission edit_group_approval_rule = owner
+ permission read_group_approval_rule = reporter + developer + maintainer + owner
+ permission create_vulnerability_export = developer + maintainer + owner
+ permission read_vulnerability_export = developer + maintainer + owner
+ permission read_vulnerability_statistics = reporter + developer + maintainer + owner
+ permission read_jobs_statistics = reporter + developer + maintainer + owner
+ permission read_runner_usage = owner
+ permission read_runners_registration_token = owner
+ permission update_runners_registration_token = owner
+ permission read_package_within_public_registries = guest + reporter + developer + maintainer + owner
+ permission read_code = guest + reporter + developer + maintainer + owner
+ permission read_resource_state_event = guest + reporter + developer + maintainer + owner
+ permission read_resource_weight_event = guest + reporter + developer + maintainer + owner
+ permission read_resource_iteration_event = guest + reporter + developer + maintainer + owner
+ permission read_resource_milestone_event = guest + reporter + developer + maintainer + owner
+ permission read_resource_label_event = guest + reporter + developer + maintainer + owner
+ permission admin_group_model_selection = owner
+ permission read_event = guest + reporter + developer + maintainer + owner
+ permission use_quick_actions = guest + reporter + developer + maintainer + owner
+ permission use_slash_commands = guest + reporter + developer + maintainer + owner
+ permission receive_notifications = guest + reporter + developer + maintainer + owner
+}
+
+definition project {
+ relation ci_job_token: ci_job
+ relation deploy_token: deploy_token
 relation developer: user
+ relation group: group
+ relation guest: user
+ relation internal_access: user
 relation maintainer: user
+ relation namespace: user
 relation owner: user
- relation admin: user
+ relation planner: user
+ relation project_bot: user
+ relation public_access: user:*
+ relation reporter: user
+
+ // Core access permissions
+ permission read_project = guest + reporter + developer + maintainer + owner + group->read + namespace->read + public_access + internal_access
+ permission guest_access = guest + reporter + developer + maintainer + owner
+ permission reporter_access = reporter + developer + maintainer + owner
+ permission developer_access = developer + maintainer + owner
+ permission maintainer_access = maintainer + owner
+ permission owner_access = owner
+ permission planner_access = planner + reporter + developer + maintainer + owner
+ permission public_access = public_access
+ permission public_user_access = public_access + internal_access
+ permission project_bot_access = project_bot
+ permission build_read_project = ci_job_token
+ permission read_project_for_iids = guest + reporter + developer + maintainer + owner + group->read
+
+ // Administrative permissions
+ permission admin_project = owner + group->admin_group
+ permission archive_project = owner
+ permission remove_project = owner + group->admin_group
+ permission change_visibility_level = owner + group->admin_group
+ permission change_namespace = owner
+ permission rename_project = maintainer + owner
+ permission set_emails_disabled = owner
+ permission set_show_diff_preview_in_email = owner
+ permission set_show_default_award_emojis = owner
+ permission set_warn_about_potentially_unwanted_characters = owner
+ permission manage_owners = owner
+
+ // Code and repository permissions
+ permission read_code = guest + reporter + developer + maintainer + owner + ci_job_token + deploy_token + group->read
+ permission download_code = guest + reporter + developer + maintainer + owner + ci_job_token + deploy_token
+ permission build_download_code = guest + ci_job_token
+ permission download_code_spp_repository = developer + maintainer + owner
+ permission push_code = developer + maintainer + owner
+ permission build_push_code = ci_job_token
+ permission push_code_to_protected_branches = maintainer + owner
+ permission push_to_delete_protected_branch = maintainer + owner
+ permission fork_project = reporter + developer + maintainer + owner
+ permission link_forked_project = developer + maintainer + owner
+ permission remove_fork_project = owner
+
+ // Wiki permissions
+ permission create_wiki = developer + maintainer + owner
+ permission admin_wiki = maintainer + owner
+ permission read_wiki = guest + reporter + developer + maintainer + owner
+ permission read_wiki_page = guest + reporter + developer + maintainer + owner
+ permission download_wiki_code = reporter + developer + maintainer + owner
+
+ // Snippet permissions
+ permission create_snippet = developer + maintainer + owner
+ permission admin_snippet = maintainer + owner
+ permission read_snippet = guest + reporter + developer + maintainer + owner
+ permission update_snippet = maintainer + owner
+
+ // Milestone permissions
+ permission admin_milestone = reporter + developer + maintainer + owner
+ permission read_milestone = guest + reporter + developer + maintainer + owner
+ permission read_resource_milestone_event = guest + reporter + developer + maintainer + owner
+
+ // Label permissions
+ permission admin_label = reporter + developer + maintainer + owner
+ permission read_label = guest + reporter + developer + maintainer + owner
+ permission read_resource_label_event = guest + reporter + developer + maintainer + owner
+
+ // Branch and tag permissions
+ permission admin_tag = maintainer + owner
+ permission delete_tag = maintainer + owner
+ permission create_branch_rule = maintainer + owner
+ permission read_branch_rule = guest + reporter + developer + maintainer + owner
+ permission update_branch_rule = maintainer + owner
+ permission destroy_branch_rule = owner
+ permission admin_protected_branch = maintainer + owner
+ permission create_protected_branch = maintainer + owner
+ permission read_protected_branch = guest + reporter + developer + maintainer + owner
+ permission update_protected_branch = maintainer + owner
+ permission destroy_protected_branch = owner
+ permission create_protected_tags = maintainer + owner
+ permission read_protected_tags = guest + reporter + developer + maintainer + owner
+ permission update_protected_tags = maintainer + owner
+ permission destroy_protected_tags = owner
+ permission manage_protected_tags = maintainer + owner
+ permission admin_target_branch_rule = owner
+ permission read_target_branch_rule = guest + reporter + developer + maintainer + owner
+ permission update_squash_option = developer + maintainer + owner
+ permission create_squash_option = developer + maintainer + owner
+ permission read_squash_option = guest + reporter + developer + maintainer + owner
+ permission destroy_squash_option = owner
+
+ // CI/CD permissions
+ permission read_build = reporter + developer + maintainer + owner + ci_job_token
+ permission create_build = developer + maintainer + owner
+ permission update_build = developer + maintainer + owner
+ permission cancel_build = developer + maintainer + owner
+ permission erase_build = maintainer + owner
+ permission play_job = developer + maintainer + owner
+ permission read_job_artifacts = reporter + developer + maintainer + owner + ci_job_token
+ permission destroy_artifacts = maintainer + owner
+ permission admin_build = maintainer + owner
+ permission create_pipeline = developer + maintainer + owner + ci_job_token
+ permission create_bot_pipeline = developer + maintainer + owner
+ permission read_pipeline = guest + reporter + developer + maintainer + owner
+ permission update_pipeline = developer + maintainer + owner
+ permission cancel_pipeline = developer + maintainer + owner
+ permission destroy_pipeline = owner
+ permission admin_pipeline = maintainer + owner
+ permission read_pipeline_variable = developer + maintainer + owner
+ permission set_pipeline_variables = developer + maintainer + owner
+ permission read_pipeline_metadata = reporter + developer + maintainer + owner
+ permission admin_cicd_variables = maintainer + owner + group->admin_cicd_variables
+ permission change_restrict_user_defined_variables = owner
+
+ // Pipeline schedule permissions
+ permission create_pipeline_schedule = developer + maintainer + owner
+ permission read_pipeline_schedule = reporter + developer + maintainer + owner
+ permission update_pipeline_schedule = developer + maintainer + owner
+ permission admin_pipeline_schedule = maintainer + owner
+ permission play_pipeline_schedule = developer + maintainer + owner
+ permission take_ownership_pipeline_schedule = developer + maintainer + owner
+ permission read_pipeline_schedule_variables = developer + maintainer + owner
+ permission read_ci_pipeline_schedules_plan_limit = reporter + developer + maintainer + owner
+
+ // Commit status permissions
+ permission create_commit_status = developer + maintainer + owner
+ permission read_commit_status = reporter + developer + maintainer + owner
+ permission update_commit_status = developer + maintainer + owner
+ permission admin_commit_status = maintainer + owner
+
+ // Issue permissions
+ permission create_issue = guest + reporter + developer + maintainer + owner
+ permission read_issue = guest + reporter + developer + maintainer + owner
+ permission update_issue = reporter + developer + maintainer + owner
+ permission admin_issue = reporter + developer + maintainer + owner
+ permission destroy_issue = owner
+ permission reopen_issue = reporter + developer + maintainer + owner
+ permission set_issue_iid = owner
+ permission set_issue_created_at = owner
+ permission set_issue_updated_at = owner
+ permission set_issue_metadata = reporter + developer + maintainer + owner
+ permission set_issue_crm_contacts = reporter + developer + maintainer + owner
+ permission set_confidentiality = reporter + developer + maintainer + owner
+ permission read_issue_iid = guest + reporter + developer + maintainer + owner
+ permission create_incident = reporter + developer + maintainer + owner
+ permission import_issues = developer + maintainer + owner
+ permission export_work_items = reporter + developer + maintainer + owner
+ permission import_work_items = developer + maintainer + owner
+ permission clone_issue = reporter + developer + maintainer + owner
+ permission move_issue = reporter + developer + maintainer + owner
+ permission promote_to_epic = reporter + developer + maintainer + owner
+ permission read_confidential_issues = reporter + developer + maintainer + owner
+ permission mark_issue_for_publication = maintainer + owner
+
+ // Work item permissions
+ permission create_work_item = guest + reporter + developer + maintainer + owner
+ permission read_work_item = guest + reporter + developer + maintainer + owner
