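// Comprehensive GitLab SpiceDB Schema
// Based on systematic analysis of 798 GitLab permissions from 487+ policy files
// Includes all permissions from app/policies and ee/app/policies
// Full support for CI_JOB_TOKEN permissions and Custom Roles
//
// Conventions used in this file:
//   - Role relations (guest, reporter, developer, maintainer, owner) are flat
//     membership relations; role inheritance is expressed per permission by
//     listing every role that qualifies (e.g. "guest + reporter + ... + owner").
//   - Arrows (relation->permission) delegate to the related object, so a
//     permission granted on an organization or parent group flows down.
//   - Permission names mirror GitLab policy ability names so that a check
//     "resource#ability@user:id" maps 1:1 onto a policy `can?` call.

// A top-level GitLab organization. Groups reference it through their
// `organization` relation and inherit read / admin from it.
definition organization {
    relation admin: user
    relation member: user
    relation owner: user

    // Core permissions
    permission read = member + admin + owner
    permission admin_organization = admin + owner
    permission create_group = member + admin + owner
    permission admin_compliance_framework = admin + owner
    permission admin_external_audit_events = admin + owner

    // Additional organization permissions
    permission create_organization = admin + owner
    permission admin_instance_external_audit_events = admin + owner
    permission read_organization = member + admin + owner
    permission read_all_organization_resources = admin + owner
    permission admin_service_accounts = admin + owner
    permission create_service_account = admin + owner
    permission delete_service_account = admin + owner
    permission admin_organization_cluster_agent_mapping = admin + owner
    permission read_organization_cluster_agent_mapping = member + admin + owner
    permission read_organization_user = member + admin + owner
    permission update_organization_user = admin + owner
    permission remove_user = admin + owner
    permission delete_user = admin + owner
    permission admin_add_on_purchase = admin + owner
    permission manage_destroy = admin + owner
}

// A GitLab group (namespace). Read access is inherited from the parent group
// chain and from organization membership; admin access is inherited from the
// organization's admin_organization permission.
definition group {
    relation developer: user
    relation group_bot: user
    relation guest: user
    relation maintainer: user
    relation organization: organization
    relation owner: user
    relation parent_group: group
    relation planner: user
    relation reporter: user
    // NOTE(review): service_account is declared but not referenced by any
    // permission in this definition; confirm whether it is intentionally
    // membership-only or should feed a permission.
    relation service_account: user

    // Core access permissions
    // NOTE(review): `read` delegates to organization->member while
    // `admin_group` below delegates to organization->admin_organization, so an
    // organization admin/owner who is not also an organization member can
    // admin this group without being able to read it. organization->read
    // (member + admin + owner) may be the intended target — confirm.
    // NOTE(review): planner and group_bot are not included in `read` even
    // though planner_access / project_bot_access grant them a role — confirm
    // that is intended.
    permission read = guest + reporter + developer + maintainer + owner + organization->member + parent_group->read
    // Alias of `read`, kept for callers that check the GitLab ability name.
    permission read_group = read
    permission guest_access = guest + reporter + developer + maintainer + owner
    permission reporter_access = reporter + developer + maintainer + owner
    permission developer_access = developer + maintainer + owner
    permission maintainer_access = maintainer + owner
    permission owner_access = owner
    permission planner_access = planner + reporter + developer + maintainer + owner
    permission project_bot_access = group_bot

    // Administrative permissions
    permission admin_group = owner + organization->admin_organization
    permission admin_group_member = maintainer + owner
    permission admin_compliance_framework = owner + organization->admin_compliance_framework
    permission admin_epic = reporter + developer + maintainer + owner
    permission admin_cicd_variables = maintainer + owner
    permission admin_runner = owner
    // admin_vulnerability was previously declared twice in this definition
    // (here and under "Security permissions"); duplicate names are rejected
    // by the schema compiler, so it is now declared once, under Security.
    permission archive_group = owner
    permission remove_group = owner
    permission change_visibility_level = owner

    // Wiki permissions
    permission create_wiki = developer + maintainer + owner
    permission admin_wiki = maintainer + owner
    permission read_wiki = guest + reporter + developer + maintainer + owner
    permission download_wiki_code = reporter + developer + maintainer + owner

    // Milestone and iteration permissions
    permission admin_milestone = reporter + developer + maintainer + owner
    permission read_milestone = guest + reporter + developer + maintainer + owner
    permission create_milestone = reporter + developer + maintainer + owner
    permission admin_iteration = reporter + developer + maintainer + owner
    permission read_iteration = guest + reporter + developer + maintainer + owner
    permission create_iteration = developer + maintainer + owner
    permission admin_iteration_cadence = developer + maintainer + owner
    permission read_iteration_cadence = guest + reporter + developer + maintainer + owner
    permission create_iteration_cadence = developer + maintainer + owner

    // Label permissions
    permission admin_label = reporter + developer + maintainer + owner
    permission read_label = guest + reporter + developer + maintainer + owner
    permission read_group_labels = guest + reporter + developer + maintainer + owner

    // Issue board permissions
    permission admin_issue_board = reporter + developer + maintainer + owner
    permission read_issue_board = guest + reporter + developer + maintainer + owner
    permission admin_issue_board_list = reporter + developer + maintainer + owner
    permission read_issue_board_list = guest + reporter + developer + maintainer + owner

    // Epic board permissions (EE)
    permission admin_epic_board = reporter + developer + maintainer + owner
    permission read_epic_board = guest + reporter + developer + maintainer + owner
    permission admin_epic_board_list = reporter + developer + maintainer + owner
    permission read_epic_board_list = guest + reporter + developer + maintainer + owner

    // Package and container permissions
    permission admin_package = maintainer + owner
    permission read_package = guest + reporter + developer + maintainer + owner
    permission create_package = developer + maintainer + owner
    permission destroy_package = maintainer + owner
    permission read_container_image = guest + reporter + developer + maintainer + owner

    // Security permissions
    permission read_security_dashboard = reporter + developer + maintainer + owner
    permission read_group_security_dashboard = reporter + developer + maintainer + owner
    permission access_security_and_compliance = developer + maintainer + owner
    permission admin_vulnerability = developer + maintainer + owner
    permission read_vulnerability = reporter + developer + maintainer + owner
    permission resolve_vulnerability_with_ai = developer + maintainer + owner

    // Analytics permissions
    permission read_group_analytics_dashboards = reporter + developer + maintainer + owner
    permission view_productivity_analytics = reporter + developer + maintainer + owner
    permission read_group_activity_analytics = reporter + developer + maintainer + owner
    permission read_group_contribution_analytics = reporter + developer + maintainer + owner
    permission read_group_repository_analytics = reporter + developer + maintainer + owner
    permission view_group_devops_adoption = reporter + developer + maintainer + owner
    permission view_group_ci_cd_analytics = reporter + developer + maintainer + owner
    permission read_ci_cd_analytics = reporter + developer + maintainer + owner
    permission read_group_build_report_results = reporter + developer + maintainer + owner
    permission read_group_coverage_reports = reporter + developer + maintainer + owner

    // Compliance permissions
    permission read_compliance_dashboard = reporter + developer + maintainer + owner
    permission admin_compliance_pipeline_configuration = owner
    permission read_compliance_adherence_report = developer + maintainer + owner
    permission read_compliance_violations_report = developer + maintainer + owner
    permission read_group_audit_events = owner

    // Member management
    permission admin_member_access_request = maintainer + owner
    permission read_member_access_request = guest + reporter + developer + maintainer + owner
    permission invite_group_members = maintainer + owner
    permission override_group_member = owner
    permission activate_group_member = maintainer + owner
    permission ban_group_member = owner
    permission destroy_group_member = owner
    permission update_group_member = maintainer + owner

    // Service account permissions
    permission admin_service_account_member = owner
    permission create_service_account = owner
    permission delete_service_account = owner

    // Runner permissions
    permission register_group_runners = maintainer + owner
    permission admin_group_or_admin_runner = owner
    permission read_group_runners = reporter + developer + maintainer + owner
    permission read_group_all_available_runners = reporter + developer + maintainer + owner

    // CRM permissions (EE)
    permission admin_crm_contact = reporter + developer + maintainer + owner
    permission read_crm_contact = guest + reporter + developer + maintainer + owner
    permission admin_crm_organization = reporter + developer + maintainer + owner
    permission read_crm_organization = guest + reporter + developer + maintainer + owner

    // Custom field permissions (EE)
    permission admin_custom_field = owner
    permission read_custom_field = guest + reporter + developer + maintainer + owner

    // Deploy token permissions
    permission create_deploy_token = maintainer + owner
    permission read_deploy_token = maintainer + owner
    permission destroy_deploy_token = maintainer + owner
    permission manage_deploy_tokens = maintainer + owner
    permission update_group_deploy_key = maintainer + owner
    permission update_group_deploy_key_for_group = maintainer + owner

    // Dependency proxy permissions
    permission admin_dependency_proxy = owner
    permission read_dependency_proxy = guest + reporter + developer + maintainer + owner

    // AI/Duo permissions
    permission access_duo_features = developer + maintainer + owner
    permission access_duo_chat = developer + maintainer + owner
    permission access_ai_review_mr = developer + maintainer + owner
    permission admin_duo_workflow = owner
    permission read_duo_workflow = developer + maintainer + owner
    permission update_duo_workflow = maintainer + owner
    permission destroy_duo_workflow = owner
    permission execute_duo_workflow_in_ci = developer + maintainer + owner

    // Group settings permissions
    permission change_share_with_group_lock = owner
    permission change_prevent_sharing_groups_outside_hierarchy = owner
    permission change_prevent_group_forking = owner
    permission set_emails_disabled = owner
    permission set_show_diff_preview_in_email = owner
    permission change_new_user_signups_cap = owner
    permission change_seat_control = owner

    // Additional permissions
    permission create_projects = maintainer + owner
    permission transfer_projects = owner
    permission import_projects = owner
    permission admin_namespace = owner
    permission read_namespace = guest + reporter + developer + maintainer + owner
    permission admin_namespace_cluster_agent_mapping = owner
    permission read_namespace_cluster_agent_mapping = guest + reporter + developer + maintainer + owner
    permission create_subgroup = owner
    permission list_subgroup_epics = reporter + developer + maintainer + owner
    permission admin_integrations = owner
    permission read_group_member = guest + reporter + developer + maintainer + owner
    permission read_group_metadata = guest + reporter + developer + maintainer + owner
    permission read_group_activity = guest + reporter + developer + maintainer + owner
    permission read_group_issues = guest + reporter + developer + maintainer + owner
    permission read_group_merge_requests = guest + reporter + developer + maintainer + owner
    permission read_group_milestones = guest + reporter + developer + maintainer + owner
    permission read_group_boards = guest + reporter + developer + maintainer + owner
    permission read_group_release_stats = reporter + developer + maintainer + owner
    permission read_group_credentials_inventory = owner
    permission admin_group_credentials_inventory = owner
    permission create_custom_emoji = developer + maintainer + owner
    permission read_custom_emoji = guest + reporter + developer + maintainer + owner
    permission delete_custom_emoji = owner
    permission upload_file = guest + reporter + developer + maintainer + owner
    permission read_upload = guest + reporter + developer + maintainer + owner
    permission destroy_upload = maintainer + owner
    permission admin_upload = owner
    permission create_group_stage = owner
    permission read_group_stage = guest + reporter + developer + maintainer + owner
    permission update_group_stage = owner
    permission delete_group_stage = owner
    permission admin_ldap_group_links = owner
    permission admin_saml_group_links = owner
    permission admin_group_saml = owner
    permission read_group_saml_identity = owner
    permission create_jira_connect_subscription = owner
    permission read_billable_member = owner
    permission read_billing = owner
    permission edit_billing = owner
    permission start_trial = owner
    permission admin_licensed_seat = owner
    permission update_subscription_limit = owner
    permission read_usage_quotas = owner
    permission admin_push_rules = owner
    permission change_push_rules = owner
    permission change_commit_committer_check = owner
    permission change_commit_committer_name_check = owner
    permission change_reject_unsigned_commits = owner
    permission change_reject_non_dco_commits = owner
    permission enable_secret_push_protection = owner
    permission read_saml_user = owner
    permission read_limit_alert = owner
    permission read_licenses = owner
    permission read_dependency = guest + reporter + developer + maintainer + owner
    permission read_lifecycle = reporter + developer + maintainer + owner
    permission read_counts = reporter + developer + maintainer + owner
    permission manage_merge_request_settings = owner
    permission update_approval_rule = owner
    permission export_group_memberships = owner
    permission rollover_issues = owner
    permission admin_achievement = owner
    permission read_achievement = guest + reporter + developer + maintainer + owner
    permission award_achievement = owner
    permission read_insights = reporter + developer + maintainer + owner
    // Resource access tokens are credentials: only owners may mint, revoke or
    // manage them; maintainers may list them.
    permission read_resource_access_tokens = maintainer + owner
    permission create_resource_access_tokens = owner
    permission destroy_resource_access_tokens = owner
    permission manage_resource_access_tokens = owner
    permission admin_setting_to_allow_resource_access_token_creation = owner
    permission read_member_role = guest + reporter + developer + maintainer + owner
    permission admin_member_role = owner
    permission view_member_roles = guest + reporter + developer + maintainer + owner
    permission generate_description = developer + maintainer + owner
    permission read_virtual_registry = guest + reporter + developer + maintainer + owner
    permission create_virtual_registry = owner
    permission update_virtual_registry = owner
    permission destroy_virtual_registry = owner
    permission create_saved_replies = developer + maintainer + owner
    permission read_saved_replies = guest + reporter + developer + maintainer + owner
    permission update_saved_replies = developer + maintainer + owner
    permission destroy_saved_replies = developer + maintainer + owner
    permission admin_value_stream = owner
    permission modify_value_stream_dashboard_settings = owner
    permission read_internal_note = reporter + developer + maintainer + owner
    permission read_note = guest + reporter + developer + maintainer + owner
    permission create_note = guest + reporter + developer + maintainer + owner
    permission admin_note = maintainer + owner
    permission mark_note_as_internal = reporter + developer + maintainer + owner
    permission award_emoji = guest + reporter + developer + maintainer + owner
    permission admin_web_hook = owner
    permission read_web_hook = maintainer + owner
    permission manage_devops_adoption_namespaces = owner
    permission provision_cloud_runner = owner
    permission provision_gke_runner = owner
    permission read_runner_cloud_provisioning_info = owner
    permission read_runner_gke_provisioning_info = owner
    permission use_k = developer + maintainer + owner
    permission view_type_of_work_charts = reporter + developer + maintainer + owner
    permission view_edit_page = developer + maintainer + owner
    permission view_globally = guest + reporter + developer + maintainer + owner
    permission summarize_comments = developer + maintainer + owner
    permission set_note_created_at = owner
    permission set_issue_created_at = owner
    permission set_issue_updated_at = owner
    permission set_epic_created_at = owner
    permission set_epic_updated_at = owner
    permission set_show_default_award_emojis = owner
    permission set_warn_about_potentially_unwanted_characters = owner
    permission measure_comment_temperature = developer + maintainer + owner
    permission read_product_analytics = reporter + developer + maintainer + owner
    permission modify_product_analytics_settings = owner
    permission read_harbor_registry = reporter + developer + maintainer + owner
    permission read_cluster = reporter + developer + maintainer + owner
    permission admin_cluster = owner
    permission create_cluster = owner
    permission update_cluster = owner
    permission add_cluster = owner
    permission read_cluster_agent = reporter + developer + maintainer + owner
    permission read_cluster_environments = reporter + developer + maintainer + owner
    permission read_prometheus = reporter + developer + maintainer + owner
    permission read_grafana = reporter + developer + maintainer + owner
    permission admin_protected_environments = owner
    permission export_work_items = reporter + developer + maintainer + owner
    permission import_work_items = developer + maintainer + owner
    permission admin_work_item = reporter + developer + maintainer + owner
    permission read_work_item = guest + reporter + developer + maintainer + owner
    permission create_work_item = guest + reporter + developer + maintainer + owner
    permission update_work_item = reporter + developer + maintainer + owner
    permission admin_issue = reporter + developer + maintainer + owner
    permission read_issue = guest + reporter + developer + maintainer + owner
    permission create_issue = guest + reporter + developer + maintainer + owner
    permission update_issue = reporter + developer + maintainer + owner
    permission destroy_issue = owner
    permission reopen_issue = reporter + developer + maintainer + owner
    permission create_task = guest + reporter + developer + maintainer + owner
    permission create_key_result = developer + maintainer + owner
    permission create_objective = developer + maintainer + owner
    permission set_issue_metadata = reporter + developer + maintainer + owner
    permission set_work_item_metadata = reporter + developer + maintainer + owner
    permission clone_issue = reporter + developer + maintainer + owner
    permission clone_work_item = reporter + developer + maintainer + owner
    permission move_issue = reporter + developer + maintainer + owner
    permission move_work_item = reporter + developer + maintainer + owner
    permission admin_merge_request = developer + maintainer + owner
    permission update_merge_request = developer + maintainer + owner
    permission create_epic_tree_relation = developer + maintainer + owner
    permission admin_epic_relation = developer + maintainer + owner
    permission admin_epic_link_relation = developer + maintainer + owner
    permission admin_epic_tree_relation = developer + maintainer + owner
    permission bulk_admin_epic = owner
    permission read_epic_iid = guest + reporter + developer + maintainer + owner
    permission read_epic_relation = guest + reporter + developer + maintainer + owner
    permission read_epic_link_relation = guest + reporter + developer + maintainer + owner
    permission set_epic_metadata = reporter + developer + maintainer + owner
    permission set_confidentiality = reporter + developer + maintainer + owner
    permission create_timelog = reporter + developer + maintainer + owner
    permission admin_timelog = owner
    permission read_timelog_category = guest + reporter + developer + maintainer + owner
    permission read_issuable = guest + reporter + developer + maintainer + owner
    permission read_issuable_participables = guest + reporter + developer + maintainer + owner
    permission create_todo = guest + reporter + developer + maintainer + owner
    permission update_todo = guest + reporter + developer + maintainer + owner
    permission read_todo = guest + reporter + developer + maintainer + owner
    permission update_subscription = guest + reporter + developer + maintainer + owner
    permission reopen_merge_request = developer + maintainer + owner
    permission resolve_note = developer + maintainer + owner
    permission reposition_note = developer + maintainer + owner
    permission request_access = guest
    permission withdraw_member_access_request = guest + reporter + developer + maintainer + owner
    permission read_shared_with_group = guest + reporter + developer + maintainer + owner
    permission update_default_branch_protection = owner
    permission update_git_access_protocol = owner
    permission update_max_artifacts_size = owner
    permission read_statistics = reporter + developer + maintainer + owner
    permission read_cycle_analytics = reporter + developer + maintainer + owner
    permission read_design_activity = reporter + developer + maintainer + owner
    permission read_namespace_via_membership = guest + reporter + developer + maintainer + owner
    permission read_nested_project_resources = guest + reporter + developer + maintainer + owner
    permission read_namespace_catalog = guest + reporter + developer + maintainer + owner
    permission read_dora = reporter + developer + maintainer + owner
    permission read_enterprise_ai_analytics = reporter + developer + maintainer + owner
    permission read_pro_ai_analytics = reporter + developer + maintainer + owner
    permission read_security_inventory = developer + maintainer + owner
    permission read_security_configuration = developer + maintainer + owner
    permission read_security_orchestration_policies = developer + maintainer + owner
    permission read_security_orchestration_policy_project = developer + maintainer + owner
    permission update_security_orchestration_policy_project = owner
    permission modify_security_policy = owner
    permission admin_security_testing = owner
    permission enable_continuous_vulnerability_scans = owner
    permission configure_secret_detection_validity_checks = owner
    permission read_secret_detection_validity_checks_status = developer + maintainer + owner
    permission read_secret_push_protection_info = developer + maintainer + owner
    permission admin_merge_request_approval_settings = owner
    permission modify_approvers_rules = owner
    permission modify_merge_request_author_setting = owner
    permission modify_merge_request_committer_setting = owner
    permission edit_group_approval_rule = owner
    permission read_group_approval_rule = reporter + developer + maintainer + owner
    permission create_vulnerability_export = developer + maintainer + owner
    permission read_vulnerability_export = developer + maintainer + owner
    permission read_vulnerability_statistics = reporter + developer + maintainer + owner
    permission read_jobs_statistics = reporter + developer + maintainer + owner
    permission read_runner_usage = owner
    // Runner registration tokens are credentials; owners only.
    permission read_runners_registration_token = owner
    permission update_runners_registration_token = owner
    permission read_package_within_public_registries = guest + reporter + developer + maintainer + owner
    permission read_code = guest + reporter + developer + maintainer + owner
    permission read_resource_state_event = guest + reporter + developer + maintainer + owner
    permission read_resource_weight_event = guest + reporter + developer + maintainer + owner
    permission read_resource_iteration_event = guest + reporter + developer + maintainer + owner
    permission read_resource_milestone_event = guest + reporter + developer + maintainer + owner
    permission read_resource_label_event = guest + reporter + developer + maintainer + owner
    permission admin_group_model_selection = owner
    permission read_event = guest + reporter + developer + maintainer + owner
    permission use_quick_actions = guest + reporter + developer + maintainer + owner
    permission use_slash_commands = guest + reporter + developer + maintainer + owner
    permission receive_notifications = guest + reporter + developer + maintainer + owner
}

// A GitLab project. Besides member roles it carries non-user principals
// (CI job tokens, deploy tokens, project bots) and two visibility relations
// (public_access as a wildcard, internal_access per user).
// This definition continues beyond this block; only its relations and the
// core access permissions are declared here.
definition project {
    relation ci_job_token: ci_job
    relation deploy_token: deploy_token
    relation developer: user
    relation group: group
    relation guest: user
    relation internal_access: user
    relation maintainer: user
    // NOTE(review): namespace is typed as user, so `namespace->read` below
    // resolves against the user definition, which is not shown to define a
    // read permission. The group definition above does; confirm the intended
    // subject type.
    relation namespace: user
    relation owner: user
    relation planner: user
    relation project_bot: user
    // Wildcard: any user may be granted public access as a whole.
    // NOTE(review): a permission with the same name (public_access) is
    // declared later in this definition; relation and permission names must be
    // unique within a definition — confirm and rename one of them.
    relation public_access: user:*
    relation reporter: user

    // Core access permissions
    permission read_project = guest + reporter + developer + maintainer + owner + group->read + namespace->read + public_access + internal_access
    permission guest_access = guest + reporter + developer + maintainer + owner
    permission reporter_access = reporter + developer + maintainer + owner
    permission developer_access = developer + maintainer + owner
    permission maintainer_access = maintainer + owner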
permission owner_access = owner permission planner_access = planner + reporter + developer + maintainer + owner permission public_access = public_access permission public_user_access = public_access + internal_access permission project_bot_access = project_bot permission build_read_project = ci_job_token permission read_project_for_iids = guest + reporter + developer + maintainer + owner + group->read // Administrative permissions permission admin_project = owner + group->admin_group permission archive_project = owner permission remove_project = owner + group->admin_group permission change_visibility_level = owner + group->admin_group permission change_namespace = owner permission rename_project = maintainer + owner permission set_emails_disabled = owner permission set_show_diff_preview_in_email = owner permission set_show_default_award_emojis = owner permission set_warn_about_potentially_unwanted_characters = owner permission manage_owners = owner // Code and repository permissions permission read_code = guest + reporter + developer + maintainer + owner + ci_job_token + deploy_token + group->read permission download_code = guest + reporter + developer + maintainer + owner + ci_job_token + deploy_token permission build_download_code = guest + ci_job_token permission download_code_spp_repository = developer + maintainer + owner permission push_code = developer + maintainer + owner permission build_push_code = ci_job_token permission push_code_to_protected_branches = maintainer + owner permission push_to_delete_protected_branch = maintainer + owner permission fork_project = reporter + developer + maintainer + owner permission link_forked_project = developer + maintainer + owner permission remove_fork_project = owner // Wiki permissions permission create_wiki = developer + maintainer + owner permission admin_wiki = maintainer + owner permission read_wiki = guest + reporter + developer + maintainer + owner permission read_wiki_page = guest + reporter + developer + 
maintainer + owner permission download_wiki_code = reporter + developer + maintainer + owner // Snippet permissions permission create_snippet = developer + maintainer + owner permission admin_snippet = maintainer + owner permission read_snippet = guest + reporter + developer + maintainer + owner permission update_snippet = maintainer + owner // Milestone permissions permission admin_milestone = reporter + developer + maintainer + owner permission read_milestone = guest + reporter + developer + maintainer + owner permission read_resource_milestone_event = guest + reporter + developer + maintainer + owner // Label permissions permission admin_label = reporter + developer + maintainer + owner permission read_label = guest + reporter + developer + maintainer + owner permission read_resource_label_event = guest + reporter + developer + maintainer + owner // Branch and tag permissions permission admin_tag = maintainer + owner permission delete_tag = maintainer + owner permission create_branch_rule = maintainer + owner permission read_branch_rule = guest + reporter + developer + maintainer + owner permission update_branch_rule = maintainer + owner permission destroy_branch_rule = owner permission admin_protected_branch = maintainer + owner permission create_protected_branch = maintainer + owner permission read_protected_branch = guest + reporter + developer + maintainer + owner permission update_protected_branch = maintainer + owner permission destroy_protected_branch = owner permission create_protected_tags = maintainer + owner permission read_protected_tags = guest + reporter + developer + maintainer + owner permission update_protected_tags = maintainer + owner permission destroy_protected_tags = owner permission manage_protected_tags = maintainer + owner permission admin_target_branch_rule = owner permission read_target_branch_rule = guest + reporter + developer + maintainer + owner permission update_squash_option = developer + maintainer + owner permission 
create_squash_option = developer + maintainer + owner permission read_squash_option = guest + reporter + developer + maintainer + owner permission destroy_squash_option = owner // CI/CD permissions permission read_build = reporter + developer + maintainer + owner + ci_job_token permission create_build = developer + maintainer + owner permission update_build = developer + maintainer + owner permission cancel_build = developer + maintainer + owner permission erase_build = maintainer + owner permission play_job = developer + maintainer + owner permission read_job_artifacts = reporter + developer + maintainer + owner + ci_job_token permission destroy_artifacts = maintainer + owner permission admin_build = maintainer + owner permission create_pipeline = developer + maintainer + owner + ci_job_token permission create_bot_pipeline = developer + maintainer + owner permission read_pipeline = guest + reporter + developer + maintainer + owner permission update_pipeline = developer + maintainer + owner permission cancel_pipeline = developer + maintainer + owner permission destroy_pipeline = owner permission admin_pipeline = maintainer + owner permission read_pipeline_variable = developer + maintainer + owner permission set_pipeline_variables = developer + maintainer + owner permission read_pipeline_metadata = reporter + developer + maintainer + owner permission admin_cicd_variables = maintainer + owner + group->admin_cicd_variables permission change_restrict_user_defined_variables = owner // Pipeline schedule permissions permission create_pipeline_schedule = developer + maintainer + owner permission read_pipeline_schedule = reporter + developer + maintainer + owner permission update_pipeline_schedule = developer + maintainer + owner permission admin_pipeline_schedule = maintainer + owner permission play_pipeline_schedule = developer + maintainer + owner permission take_ownership_pipeline_schedule = developer + maintainer + owner permission read_pipeline_schedule_variables = 
developer + maintainer + owner permission read_ci_pipeline_schedules_plan_limit = reporter + developer + maintainer + owner // Commit status permissions permission create_commit_status = developer + maintainer + owner permission read_commit_status = reporter + developer + maintainer + owner permission update_commit_status = developer + maintainer + owner permission admin_commit_status = maintainer + owner // Issue permissions permission create_issue = guest + reporter + developer + maintainer + owner permission read_issue = guest + reporter + developer + maintainer + owner permission update_issue = reporter + developer + maintainer + owner permission admin_issue = reporter + developer + maintainer + owner permission destroy_issue = owner permission reopen_issue = reporter + developer + maintainer + owner permission set_issue_iid = owner permission set_issue_created_at = owner permission set_issue_updated_at = owner permission set_issue_metadata = reporter + developer + maintainer + owner permission set_issue_crm_contacts = reporter + developer + maintainer + owner permission set_confidentiality = reporter + developer + maintainer + owner permission read_issue_iid = guest + reporter + developer + maintainer + owner permission create_incident = reporter + developer + maintainer + owner permission import_issues = developer + maintainer + owner permission export_work_items = reporter + developer + maintainer + owner permission import_work_items = developer + maintainer + owner permission clone_issue = reporter + developer + maintainer + owner permission move_issue = reporter + developer + maintainer + owner permission promote_to_epic = reporter + developer + maintainer + owner permission read_confidential_issues = reporter + developer + maintainer + owner permission mark_issue_for_publication = maintainer + owner // Work item permissions permission create_work_item = guest + reporter + developer + maintainer + owner permission read_work_item = guest + reporter + 
developer + maintainer + owner permission update_work_item = reporter + developer + maintainer + owner permission admin_work_item = reporter + developer + maintainer + owner permission delete_work_item = owner permission clone_work_item = reporter + developer + maintainer + owner permission move_work_item = reporter + developer + maintainer + owner permission set_work_item_metadata = reporter + developer + maintainer + owner permission admin_work_item_link = maintainer + owner permission admin_parent_link = maintainer + owner permission read_work_item_type = guest + reporter + developer + maintainer + owner permission read_work_item_status = guest + reporter + developer + maintainer + owner permission create_task = guest + reporter + developer + maintainer + owner permission create_key_result = developer + maintainer + owner permission create_objective = developer + maintainer + owner // Issue board permissions permission admin_issue_board = reporter + developer + maintainer + owner permission read_issue_board = guest + reporter + developer + maintainer + owner permission admin_issue_board_list = reporter + developer + maintainer + owner permission read_issue_board_list = guest + reporter + developer + maintainer + owner permission create_non_backlog_issues = reporter + developer + maintainer + owner // Issue link permissions permission admin_issue_link = reporter + developer + maintainer + owner permission read_issue_link = guest + reporter + developer + maintainer + owner permission admin_issue_relation = reporter + developer + maintainer + owner permission create_external_issue_link = developer + maintainer + owner // Merge request permissions permission create_merge_request_from = developer + maintainer + owner permission create_merge_request_in = developer + maintainer + owner permission read_merge_request = guest + reporter + developer + maintainer + owner permission update_merge_request = developer + maintainer + owner permission admin_merge_request = 
developer + maintainer + owner permission accept_merge_request = maintainer + owner permission approve_merge_request = developer + maintainer + owner permission destroy_merge_request = owner permission reopen_merge_request = developer + maintainer + owner permission read_merge_request_iid = guest + reporter + developer + maintainer + owner permission set_merge_request_metadata = developer + maintainer + owner permission create_merge_request_approval_rules = maintainer + owner permission update_approvers = maintainer + owner permission admin_merge_request_approval_settings = owner permission reset_merge_request_approvals = maintainer + owner permission modify_approvers_rules = owner permission modify_merge_request_author_setting = owner permission modify_merge_request_committer_setting = owner permission manage_merge_request_settings = owner permission read_approval_rule = reporter + developer + maintainer + owner permission update_approval_rule = maintainer + owner permission edit_approval_rule = maintainer + owner permission read_approvers = reporter + developer + maintainer + owner permission read_merge_request_closing_issue = guest + reporter + developer + maintainer + owner permission read_merge_train = reporter + developer + maintainer + owner permission read_merge_train_car = reporter + developer + maintainer + owner permission delete_merge_train_car = maintainer + owner // Design permissions permission create_design = reporter + developer + maintainer + owner permission read_design = guest + reporter + developer + maintainer + owner permission update_design = developer + maintainer + owner permission destroy_design = developer + maintainer + owner permission move_design = developer + maintainer + owner permission read_design_activity = guest + reporter + developer + maintainer + owner // Container and package permissions permission read_container_image = reporter + developer + maintainer + owner + ci_job_token permission create_container_image = developer + 
maintainer + owner permission update_container_image = developer + maintainer + owner permission admin_container_image = maintainer + owner permission destroy_container_image = maintainer + owner permission destroy_container_image_tag = maintainer + owner permission build_read_container_image = guest + ci_job_token permission create_container_registry_protection_immutable_tag_rule = owner permission destroy_container_registry_protection_tag_rule = developer + maintainer + owner permission enable_container_scanning_for_registry = owner permission read_package = reporter + developer + maintainer + owner permission create_package = developer + maintainer + owner permission destroy_package = maintainer + owner permission admin_package = maintainer + owner permission read_package_within_public_registries = guest + reporter + developer + maintainer + owner permission view_package_registry_project_settings = reporter + developer + maintainer + owner // Deploy token permissions permission create_deploy_token = maintainer + owner permission read_deploy_token = maintainer + owner permission destroy_deploy_token = maintainer + owner permission update_deploy_token = maintainer + owner permission manage_deploy_tokens = maintainer + owner // Environment and deployment permissions permission create_environment = developer + maintainer + owner permission read_environment = reporter + developer + maintainer + owner permission update_environment = developer + maintainer + owner permission admin_environment = maintainer + owner permission destroy_environment = developer + maintainer + owner permission stop_environment = developer + maintainer + owner permission create_environment_terminal = maintainer + owner permission create_deployment = developer + maintainer + owner permission read_deployment = reporter + developer + maintainer + owner permission update_deployment = developer + maintainer + owner permission admin_deployment = maintainer + owner permission destroy_deployment = 
maintainer + owner permission approve_deployment = maintainer + owner permission admin_protected_environments = owner permission read_freeze_period = reporter + developer + maintainer + owner permission create_freeze_period = maintainer + owner permission update_freeze_period = maintainer + owner permission destroy_freeze_period = maintainer + owner // Feature flag permissions permission create_feature_flag = developer + maintainer + owner permission read_feature_flag = reporter + developer + maintainer + owner permission update_feature_flag = developer + maintainer + owner permission admin_feature_flag = maintainer + owner permission destroy_feature_flag = developer + maintainer + owner permission admin_feature_flags_client = maintainer + owner permission admin_feature_flags_user_lists = maintainer + owner permission admin_feature_flags_issue_links = maintainer + owner // Security and vulnerability permissions permission read_vulnerability = reporter + developer + maintainer + owner permission admin_vulnerability = developer + maintainer + owner + group->admin_vulnerability permission create_vulnerability_feedback = developer + maintainer + owner permission read_vulnerability_feedback = reporter + developer + maintainer + owner permission update_vulnerability_feedback = developer + maintainer + owner permission destroy_vulnerability_feedback = developer + maintainer + owner permission read_vulnerability_scanner = reporter + developer + maintainer + owner permission read_vulnerability_merge_request_link = reporter + developer + maintainer + owner permission admin_vulnerability_merge_request_link = developer + maintainer + owner permission admin_vulnerability_issue_link = developer + maintainer + owner permission admin_vulnerability_external_issue_link = developer + maintainer + owner permission create_vulnerability_export = developer + maintainer + owner permission read_vulnerability_export = developer + maintainer + owner permission 
create_vulnerability_archive_export = developer + maintainer + owner permission read_vulnerability_archive_export = developer + maintainer + owner permission create_vulnerability_state_transition = developer + maintainer + owner permission read_vulnerability_representation_information = reporter + developer + maintainer + owner permission resolve_vulnerability_with_ai = developer + maintainer + owner permission read_vulnerability_statistics = reporter + developer + maintainer + owner // Security scanning permissions permission access_security_and_compliance = developer + maintainer + owner permission access_security_scans_api = developer + maintainer + owner permission read_security_dashboard = reporter + developer + maintainer + owner permission read_project_security_dashboard = reporter + developer + maintainer + owner permission add_project_to_instance_security_dashboard = owner permission read_instance_security_dashboard = owner permission read_security_configuration = developer + maintainer + owner permission read_security_orchestration_policies = developer + maintainer + owner permission read_security_orchestration_policy_project = developer + maintainer + owner permission update_security_orchestration_policy_project = owner permission modify_security_policy = owner permission admin_security_testing = owner permission manage_security_settings = owner permission read_security_settings = reporter + developer + maintainer + owner permission read_security_inventory = developer + maintainer + owner permission read_security_resource = developer + maintainer + owner permission read_project_security_exclusions = developer + maintainer + owner permission manage_project_security_exclusions = owner permission enable_continuous_vulnerability_scans = owner permission configure_secret_detection_validity_checks = owner permission read_secret_detection_validity_checks_status = developer + maintainer + owner permission read_secret_push_protection_info = developer + maintainer 
+ owner permission enable_secret_push_protection = owner permission read_coverage_fuzzing = developer + maintainer + owner permission create_coverage_fuzzing_corpus = developer + maintainer + owner // Release permissions permission create_release = developer + maintainer + owner permission read_release = guest + reporter + developer + maintainer + owner permission update_release = developer + maintainer + owner permission destroy_release = maintainer + owner permission read_release_evidence = guest + reporter + developer + maintainer + owner // Runner permissions permission admin_runner = owner + group->admin_runner permission read_runner = reporter + developer + maintainer + owner permission update_runner = owner permission delete_runner = owner permission assign_runner = maintainer + owner permission create_runner = maintainer + owner permission register_project_runners = maintainer + owner permission admin_project_runners = maintainer + owner permission read_project_runners = reporter + developer + maintainer + owner permission read_runners_registration_token = maintainer + owner permission update_runners_registration_token = maintainer + owner permission read_runner_usage = owner permission read_runner_cloud_provisioning_info = owner permission read_runner_gke_provisioning_info = owner permission provision_cloud_runner = owner permission provision_gke_runner = owner // Pages permissions permission admin_pages = maintainer + owner permission read_pages = maintainer + owner permission update_pages = maintainer + owner permission remove_pages = maintainer + owner permission read_pages_content = guest + reporter + developer + maintainer + owner permission read_pages_deployments = reporter + developer + maintainer + owner permission update_pages_deployments = maintainer + owner permission pages_multiple_versions = maintainer + owner // Terraform state permissions permission read_terraform_state = developer + maintainer + owner permission admin_terraform_state = 
maintainer + owner // Analytics permissions permission read_analytics = reporter + developer + maintainer + owner permission read_insights = reporter + developer + maintainer + owner permission read_ci_cd_analytics = reporter + developer + maintainer + owner permission read_code_review_analytics = reporter + developer + maintainer + owner permission read_issue_analytics = reporter + developer + maintainer + owner permission read_project_merge_request_analytics = reporter + developer + maintainer + owner permission read_combined_project_analytics_dashboards = reporter + developer + maintainer + owner permission read_project_level_value_stream_dashboard_overview_counts = reporter + developer + maintainer + owner permission view_productivity_analytics = reporter + developer + maintainer + owner permission read_cycle_analytics = reporter + developer + maintainer + owner permission read_repository_graphs = reporter + developer + maintainer + owner permission read_statistics = reporter + developer + maintainer + owner permission daily_statistics = reporter + developer + maintainer + owner permission read_build_report_results = reporter + developer + maintainer + owner permission use_project_statistics_filters = reporter + developer + maintainer + owner permission admin_value_stream = owner // AI/Duo permissions permission access_duo_features = developer + maintainer + owner + group->access_duo_features permission access_duo_chat = developer + maintainer + owner permission access_ai_review_mr = developer + maintainer + owner permission access_duo_agentic_chat = developer + maintainer + owner permission access_duo_core_features = developer + maintainer + owner permission access_description_composer = developer + maintainer + owner permission access_summarize_new_merge_request = developer + maintainer + owner permission access_summarize_review = developer + maintainer + owner permission access_generate_commit_message = developer + maintainer + owner permission duo_workflow 
= developer + maintainer + owner permission trigger_amazon_q = developer + maintainer + owner permission generate_description = developer + maintainer + owner permission generate_cube_query = developer + maintainer + owner permission read_ai_agents = reporter + developer + maintainer + owner permission write_ai_agents = developer + maintainer + owner // Model registry permissions (ML) permission read_model_experiments = reporter + developer + maintainer + owner permission write_model_experiments = developer + maintainer + owner permission read_model_registry = reporter + developer + maintainer + owner permission write_model_registry = developer + maintainer + owner // Observability permissions permission read_observability = reporter + developer + maintainer + owner permission write_observability = developer + maintainer + owner // Compliance permissions permission admin_compliance_framework = owner + group->admin_compliance_framework permission read_compliance_framework = reporter + developer + maintainer + owner permission read_compliance_dashboard = reporter + developer + maintainer + owner permission read_compliance_adherence_report = developer + maintainer + owner permission read_compliance_violations_report = developer + maintainer + owner permission read_project_audit_events = owner // Member and access permissions permission admin_project_member = maintainer + owner permission read_project_member = guest + reporter + developer + maintainer + owner permission update_project_member = maintainer + owner permission destroy_project_member = owner permission destroy_project_bot_member = owner permission invite_member = maintainer + owner permission invite_project_members = maintainer + owner permission import_project_members_from_another_project = maintainer + owner permission admin_member_access_request = maintainer + owner permission read_member_access_request = guest + reporter + developer + maintainer + owner permission withdraw_member_access_request = guest 
+ reporter + developer + maintainer + owner permission override_group_member = owner permission destroy_group_member = owner permission destroy_project_group_link = owner permission manage_group_link_with_owner_access = owner permission read_shared_with_group = guest + reporter + developer + maintainer + owner // Note and comment permissions permission create_note = guest + reporter + developer + maintainer + owner permission read_note = guest + reporter + developer + maintainer + owner permission update_note = guest + reporter + developer + maintainer + owner permission admin_note = maintainer + owner permission resolve_note = developer + maintainer + owner permission reposition_note = developer + maintainer + owner permission mark_note_as_internal = reporter + developer + maintainer + owner permission set_note_created_at = owner permission read_internal_note = reporter + developer + maintainer + owner permission award_emoji = guest + reporter + developer + maintainer + owner permission summarize_comments = developer + maintainer + owner permission measure_comment_temperature = developer + maintainer + owner // Webhook permissions permission admin_web_hook = owner permission read_web_hook = maintainer + owner // Upload permissions permission upload_file = guest + reporter + developer + maintainer + owner permission read_upload = guest + reporter + developer + maintainer + owner permission destroy_upload = maintainer + owner permission admin_upload = owner // Project settings permissions permission admin_project_aws = owner permission admin_project_google_cloud = owner permission admin_project_secrets_manager = owner permission admin_google_cloud_artifact_registry = owner permission read_google_cloud_artifact_registry = reporter + developer + maintainer + owner permission update_max_artifacts_size = owner permission set_pipeline_variables = developer + maintainer + owner permission change_commit_committer_check = owner permission change_commit_committer_name_check 
= owner permission read_commit_committer