+ permission update_work_item = reporter + developer + maintainer + owner
+ permission admin_work_item = reporter + developer + maintainer + owner
+ permission delete_work_item = owner
+ permission clone_work_item = reporter + developer + maintainer + owner
+ permission move_work_item = reporter + developer + maintainer + owner
+ permission set_work_item_metadata = reporter + developer + maintainer + owner
+ permission admin_work_item_link = maintainer + owner
+ permission admin_parent_link = maintainer + owner
+ permission read_work_item_type = guest + reporter + developer + maintainer + owner
+ permission read_work_item_status = guest + reporter + developer + maintainer + owner
+ permission create_task = guest + reporter + developer + maintainer + owner
+ permission create_key_result = developer + maintainer + owner
+ permission create_objective = developer + maintainer + owner
+
+ // Issue board permissions
+ permission admin_issue_board = reporter + developer + maintainer + owner
+ permission read_issue_board = guest + reporter + developer + maintainer + owner
+ permission admin_issue_board_list = reporter + developer + maintainer + owner
+ permission read_issue_board_list = guest + reporter + developer + maintainer + owner
+ permission create_non_backlog_issues = reporter + developer + maintainer + owner
+
+ // Issue link permissions
+ permission admin_issue_link = reporter + developer + maintainer + owner
+ permission read_issue_link = guest + reporter + developer + maintainer + owner
+ permission admin_issue_relation = reporter + developer + maintainer + owner
+ permission create_external_issue_link = developer + maintainer + owner
+
+ // Merge request permissions
+ permission create_merge_request_from = developer + maintainer + owner
+ permission create_merge_request_in = developer + maintainer + owner
+ permission read_merge_request = guest + reporter + developer + maintainer + owner
+ permission update_merge_request = developer + maintainer + owner
+ permission admin_merge_request = developer + maintainer + owner
+ permission accept_merge_request = maintainer + owner
+ permission approve_merge_request = developer + maintainer + owner
+ permission destroy_merge_request = owner
+ permission reopen_merge_request = developer + maintainer + owner
+ permission read_merge_request_iid = guest + reporter + developer + maintainer + owner
+ permission set_merge_request_metadata = developer + maintainer + owner
+ permission create_merge_request_approval_rules = maintainer + owner
+ permission update_approvers = maintainer + owner
+ permission admin_merge_request_approval_settings = owner
+ permission 
reset_merge_request_approvals = maintainer + owner + permission modify_approvers_rules = owner + permission modify_merge_request_author_setting = owner + permission modify_merge_request_committer_setting = owner + permission manage_merge_request_settings = owner + permission read_approval_rule = reporter + developer + maintainer + owner + permission update_approval_rule = maintainer + owner + permission edit_approval_rule = maintainer + owner + permission read_approvers = reporter + developer + maintainer + owner + permission read_merge_request_closing_issue = guest + reporter + developer + maintainer + owner + permission read_merge_train = reporter + developer + maintainer + owner + permission read_merge_train_car = reporter + developer + maintainer + owner + permission delete_merge_train_car = maintainer + owner + + // Design permissions + permission create_design = reporter + developer + maintainer + owner + permission read_design = guest + reporter + developer + maintainer + owner + permission update_design = developer + maintainer + owner + permission destroy_design = developer + maintainer + owner + permission move_design = developer + maintainer + owner + permission read_design_activity = guest + reporter + developer + maintainer + owner + + // Container and package permissions + permission read_container_image = reporter + developer + maintainer + owner + ci_job_token + permission create_container_image = developer + maintainer + owner + permission update_container_image = developer + maintainer + owner + permission admin_container_image = maintainer + owner + permission destroy_container_image = maintainer + owner + permission destroy_container_image_tag = maintainer + owner + permission build_read_container_image = guest + ci_job_token + permission create_container_registry_protection_immutable_tag_rule = owner + permission destroy_container_registry_protection_tag_rule = developer + maintainer + owner + permission enable_container_scanning_for_registry = 
owner + permission read_package = reporter + developer + maintainer + owner + permission create_package = developer + maintainer + owner + permission destroy_package = maintainer + owner + permission admin_package = maintainer + owner + permission read_package_within_public_registries = guest + reporter + developer + maintainer + owner + permission view_package_registry_project_settings = reporter + developer + maintainer + owner + + // Deploy token permissions + permission create_deploy_token = maintainer + owner + permission read_deploy_token = maintainer + owner + permission destroy_deploy_token = maintainer + owner + permission update_deploy_token = maintainer + owner + permission manage_deploy_tokens = maintainer + owner + + // Environment and deployment permissions + permission create_environment = developer + maintainer + owner + permission read_environment = reporter + developer + maintainer + owner + permission update_environment = developer + maintainer + owner + permission admin_environment = maintainer + owner + permission destroy_environment = developer + maintainer + owner + permission stop_environment = developer + maintainer + owner + permission create_environment_terminal = maintainer + owner + permission create_deployment = developer + maintainer + owner + permission read_deployment = reporter + developer + maintainer + owner + permission update_deployment = developer + maintainer + owner + permission admin_deployment = maintainer + owner + permission destroy_deployment = maintainer + owner + permission approve_deployment = maintainer + owner + permission admin_protected_environments = owner + permission read_freeze_period = reporter + developer + maintainer + owner + permission create_freeze_period = maintainer + owner + permission update_freeze_period = maintainer + owner + permission destroy_freeze_period = maintainer + owner + + // Feature flag permissions + permission create_feature_flag = developer + maintainer + owner + permission 
read_feature_flag = reporter + developer + maintainer + owner + permission update_feature_flag = developer + maintainer + owner + permission admin_feature_flag = maintainer + owner + permission destroy_feature_flag = developer + maintainer + owner + permission admin_feature_flags_client = maintainer + owner + permission admin_feature_flags_user_lists = maintainer + owner + permission admin_feature_flags_issue_links = maintainer + owner - permission read = developer + maintainer - permission write = maintainer + // Security and vulnerability permissions + permission read_vulnerability = reporter + developer + maintainer + owner + permission admin_vulnerability = developer + maintainer + owner + group->admin_vulnerability + permission create_vulnerability_feedback = developer + maintainer + owner + permission read_vulnerability_feedback = reporter + developer + maintainer + owner + permission update_vulnerability_feedback = developer + maintainer + owner + permission destroy_vulnerability_feedback = developer + maintainer + owner + permission read_vulnerability_scanner = reporter + developer + maintainer + owner + permission read_vulnerability_merge_request_link = reporter + developer + maintainer + owner + permission admin_vulnerability_merge_request_link = developer + maintainer + owner + permission admin_vulnerability_issue_link = developer + maintainer + owner + permission admin_vulnerability_external_issue_link = developer + maintainer + owner + permission create_vulnerability_export = developer + maintainer + owner + permission read_vulnerability_export = developer + maintainer + owner + permission create_vulnerability_archive_export = developer + maintainer + owner + permission read_vulnerability_archive_export = developer + maintainer + owner + permission create_vulnerability_state_transition = developer + maintainer + owner + permission read_vulnerability_representation_information = reporter + developer + maintainer + owner + permission 
resolve_vulnerability_with_ai = developer + maintainer + owner + permission read_vulnerability_statistics = reporter + developer + maintainer + owner + + // Security scanning permissions + permission access_security_and_compliance = developer + maintainer + owner + permission access_security_scans_api = developer + maintainer + owner + permission read_security_dashboard = reporter + developer + maintainer + owner + permission read_project_security_dashboard = reporter + developer + maintainer + owner + permission add_project_to_instance_security_dashboard = owner + permission read_instance_security_dashboard = owner + permission read_security_configuration = developer + maintainer + owner + permission read_security_orchestration_policies = developer + maintainer + owner + permission read_security_orchestration_policy_project = developer + maintainer + owner + permission update_security_orchestration_policy_project = owner + permission modify_security_policy = owner + permission admin_security_testing = owner + permission manage_security_settings = owner + permission read_security_settings = reporter + developer + maintainer + owner + permission read_security_inventory = developer + maintainer + owner + permission read_security_resource = developer + maintainer + owner + permission read_project_security_exclusions = developer + maintainer + owner + permission manage_project_security_exclusions = owner + permission enable_continuous_vulnerability_scans = owner + permission configure_secret_detection_validity_checks = owner + permission read_secret_detection_validity_checks_status = developer + maintainer + owner + permission read_secret_push_protection_info = developer + maintainer + owner + permission enable_secret_push_protection = owner + permission read_coverage_fuzzing = developer + maintainer + owner + permission create_coverage_fuzzing_corpus = developer + maintainer + owner + + // Release permissions + permission create_release = developer + maintainer + 
owner + permission read_release = guest + reporter + developer + maintainer + owner + permission update_release = developer + maintainer + owner + permission destroy_release = maintainer + owner + permission read_release_evidence = guest + reporter + developer + maintainer + owner + + // Runner permissions + permission admin_runner = owner + group->admin_runner + permission read_runner = reporter + developer + maintainer + owner + permission update_runner = owner + permission delete_runner = owner + permission assign_runner = maintainer + owner + permission create_runner = maintainer + owner + permission register_project_runners = maintainer + owner + permission admin_project_runners = maintainer + owner + permission read_project_runners = reporter + developer + maintainer + owner + permission read_runners_registration_token = maintainer + owner + permission update_runners_registration_token = maintainer + owner + permission read_runner_usage = owner + permission read_runner_cloud_provisioning_info = owner + permission read_runner_gke_provisioning_info = owner + permission provision_cloud_runner = owner + permission provision_gke_runner = owner + + // Pages permissions + permission admin_pages = maintainer + owner + permission read_pages = maintainer + owner + permission update_pages = maintainer + owner + permission remove_pages = maintainer + owner + permission read_pages_content = guest + reporter + developer + maintainer + owner + permission read_pages_deployments = reporter + developer + maintainer + owner + permission update_pages_deployments = maintainer + owner + permission pages_multiple_versions = maintainer + owner + + // Terraform state permissions + permission read_terraform_state = developer + maintainer + owner + permission admin_terraform_state = maintainer + owner + + // Analytics permissions + permission read_analytics = reporter + developer + maintainer + owner + permission read_insights = reporter + developer + maintainer + owner + permission 
read_ci_cd_analytics = reporter + developer + maintainer + owner + permission read_code_review_analytics = reporter + developer + maintainer + owner + permission read_issue_analytics = reporter + developer + maintainer + owner + permission read_project_merge_request_analytics = reporter + developer + maintainer + owner + permission read_combined_project_analytics_dashboards = reporter + developer + maintainer + owner + permission read_project_level_value_stream_dashboard_overview_counts = reporter + developer + maintainer + owner + permission view_productivity_analytics = reporter + developer + maintainer + owner + permission read_cycle_analytics = reporter + developer + maintainer + owner + permission read_repository_graphs = reporter + developer + maintainer + owner + permission read_statistics = reporter + developer + maintainer + owner + permission daily_statistics = reporter + developer + maintainer + owner + permission read_build_report_results = reporter + developer + maintainer + owner + permission use_project_statistics_filters = reporter + developer + maintainer + owner + permission admin_value_stream = owner + + // AI/Duo permissions + permission access_duo_features = developer + maintainer + owner + group->access_duo_features + permission access_duo_chat = developer + maintainer + owner + permission access_ai_review_mr = developer + maintainer + owner + permission access_duo_agentic_chat = developer + maintainer + owner + permission access_duo_core_features = developer + maintainer + owner + permission access_description_composer = developer + maintainer + owner + permission access_summarize_new_merge_request = developer + maintainer + owner + permission access_summarize_review = developer + maintainer + owner + permission access_generate_commit_message = developer + maintainer + owner + permission duo_workflow = developer + maintainer + owner + permission trigger_amazon_q = developer + maintainer + owner + permission generate_description = developer + 
maintainer + owner + permission generate_cube_query = developer + maintainer + owner + permission read_ai_agents = reporter + developer + maintainer + owner + permission write_ai_agents = developer + maintainer + owner + + // Model registry permissions (ML) + permission read_model_experiments = reporter + developer + maintainer + owner + permission write_model_experiments = developer + maintainer + owner + permission read_model_registry = reporter + developer + maintainer + owner + permission write_model_registry = developer + maintainer + owner + + // Observability permissions + permission read_observability = reporter + developer + maintainer + owner + permission write_observability = developer + maintainer + owner + + // Compliance permissions + permission admin_compliance_framework = owner + group->admin_compliance_framework + permission read_compliance_framework = reporter + developer + maintainer + owner + permission read_compliance_dashboard = reporter + developer + maintainer + owner + permission read_compliance_adherence_report = developer + maintainer + owner + permission read_compliance_violations_report = developer + maintainer + owner + permission read_project_audit_events = owner + + // Member and access permissions + permission admin_project_member = maintainer + owner + permission read_project_member = guest + reporter + developer + maintainer + owner + permission update_project_member = maintainer + owner + permission destroy_project_member = owner + permission destroy_project_bot_member = owner + permission invite_member = maintainer + owner + permission invite_project_members = maintainer + owner + permission import_project_members_from_another_project = maintainer + owner + permission admin_member_access_request = maintainer + owner + permission read_member_access_request = guest + reporter + developer + maintainer + owner + permission withdraw_member_access_request = guest + reporter + developer + maintainer + owner + permission 
override_group_member = owner + permission destroy_group_member = owner + permission destroy_project_group_link = owner + permission manage_group_link_with_owner_access = owner + permission read_shared_with_group = guest + reporter + developer + maintainer + owner + + // Note and comment permissions + permission create_note = guest + reporter + developer + maintainer + owner + permission read_note = guest + reporter + developer + maintainer + owner + permission update_note = guest + reporter + developer + maintainer + owner + permission admin_note = maintainer + owner + permission resolve_note = developer + maintainer + owner + permission reposition_note = developer + maintainer + owner + permission mark_note_as_internal = reporter + developer + maintainer + owner + permission set_note_created_at = owner + permission read_internal_note = reporter + developer + maintainer + owner + permission award_emoji = guest + reporter + developer + maintainer + owner + permission summarize_comments = developer + maintainer + owner + permission measure_comment_temperature = developer + maintainer + owner + + // Webhook permissions + permission admin_web_hook = owner + permission read_web_hook = maintainer + owner + + // Upload permissions + permission upload_file = guest + reporter + developer + maintainer + owner + permission read_upload = guest + reporter + developer + maintainer + owner + permission destroy_upload = maintainer + owner + permission admin_upload = owner + + // Project settings permissions + permission admin_project_aws = owner + permission admin_project_google_cloud = owner + permission admin_project_secrets_manager = owner + permission admin_google_cloud_artifact_registry = owner + permission read_google_cloud_artifact_registry = reporter + developer + maintainer + owner + permission update_max_artifacts_size = owner + permission set_pipeline_variables = developer + maintainer + owner + permission change_commit_committer_check = owner + permission 
change_commit_committer_name_check = owner + permission read_commit_committer_check = reporter + developer + maintainer + owner + permission read_commit_committer_name_check = reporter + developer + maintainer + owner + permission change_push_rules = owner + permission admin_push_rules = owner + permission change_reject_unsigned_commits = owner + permission change_reject_non_dco_commits = owner + permission read_reject_unsigned_commits = reporter + developer + maintainer + owner + permission read_reject_non_dco_commits = reporter + developer + maintainer + owner + + // Integration permissions + permission admin_integrations = maintainer + owner + permission create_jira_connect_subscription = owner + permission admin_operations = maintainer + owner + permission admin_sentry = maintainer + owner + permission read_sentry_issue = reporter + developer + maintainer + owner + permission update_sentry_issue = developer + maintainer + owner + + // Misc permissions + permission add_catalog_resource = owner + permission publish_catalog_version = developer + maintainer + owner + permission read_namespace_catalog = guest + reporter + developer + maintainer + owner + permission create_project = developer + maintainer + owner + permission request_access = guest + permission read_project_metadata = guest + reporter + developer + maintainer + owner + permission view_edit_page = developer + maintainer + owner + permission metrics_dashboard = reporter + developer + maintainer + owner + permission read_operations_dashboard = owner + permission use_k = developer + maintainer + owner + permission use_quick_actions = guest + reporter + developer + maintainer + owner + permission use_slash_commands = guest + reporter + developer + maintainer + owner + permission create_timelog = reporter + developer + maintainer + owner + permission admin_timelog = owner + permission read_timelog_category = guest + reporter + developer + maintainer + owner + permission create_todo = guest + reporter + 
developer + maintainer + owner + permission update_todo = guest + reporter + developer + maintainer + owner + permission read_todo = guest + reporter + developer + maintainer + owner + permission update_subscription = guest + reporter + developer + maintainer + owner + permission delete_project_subscription = owner + permission report_spam = guest + reporter + developer + maintainer + owner + permission read_issuable = guest + reporter + developer + maintainer + owner + permission read_issuable_participables = guest + reporter + developer + maintainer + owner + permission read_issuable_resource_link = guest + reporter + developer + maintainer + owner + permission admin_issuable_resource_link = developer + maintainer + owner + permission read_issuable_metric_image = reporter + developer + maintainer + owner + permission update_issuable_metric_image = developer + maintainer + owner + permission upload_issuable_metric_image = developer + maintainer + owner + permission destroy_issuable_metric_image = developer + maintainer + owner + permission read_incident_management_timeline_event = reporter + developer + maintainer + owner + permission admin_incident_management_timeline_event = developer + maintainer + owner + permission edit_incident_management_timeline_event = developer + maintainer + owner + permission read_incident_management_timeline_event_tag = reporter + developer + maintainer + owner + permission admin_incident_management_timeline_event_tag = maintainer + owner + permission read_incident_management_escalation_policy = reporter + developer + maintainer + owner + permission admin_incident_management_escalation_policy = maintainer + owner + permission read_incident_management_oncall_schedule = reporter + developer + maintainer + owner + permission admin_incident_management_oncall_schedule = maintainer + owner + permission update_escalation_status = developer + maintainer + owner + permission read_alert_management_alert = reporter + developer + maintainer + 
owner + permission update_alert_management_alert = developer + maintainer + owner + permission read_alert_management_metric_image = reporter + developer + maintainer + owner + permission update_alert_management_metric_image = developer + maintainer + owner + permission upload_alert_management_metric_image = developer + maintainer + owner + permission destroy_alert_management_metric_image = developer + maintainer + owner + permission publish_status_page = developer + maintainer + owner + permission rollover_issues = owner + + // Resource access token permissions + permission read_resource_access_tokens = maintainer + owner + permission create_resource_access_tokens = owner + permission destroy_resource_access_tokens = owner + permission manage_resource_access_tokens = owner + permission admin_setting_to_allow_resource_access_token_creation = owner + + // Path lock permissions + permission create_path_lock = developer + maintainer + owner + permission read_path_locks = guest + reporter + developer + maintainer + owner + permission admin_path_locks = maintainer + owner + permission destroy_path_lock = developer + maintainer + owner + + // On-demand DAST scan permissions + permission create_on_demand_dast_scan = developer + maintainer + owner + permission read_on_demand_dast_scan = developer + maintainer + owner + permission edit_on_demand_dast_scan = developer + maintainer + owner + + // Requirement permissions + permission create_requirement = reporter + developer + maintainer + owner + permission read_requirement = reporter + developer + maintainer + owner + permission update_requirement = reporter + developer + maintainer + owner + permission admin_requirement = maintainer + owner + permission destroy_requirement = maintainer + owner + permission import_requirements = developer + maintainer + owner + permission export_requirements = reporter + developer + maintainer + owner + permission create_requirement_test_report = reporter + developer + maintainer + owner + + 
// Test case permissions + permission create_test_case = reporter + developer + maintainer + owner + + // Secure file permissions + permission read_secure_files = developer + maintainer + owner + permission admin_secure_files = maintainer + owner + + // License policy permissions + permission read_software_license_policy = reporter + developer + maintainer + owner + permission admin_software_license_policy = maintainer + owner + + // Mirror permissions + permission admin_mirror = owner + permission admin_remote_mirror = owner + + // Trigger permissions + permission admin_trigger = owner + permission manage_trigger = owner + + // Cluster permissions + permission read_cluster = reporter + developer + maintainer + owner + permission add_cluster = maintainer + owner + permission create_cluster = maintainer + owner + permission update_cluster = maintainer + owner + permission admin_cluster = owner + permission read_cluster_agent = reporter + developer + maintainer + owner + permission read_cluster_environments = reporter + developer + maintainer + owner + + // Prometheus and monitoring permissions + permission read_prometheus = reporter + developer + maintainer + owner + permission read_grafana = reporter + developer + maintainer + owner + permission read_pod_logs = developer + maintainer + owner + + // Harbor registry permissions + permission read_harbor_registry = reporter + developer + maintainer + owner + + // Build service proxy permissions + permission build_service_proxy_enabled = developer + maintainer + owner + permission create_build_service_proxy = developer + maintainer + owner + + // Web IDE permissions + permission create_web_ide_terminal = developer + maintainer + owner + permission read_web_ide_terminal = developer + maintainer + owner + permission update_web_ide_terminal = developer + maintainer + owner + + // Resource group permissions + permission read_resource_group = reporter + developer + maintainer + owner + permission update_resource_group = 
developer + maintainer + owner + + // Deploy board permissions + permission read_deploy_board = reporter + developer + maintainer + owner + + // External email permissions + permission read_external_emails = reporter + developer + maintainer + owner + + // Import/Export permissions + permission read_import_error = owner + permission export_work_items = reporter + developer + maintainer + owner + permission import_work_items = developer + maintainer + owner + + // Saved replies permissions + permission create_saved_replies = developer + maintainer + owner + permission read_saved_replies = guest + reporter + developer + maintainer + owner + permission update_saved_replies = developer + maintainer + owner + permission destroy_saved_replies = developer + maintainer + owner + + // Other permissions + permission cache_blob = guest + reporter + developer + maintainer + owner + permission read_blob = guest + reporter + developer + maintainer + owner + permission read_commit = guest + reporter + developer + maintainer + owner + permission read_build_trace = developer + maintainer + owner + permission read_build_metadata = developer + maintainer + owner + permission jailbreak = owner + permission build_read_container_image = guest + ci_job_token + permission apply_suggestion = developer + maintainer + owner + permission read_project_subscription = guest + reporter + developer + maintainer + owner + permission read_storage_disk_path = owner + permission read_dora = reporter + developer + maintainer + owner + permission read_product_analytics = reporter + developer + maintainer + owner + permission modify_product_analytics_settings = owner + permission read_counts = reporter + developer + maintainer + owner + permission read_dependency = guest + reporter + developer + maintainer + owner + permission read_lifecycle = reporter + developer + maintainer + owner + permission read_usage_quotas = owner + permission read_limit_alert = owner + permission read_licenses = owner + 
permission read_scan = developer + maintainer + owner + permission read_event = guest + reporter + developer + maintainer + owner + permission read_parent = guest + reporter + developer + maintainer + owner + permission read_namespace = guest + reporter + developer + maintainer + owner + permission read_namespace_via_membership = guest + reporter + developer + maintainer + owner + permission read_nested_project_resources = guest + reporter + developer + maintainer + owner + permission view_globally = guest + reporter + developer + maintainer + owner + permission receive_notifications = guest + reporter + developer + maintainer + owner + permission read_enterprise_ai_analytics = reporter + developer + maintainer + owner + permission read_pro_ai_analytics = reporter + developer + maintainer + owner + permission read_component = guest + reporter + developer + maintainer + owner + permission read_component_version = guest + reporter + developer + maintainer + owner + permission read_application_setting = owner + permission read_resource_state_event = guest + reporter + developer + maintainer + owner + permission read_resource_weight_event = guest + reporter + developer + maintainer + owner + permission read_resource_iteration_event = guest + reporter + developer + maintainer + owner + permission read_resource_milestone_event = guest + reporter + developer + maintainer + owner + permission read_resource_label_event = guest + reporter + developer + maintainer + owner + permission read_deploy_key = maintainer + owner + permission update_deploy_key = maintainer + owner + permission update_deploy_key_title = maintainer + owner + permission update_deploy_keys_project = maintainer + owner + permission read_custom_emoji = guest + reporter + developer + maintainer + owner + permission create_custom_emoji = developer + maintainer + owner + permission delete_custom_emoji = owner + permission read_external_status_check = reporter + developer + maintainer + owner + permission 
read_external_status_check_response = developer + maintainer + owner + permission provide_status_check_response = developer + maintainer + owner + permission retry_failed_status_checks = developer + maintainer + owner + permission read_jobs_statistics = reporter + developer + maintainer + owner + permission read_finding_token_status = developer + maintainer + owner + permission read_ci_minutes_limited_summary = reporter + developer + maintainer + owner + permission admin_ci_minutes = owner + permission create_build_terminal = developer + maintainer + owner + permission read_builds = reporter + developer + maintainer + owner + permission read_user_achievement = guest + reporter + developer + maintainer + owner + permission destroy_user_achievement = owner + permission read_abuse_report = owner + permission read_emoji = guest + reporter + developer + maintainer + owner + permission read_dependency_list_export = developer + maintainer + owner + permission create_workspace = developer + maintainer + owner + permission read_workspace = developer + maintainer + owner + permission update_workspace = developer + maintainer + owner + permission read_workspace_variable = developer + maintainer + owner + permission read_workspaces_agent_config = developer + maintainer + owner + permission access_workspaces_feature = developer + maintainer + owner + permission modify_value_stream_dashboard_settings = owner + permission read_achievement = guest + reporter + developer + maintainer + owner + permission award_achievement = owner + permission admin_achievement = owner + permission read_all_workspaces = owner + permission read_crm_contact = reporter + developer + maintainer + owner + permission read_crm_contacts = reporter + developer + maintainer + owner + permission set_issue_crm_contacts = reporter + developer + maintainer + owner + permission admin_crm_contact = reporter + developer + maintainer + owner + permission read_crm_organization = reporter + developer + maintainer + 
owner + permission admin_crm_organization = reporter + developer + maintainer + owner + permission read_custom_field = guest + reporter + developer + maintainer + owner + permission admin_custom_field = owner + permission read_confidential_epic = reporter + developer + maintainer + owner + permission read_epic_iid = guest + reporter + developer + maintainer + owner + permission read_epic_relation = guest + reporter + developer + maintainer + owner + permission read_epic_link_relation = guest + reporter + developer + maintainer + owner + permission admin_epic_relation = developer + maintainer + owner + permission admin_epic_link_relation = developer + maintainer + owner + permission admin_epic_tree_relation = developer + maintainer + owner + permission read_duo_workflow_event = developer + maintainer + owner + permission read_geo_node = owner + permission read_geo_registry = owner + permission read_all_geo = owner + permission read_virtual_registry = guest + reporter + developer + maintainer + owner + permission read_application_statistics = owner + permission read_instance_metadata = owner + permission read_cloud_connector_status = owner + permission read_usage_trends_measurement = owner + permission read_billable_member = owner + permission read_billing = owner + permission edit_billing = owner + permission start_trial = owner + permission read_licensed_seat = owner + permission admin_licensed_seat = owner + permission read_member_role = guest + reporter + developer + maintainer + owner + permission admin_member_role = owner + permission view_member_roles = guest + reporter + developer + maintainer + owner + permission link = guest + reporter + developer + maintainer + owner + permission unlink = guest + reporter + developer + maintainer + owner + permission sign_in_with_saml_provider = guest + reporter + developer + maintainer + owner + permission read_saml_user = owner + permission read_group_saml_identity = owner + permission log_in = guest + reporter + 
developer + maintainer + owner + permission accept_terms = guest + reporter + developer + maintainer + owner + permission decline_terms = guest + reporter + developer + maintainer + owner + permission access_admin_area = owner + permission access_api = guest + reporter + developer + maintainer + owner + permission access_git = guest + reporter + developer + maintainer + owner + permission access_x_ray_on_instance = owner + permission access_advanced_vulnerability_management = developer + maintainer + owner + permission access_code_suggestions = developer + maintainer + owner + permission access_glab_ask_git_command = developer + maintainer + owner + permission execute_graphql_mutation = guest + reporter + developer + maintainer + owner + permission receive_notifications = guest + reporter + developer + maintainer + owner + permission approve_user = owner + permission reject_user = owner + permission block_pipl_user = owner + permission delete_pipl_user = owner + permission view_instance_devops_adoption = owner + permission manage_devops_adoption_namespaces = owner + permission read_admin_role = owner + permission create_admin_role = owner + permission update_admin_role = owner + permission delete_admin_role = owner + permission destroy_licenses = owner + permission export_user_permissions = owner + permission manage_subscription = owner + permission manage_duo_core_settings = owner + permission read_duo_core_settings = owner + permission manage_self_hosted_models_settings = owner + permission read_self_hosted_models_settings = owner + permission manage_ldap_admin_links = owner + permission read_runner_upgrade_status = owner + permission read_custom_attribute = owner + permission update_custom_attribute = owner + permission read_users_list = owner + permission read_admin_users = owner + permission read_admin_subscription = owner + permission read_admin_system_information = owner + permission read_admin_health_check = owner + permission read_admin_background_jobs = 
owner + permission read_admin_background_migrations = owner + permission read_admin_cicd = owner + permission read_admin_gitaly_servers = owner + permission read_admin_metrics_dashboard = owner + permission create_instance_runner = owner + permission update_max_pages_size = owner + permission delete_merge_train_car = maintainer + owner + permission provision_cloud_runner = owner + permission provision_gke_runner = owner + permission list_subgroup_epics = reporter + developer + maintainer + owner + permission get_user_associations_count = guest + reporter + developer + maintainer + owner + permission make_profile_private = guest + reporter + developer + maintainer + owner + permission disable_two_factor = owner + permission delete_conversation_thread = owner + permission audit_event_definitions = owner + permission delete_tag = maintainer + owner + permission update_deploy_token = maintainer + owner + permission update_deploy_key = maintainer + owner + permission update_deploy_key_title = maintainer + owner + permission update_deploy_keys_project = maintainer + owner + permission create_virtual_registry = owner + permission update_virtual_registry = owner + permission destroy_virtual_registry = owner + permission admin_dependency_proxy_packages_settings = owner + permission execute_duo_workflow_in_ci = developer + maintainer + owner + permission link_forked_project = developer + maintainer + owner + permission access_x_ray_on_instance = owner + permission read_runner_manager = owner + permission read_ephemeral_token = owner + permission rotate_token = owner + permission revoke_token = owner + permission read_token = owner + permission read_user_personal_access_tokens = owner + permission create_user_personal_access_token = owner + permission admin_user_email_address = owner + permission read_user_email_address = owner + permission read_user_groups = guest + reporter + developer + maintainer + owner + permission read_user_membership_counts = guest + reporter + 
developer + maintainer + owner + permission read_user_organizations = guest + reporter + developer + maintainer + owner + permission read_user_preference = guest + reporter + developer + maintainer + owner + permission read_user_profile = guest + reporter + developer + maintainer + owner + permission update_name = guest + reporter + developer + maintainer + owner + permission update_user = owner + permission update_user_status = guest + reporter + developer + maintainer + owner + permission destroy_user = owner + permission update_user_achievement = owner + permission update_owned_user_achievement = owner + permission read_usage = owner + permission view_type_of_work_charts = reporter + developer + maintainer + owner + permission admin_import_source_user = owner + permission create_group_with_default_branch_protection = owner + permission create_group_via_api = owner + permission update_escalation_status = developer + maintainer + owner + permission view_package_registry_project_settings = reporter + developer + maintainer + owner + permission admin_group_model_selection = owner + permission edit_on_demand_dast_scan = developer + maintainer + owner + permission edit_billing = owner + permission edit_group_approval_rule = owner + permission edit_approval_rule = maintainer + owner + permission admin_software_license_policy = maintainer + owner + permission read_software_license_policy = reporter + developer + maintainer + owner + permission bulk_admin_epic = owner } -definition group { +definition user { + relation organization_member: organization + relation organization_owner: organization + + permission admin_user = user + organization_owner + permission create_user_personal_access_token = user + permission manage_user_personal_access_token = user + permission read_user = user + organization_member + organization_owner + + // Additional user permissions + permission read_user_profile = user + permission read_user_preference = user + permission 
read_user_email_address = user + permission admin_user_email_address = user + organization_owner + permission read_user_groups = user + permission read_user_organizations = user + permission read_user_membership_counts = user + permission read_user_personal_access_tokens = user + permission update_user = user + permission update_user_status = user + permission update_name = user + permission destroy_user = user + organization_owner + permission disable_two_factor = user + organization_owner + permission make_profile_private = user + permission get_user_associations_count = user + permission create_saved_replies = user + permission read_saved_replies = user + permission update_saved_replies = user + permission destroy_saved_replies = user + permission create_snippet = user + permission read_user_achievement = user + permission update_user_achievement = user + organization_owner + permission update_owned_user_achievement = user + permission destroy_user_achievement = user + organization_owner + permission receive_notifications = user + permission log_in = user + permission access_api = user + permission access_git = user + permission execute_graphql_mutation = user + permission use_quick_actions = user + permission use_slash_commands = user + permission request_access = user + permission export_user_permissions = organization_owner +} + +// Wiki resource +definition wiki_page { + relation project: project + relation group: group + relation author: user + + permission read_wiki_page = project->read_wiki + group->read_wiki + permission create_note = project->create_note + group->create_note + permission read_note = project->read_note + group->read_note + permission update_subscription = project->guest_access + group->guest_access +} + +// Snippet resource +definition snippet { + relation project: project + relation author: user + relation namespace: user + + permission read_snippet = author + project->read_snippet + permission admin_snippet = author + 
project->admin_snippet + permission update_snippet = author + project->update_snippet + permission cache_blob = author + project->guest_access + permission create_note = author + project->create_note + permission read_note = project->read_note + permission award_emoji = project->guest_access } -definition resource { - relation reader: user | user:* - relation writer: user | user:* +// Milestone resource +definition milestone { + relation project: project + relation group: group + + permission read_milestone = project->read_milestone + group->read_milestone + permission admin_milestone = project->admin_milestone + group->admin_milestone + permission read_resource_milestone_event = project->read_resource_milestone_event + group->read_resource_milestone_event +} + +// Label resource +definition label { + relation project: project + relation group: group + + permission read_label = project->read_label + group->read_label + permission admin_label = project->admin_label + group->admin_label + permission read_resource_label_event = project->read_resource_label_event + group->read_resource_label_event +} + +// Tag resource +definition tag { + relation project: project + relation creator: user + + permission delete_tag = project->delete_tag + permission admin_tag = project->admin_tag +} + +// Branch resource +definition branch { + relation project: project + + permission create_branch_rule = project->create_branch_rule + permission read_branch_rule = project->read_branch_rule + permission update_branch_rule = project->update_branch_rule + permission destroy_branch_rule = project->destroy_branch_rule +} + +// Protected branch resource +definition protected_branch { + relation project: project + + permission create_protected_branch = project->create_protected_branch + permission read_protected_branch = project->read_protected_branch + permission update_protected_branch = project->update_protected_branch + permission destroy_protected_branch = project->destroy_protected_branch 
+ permission admin_protected_branch = project->admin_protected_branch +} + +// Protected tag resource +definition protected_tag { + relation project: project + + permission create_protected_tags = project->create_protected_tags + permission read_protected_tags = project->read_protected_tags + permission update_protected_tags = project->update_protected_tags + permission destroy_protected_tags = project->destroy_protected_tags + permission manage_protected_tags = project->manage_protected_tags +} + +// Pipeline schedule resource +definition pipeline_schedule { + relation project: project + relation owner: user + + permission read_pipeline_schedule = project->read_pipeline_schedule + permission update_pipeline_schedule = owner + project->update_pipeline_schedule + permission admin_pipeline_schedule = project->admin_pipeline_schedule + permission play_pipeline_schedule = owner + project->play_pipeline_schedule + permission take_ownership_pipeline_schedule = project->take_ownership_pipeline_schedule + permission read_pipeline_schedule_variables = project->read_pipeline_schedule_variables +} - permission read = reader + writer - permission create = writer - permission update = writer - permission delete = writer +// Feature flag resource +definition feature_flag { + relation project: project + + permission create_feature_flag = project->create_feature_flag + permission read_feature_flag = project->read_feature_flag + permission update_feature_flag = project->update_feature_flag + permission admin_feature_flag = project->admin_feature_flag + permission destroy_feature_flag = project->destroy_feature_flag + permission admin_feature_flags_client = project->admin_feature_flags_client + permission admin_feature_flags_user_lists = project->admin_feature_flags_user_lists + permission admin_feature_flags_issue_links = project->admin_feature_flags_issue_links } + +// Alert management resource +definition alert { + relation project: project + + permission 
read_alert_management_alert = project->read_alert_management_alert + permission update_alert_management_alert = project->update_alert_management_alert + permission read_alert_management_metric_image = project->read_alert_management_metric_image + permission update_alert_management_metric_image = project->update_alert_management_metric_image + permission upload_alert_management_metric_image = project->upload_alert_management_metric_image + permission destroy_alert_management_metric_image = project->destroy_alert_management_metric_image +} + +// Incident management resource +definition incident { + relation project: project + + permission read_incident_management_timeline_event = project->read_incident_management_timeline_event + permission admin_incident_management_timeline_event = project->admin_incident_management_timeline_event + permission edit_incident_management_timeline_event = project->edit_incident_management_timeline_event + permission read_incident_management_timeline_event_tag = project->read_incident_management_timeline_event_tag + permission admin_incident_management_timeline_event_tag = project->admin_incident_management_timeline_event_tag + permission read_incident_management_escalation_policy = project->read_incident_management_escalation_policy + permission admin_incident_management_escalation_policy = project->admin_incident_management_escalation_policy + permission read_incident_management_oncall_schedule = project->read_incident_management_oncall_schedule + permission admin_incident_management_oncall_schedule = project->admin_incident_management_oncall_schedule + permission update_escalation_status = project->update_escalation_status +} + +// On-demand DAST scan resource +definition on_demand_dast_scan { + relation project: project + + permission create_on_demand_dast_scan = project->create_on_demand_dast_scan + permission read_on_demand_dast_scan = project->read_on_demand_dast_scan + permission edit_on_demand_dast_scan = 
project->edit_on_demand_dast_scan +} + +// Requirement resource +definition requirement { + relation project: project + + permission create_requirement = project->create_requirement + permission read_requirement = project->read_requirement + permission update_requirement = project->update_requirement + permission admin_requirement = project->admin_requirement + permission destroy_requirement = project->destroy_requirement +} + +// Build resource +definition build { + relation project: project + relation pipeline: pipeline + relation user: user + + permission read_build = project->read_build + permission read_build_trace = project->read_build_trace + permission read_build_metadata = project->read_build_metadata + permission read_job_artifacts = project->read_job_artifacts + permission update_build = project->update_build + permission cancel_build = user + project->cancel_build + permission erase_build = project->erase_build + permission play_job = project->play_job + permission create_build_terminal = project->create_build_terminal + permission read_web_ide_terminal = project->read_web_ide_terminal + permission update_web_ide_terminal = project->update_web_ide_terminal + permission create_build_service_proxy = project->create_build_service_proxy + permission update_commit_status = project->update_commit_status +} + +// CI job resource (enhanced) +definition ci_job { + relation pipeline: pipeline + relation project: project + relation runner: runner + + permission create_build = project->create_pipeline + permission download_code = project->download_code + permission read_build = project->read_build + permission read_container_image = project->read_container_image + permission read_project = project->read_project + permission read_ci_minutes_limited_summary = project->read_ci_minutes_limited_summary + permission jailbreak = project->jailbreak +} + +// Pipeline resource (enhanced) +definition pipeline { + relation author: user + relation ci_job_token: ci_job + 
relation project: project + + permission admin_pipeline = project->admin_pipeline + permission cancel_pipeline = project->developer + author + permission read_pipeline = project->read_project + permission update_pipeline = project->developer + author + ci_job_token + permission destroy_pipeline = project->destroy_pipeline + permission read_pipeline_metadata = project->read_pipeline_metadata + permission read_pipeline_variable = project->read_pipeline_variable +} + +// Runner resource (enhanced) +definition runner { + relation group: group + relation instance: organization + relation organization: organization + relation project: project + + permission admin_runner = project->admin_runner + group->admin_runner + organization->admin_organization + permission assign_runner = project->maintainer + group->maintainer + organization->admin + permission read_runner = project->read_project + group->read + organization->read + permission update_runner = project->admin_runner + group->admin_runner + organization->admin + permission delete_runner = project->admin_runner + group->admin_runner + organization->admin + permission read_builds = project->read_build + group->developer + organization->admin + permission read_ephemeral_token = project->admin_runner + group->admin_runner + organization->admin +} + +// Issue resource (enhanced) +definition issue { + relation assignee: user + relation author: user + relation epic: epic + relation project: project + + permission admin_issue = project->admin_issue + permission create_issue = project->create_issue + permission promote_to_epic = project->reporter + permission read_issue = project->read_project + permission set_confidentiality = project->reporter + permission update_issue = project->admin_issue + author + assignee + permission reopen_issue = project->reopen_issue + permission destroy_issue = project->destroy_issue + permission clone_issue = project->clone_issue + permission move_issue = project->move_issue + permission 
set_issue_metadata = project->set_issue_metadata + permission set_issue_crm_contacts = project->set_issue_crm_contacts + permission set_issue_iid = project->set_issue_iid + permission set_issue_created_at = project->set_issue_created_at + permission set_issue_updated_at = project->set_issue_updated_at + permission admin_issue_link = project->admin_issue_link + permission read_issue_link = project->read_issue_link + permission admin_issue_relation = project->admin_issue_relation + permission create_note = project->create_note + permission read_note = project->read_note + permission admin_note = project->admin_note + permission award_emoji = project->award_emoji + permission create_todo = project->create_todo + permission mark_note_as_internal = project->mark_note_as_internal + permission read_crm_contacts = project->read_crm_contacts + permission update_subscription = project->update_subscription +} + +// Merge request resource (enhanced) +definition merge_request { + relation assignee: user + relation author: user + relation project: project + relation reviewer: user + + permission accept_merge_request = project->accept_merge_request + permission admin_merge_request = project->developer + author + permission approve_merge_request = project->approve_merge_request + reviewer + permission create_merge_request_from = project->create_merge_request_from + permission read_merge_request = project->read_project + permission update_merge_request = project->update_merge_request + permission destroy_merge_request = project->destroy_merge_request + permission reopen_merge_request = project->reopen_merge_request + permission set_merge_request_metadata = project->set_merge_request_metadata + permission create_merge_request_approval_rules = project->create_merge_request_approval_rules + permission update_approvers = project->update_approvers + permission reset_merge_request_approvals = project->reset_merge_request_approvals + permission create_todo = project->create_todo + 
permission mark_note_as_internal = project->mark_note_as_internal + permission update_subscription = project->update_subscription + permission access_generate_commit_message = project->access_generate_commit_message + permission access_summarize_review = project->access_summarize_review + permission provide_status_check_response = project->provide_status_check_response + permission read_external_status_check_response = project->read_external_status_check_response + permission retry_failed_status_checks = project->retry_failed_status_checks +} + +// Epic resource (enhanced) +definition epic { + relation assignee: user + relation author: user + relation group: group + + permission admin_epic = group->admin_epic + author + permission create_epic = group->reporter + permission read_epic = group->read + permission update_epic = group->admin_epic + author + assignee + permission destroy_epic = group->owner + permission set_epic_metadata = group->reporter + permission set_epic_created_at = group->owner + permission set_epic_updated_at = group->owner + permission set_confidentiality = group->reporter + permission admin_epic_relation = group->developer + permission admin_epic_link_relation = group->developer + permission admin_epic_tree_relation = group->developer + permission create_epic_tree_relation = group->developer + permission read_epic_iid = group->read + permission read_epic_relation = group->read + permission read_epic_link_relation = group->read + permission create_note = group->create_note + permission read_note = group->read_note + permission admin_note = group->admin_note + permission award_emoji = group->award_emoji + permission create_todo = group->create_todo + permission mark_note_as_internal = group->mark_note_as_internal + permission measure_comment_temperature = group->measure_comment_temperature + permission read_issuable = group->read + permission read_issuable_participables = group->read + permission resolve_note = group->developer + permission 
summarize_comments = group->summarize_comments +} + +// Work item resource (enhanced) +definition work_item { + relation assignee: user + relation author: user + relation project: project + + permission admin_work_item = project->admin_issue + permission create_work_item = project->create_issue + permission read_work_item = project->read_project + permission update_work_item = project->admin_issue + author + assignee + permission delete_work_item = project->owner + permission clone_work_item = project->clone_work_item + permission move_work_item = project->move_work_item + permission set_work_item_metadata = project->set_work_item_metadata + permission admin_work_item_link = project->admin_work_item_link + permission admin_parent_link = project->admin_parent_link + permission report_spam = project->report_spam +} + +// Vulnerability resource (enhanced) +definition vulnerability { + relation author: user + relation finding: finding + relation project: project + + permission admin_vulnerability = project->admin_vulnerability + permission create_vulnerability_feedback = project->create_vulnerability_feedback + permission read_vulnerability = project->read_vulnerability + permission read_vulnerability_representation_information = project->read_vulnerability_representation_information + permission create_external_issue_link = project->create_external_issue_link +} + +// Finding resource (enhanced) +definition finding { + relation project: project + relation scanner: scanner + + permission admin_finding = project->admin_vulnerability + permission read_finding = project->read_vulnerability + permission read_finding_token_status = project->read_finding_token_status +} + +// Container repository resource (enhanced) +definition container_repository { + relation group: group + relation project: project + + permission admin_container_image = project->admin_container_image + permission destroy_container_image = project->admin_container_image + permission read_container_image = 
project->read_container_image + group->read_container_image + permission create_container_image = project->create_container_image + permission update_container_image = project->update_container_image + permission destroy_container_image_tag = project->destroy_container_image_tag +} + +// Package resource (enhanced) +definition package { + relation group: group + relation project: project + + permission admin_package = project->admin_package + group->admin_package + permission create_package = project->developer + permission destroy_package = project->admin_package + permission read_package = project->read_package + group->read_package + permission read_package_within_public_registries = project->read_package_within_public_registries + group->read_package_within_public_registries +} + +// Environment resource (enhanced) +definition environment { + relation deployment: deployment + relation project: project + + permission admin_environment = project->maintainer + permission read_environment = project->read_project + permission stop_environment = project->developer + permission create_environment = project->create_environment + permission update_environment = project->update_environment + permission destroy_environment = project->destroy_environment + permission create_environment_terminal = project->create_environment_terminal +} + +// Deployment resource (enhanced) +definition deployment { + relation author: user + relation environment: environment + relation project: project + + permission admin_deployment = project->maintainer + permission approve_deployment = project->maintainer + permission read_deployment = project->read_project + permission create_deployment = project->create_deployment + permission update_deployment = project->update_deployment + permission destroy_deployment = project->destroy_deployment + permission read_pages_deployments = project->read_pages_deployments + permission update_pages_deployments = project->update_pages_deployments +} + +// 
Member role resource (enhanced) +definition member_role { + relation group: group + relation organization: organization + + permission admin_member_role = group->owner + organization->admin + permission read_member_role = group->read + organization->read + permission delete_admin_role = organization->admin + permission read_admin_role = organization->admin + permission update_admin_role = organization->admin +} + +// Compliance framework resource (enhanced) +definition compliance_framework { + relation group: group + relation organization: organization + + permission admin_compliance_framework = group->admin_compliance_framework + organization->admin_compliance_framework + permission read_compliance_framework = group->read + organization->read + permission admin_compliance_pipeline_configuration = group->admin_compliance_pipeline_configuration +} + +// Audit event resource (enhanced) +definition audit_event { + relation group: group + relation project: project + relation organization: organization + + permission admin_external_audit_events = group->owner + organization->admin_external_audit_events + permission read_audit_event = group->owner + project->owner + organization->admin + permission read_admin_audit_log = organization->admin + permission admin_instance_external_audit_events = organization->admin + permission audit_event_definitions = organization->admin +} + +// Deploy token resource (enhanced) +definition deploy_token { + relation project: project + relation group: group + + permission read_registry = project->read_container_image + group->read_container_image + permission read_repository = project->read_code + group->read_code + permission write_registry = project->developer + group->developer + permission create_deploy_token = project->create_deploy_token + group->create_deploy_token + permission update_deploy_token = project->update_deploy_token + group->manage_deploy_tokens +} + +// Personal access token resource (enhanced) +definition 
personal_access_token {
+ relation user: user
+ relation organization: organization
+
+ permission admin_token = user->user + organization->admin
+ permission use_token = user->user + organization->member
+ permission read_token = user->user
+ permission revoke_token = user->user + organization->admin
+ permission rotate_token = user->user
+}
+
+// Scanner resource (enhanced)
+definition scanner {
+ relation project: project
+ relation group: group
+
+ permission admin_scanner = project->admin_vulnerability + group->admin_vulnerability
+ permission read_scanner = project->read_project + group->read
+ permission read_scan = project->read_scan
+}
+
+// Note resource
+definition note {
+ relation project: project
+ relation group: group
+ relation author: user
+ relation noteable_issue: issue
+ relation noteable_merge_request: merge_request
+ relation noteable_epic: epic
+
+ permission read_note = project->read_note + group->read_note + author
+ permission admin_note = project->admin_note + group->admin_note + author
+ permission update_note = author + project->admin_note + group->admin_note
+ permission resolve_note = project->resolve_note + group->resolve_note
+ permission reposition_note = project->reposition_note + group->reposition_note
+ permission mark_note_as_internal = project->mark_note_as_internal + group->mark_note_as_internal
+ permission award_emoji = project->award_emoji + group->award_emoji
+}
+
+// Todo resource
+definition todo {
+ relation user: user
+ relation project: project
+ relation group: group
+
+ permission read_todo = user
+ permission update_todo = user
+}
+
+// Timelog resource
+definition timelog {
+ relation project: project
+ relation group: group
+ relation user: user
+
+ permission admin_timelog = project->admin_timelog + group->admin_timelog
+ permission create_timelog = project->create_timelog + group->create_timelog
+}
+
+// Custom emoji resource
+definition custom_emoji {
+ relation group: group
+ relation creator: user
+
+ permission read_custom_emoji = group->read_custom_emoji
+ permission delete_custom_emoji = group->delete_custom_emoji + creator
+}
+
+// Saved reply resource
+definition saved_reply {
+ relation user: user
+ relation project: project
+ relation group: group
+
+ permission create_saved_replies = user + project->create_saved_replies + group->create_saved_replies
+ permission read_saved_replies = user + project->read_saved_replies + group->read_saved_replies
+ permission update_saved_replies = user + project->update_saved_replies + group->update_saved_replies
+ permission destroy_saved_replies = user + project->destroy_saved_replies + group->destroy_saved_replies
+}
+
+// Achievement resource
+definition achievement {
+ relation namespace: group
+ relation user: user
+
+ permission read_achievement = namespace->read_achievement
+ permission admin_achievement = namespace->admin_achievement
+ permission award_achievement = namespace->award_achievement
+ permission read_user_achievement = user
+ permission update_user_achievement = namespace->admin_achievement
+ permission update_owned_user_achievement = user
+ permission destroy_user_achievement = namespace->admin_achievement
+}
+
+// Virtual registry resource
+definition virtual_registry {
+ relation group: group
+
+ permission read_virtual_registry = group->read_virtual_registry
+ permission create_virtual_registry = group->create_virtual_registry
+ permission update_virtual_registry = group->update_virtual_registry
+ permission destroy_virtual_registry = group->destroy_virtual_registry
+}
+
+// Workspace resource
+definition workspace {
+ relation project: project
+ relation user: user
+
+ permission create_workspace = project->create_workspace
+ permission read_workspace = project->read_workspace + user
+ permission update_workspace = project->update_workspace + user
+ permission read_workspace_variable = project->read_workspace_variable
+ permission read_workspaces_agent_config = project->read_workspaces_agent_config
+ permission access_workspaces_feature = project->access_workspaces_feature
+ permission read_all_workspaces = project->owner
+}
+
+// CRM contact resource
+definition crm_contact {
+ relation group: group
+
+ permission read_crm_contact = group->read_crm_contact
+ permission admin_crm_contact = group->admin_crm_contact
+}
+
+// CRM organization resource
+definition crm_organization {
+ relation group: group
+
+ permission read_crm_organization = group->read_crm_organization
+ permission admin_crm_organization = group->admin_crm_organization
+}
+
+// Custom field resource
+definition custom_field {
+ relation project: project
+ relation group: group
+
+ permission read_custom_field = project->read_custom_field + group->read_custom_field
+ permission admin_custom_field = project->admin_custom_field + group->admin_custom_field
+}
+
+// Duo workflow resource
+definition duo_workflow {
+ relation group: group
+ relation project: project
+
+ permission admin_duo_workflow = group->admin_duo_workflow
+ permission read_duo_workflow = group->read_duo_workflow + project->duo_workflow
+ permission update_duo_workflow = group->update_duo_workflow
+ permission destroy_duo_workflow = group->destroy_duo_workflow
+ permission execute_duo_workflow_in_ci = group->execute_duo_workflow_in_ci + project->execute_duo_workflow_in_ci
+ permission read_duo_workflow_event = group->read_duo_workflow_event + project->read_duo_workflow_event
+}
+
+// Group stage resource
+definition group_stage {
+ relation group: group
+
+ permission create_group_stage = group->create_group_stage
+ permission read_group_stage = group->read_group_stage
+ permission update_group_stage = group->update_group_stage
+ permission delete_group_stage = group->delete_group_stage
+}
+
+// Resource access token resource
+definition resource_access_token {
+ relation project: project
+ relation group: group
+
+ permission read_resource_access_tokens = project->read_resource_access_tokens + group->read_resource_access_tokens
+ permission create_resource_access_tokens = project->create_resource_access_tokens + group->create_resource_access_tokens
+ permission destroy_resource_access_tokens = project->destroy_resource_access_tokens + group->destroy_resource_access_tokens
+ permission manage_resource_access_tokens = project->manage_resource_access_tokens + group->manage_resource_access_tokens
+}
+
+// Cluster resource
+definition cluster {
+ relation project: project
+ relation group: group
+ relation instance: organization
+
+ permission read_cluster = project->read_cluster + group->read_cluster + instance->read
+ permission add_cluster = project->add_cluster + group->add_cluster + instance->admin
+ permission create_cluster = project->create_cluster + group->create_cluster + instance->admin
+ permission update_cluster = project->update_cluster + group->update_cluster + instance->admin
+ permission admin_cluster = project->admin_cluster + group->admin_cluster + instance->admin
+ permission read_cluster_environments = project->read_cluster_environments + group->read_cluster_environments + instance->read
+ permission use_k = project->use_k + group->use_k + instance->admin
+}
+
+// Cluster agent resource
+definition cluster_agent {
+ relation project: project
+ relation group: group
+ relation organization: organization
+
+ permission read_cluster_agent = project->read_cluster_agent + group->read_cluster_agent + organization->read_organization_cluster_agent_mapping
+ permission admin_namespace_cluster_agent_mapping = group->admin_namespace_cluster_agent_mapping
+ permission admin_organization_cluster_agent_mapping = organization->admin_organization_cluster_agent_mapping
+ permission read_namespace_cluster_agent_mapping = group->read_namespace_cluster_agent_mapping
+ permission read_organization_cluster_agent_mapping = organization->read_organization_cluster_agent_mapping
+}
+
+// Service account resource
+definition service_account {
+ relation organization: organization
+ relation group: group
+
+ permission admin_service_accounts = organization->admin_service_accounts + group->admin_service_accounts
+ permission create_service_account = organization->create_service_account + group->create_service_account
+ permission delete_service_account = organization->delete_service_account + group->delete_service_account
+ permission admin_service_account_member = group->admin_service_account_member
+}
+
+// Import source user resource
+definition source_user {
+ relation namespace: group
+
+ permission admin_import_source_user = namespace->owner
+}
+
+// Admin role resource
+definition admin_role {
+ relation organization: organization
+
+ permission read_admin_role = organization->admin
+ permission create_admin_role = organization->admin
+ permission update_admin_role = organization->admin
+ permission delete_admin_role = organization->admin
+}
+
+// Terms resource
+definition term {
+ relation user: user
+
+ permission accept_terms = user
+ permission decline_terms = user
+}
+
+// SAML provider resource
+definition saml_provider {
+ relation group: group
+
+ permission sign_in_with_saml_provider = group->guest_access
+ permission admin_group_saml = group->admin_group_saml
+ permission read_group_saml_identity = group->read_group_saml_identity
+ permission admin_saml_group_links = group->admin_saml_group_links
+ permission read_saml_user = group->read_saml_user
+}
+
+// Thread resource (for conversations)
+definition thread {
+ relation user: user
+
+ permission delete_conversation_thread = user
+}
+
+// Global resource for instance-wide permissions
+definition global {
+ relation admin: user
+ relation user: user
+
+ permission access_admin_area = admin
+ permission access_api = user
+ permission access_git = user
+ permission access_code_suggestions = user
+ permission access_duo_chat = user
+ permission access_duo_core_features = user
+ permission access_glab_ask_git_command = user
+ permission access_workspaces_feature = user
+ permission access_x_ray_on_instance = admin
+ permission admin_instance_external_audit_events = admin
+ permission admin_member_role = admin
+ permission admin_service_accounts = admin
+ permission admin_web_hook = admin
+ permission approve_user = admin
+ permission create_admin_role = admin
+ permission create_group = user
+ permission create_group_via_api = user
+ permission create_group_with_default_branch_protection = admin
+ permission create_instance_runner = admin
+ permission create_organization = admin
+ permission create_snippet = user
+ permission destroy_licenses = admin
+ permission execute_graphql_mutation = user
+ permission export_user_permissions = admin
+ permission log_in = user
+ permission manage_devops_adoption_namespaces = admin
+ permission manage_duo_core_settings = admin
+ permission manage_ldap_admin_links = admin
+ permission manage_self_hosted_models_settings = admin
+ permission manage_subscription = admin
+ permission read_admin_audit_log = admin
+ permission read_admin_background_jobs = admin
+ permission read_admin_background_migrations = admin
+ permission read_admin_cicd = admin
+ permission read_admin_gitaly_servers = admin
+ permission read_admin_health_check = admin
+ permission read_admin_metrics_dashboard = admin
+ permission read_admin_role = admin
+ permission read_admin_subscription = admin
+ permission read_admin_system_information = admin
+ permission read_admin_users = admin
+ permission read_all_geo = admin
+ permission read_all_workspaces = admin
+ permission read_application_statistics = admin
+ permission read_billable_member = admin
+ permission read_cloud_connector_status = admin
+ permission read_custom_attribute = admin
+ permission read_instance_metadata = admin
+ permission read_jobs_statistics = admin
+ permission read_licenses = admin
+ permission read_member_role = admin
+ permission read_operations_dashboard = admin
+ permission read_runner_upgrade_status = admin
+ permission read_runner_usage = admin
+ permission read_usage_trends_measurement = admin
+ permission read_users_list = admin
+ permission read_web_hook = admin
+ permission receive_notifications = user
+ permission reject_user = admin
+ permission update_custom_attribute = admin
+ permission update_max_pages_size = admin
+ permission use_project_statistics_filters = user
+ permission use_quick_actions = user
+ permission use_slash_commands = user
+ permission view_instance_devops_adoption = admin
+ permission view_member_roles = user
+ permission view_productivity_analytics = user
+ permission read_duo_core_settings = admin
+ permission read_self_hosted_models_settings = admin
+}
\ No newline at end of file |
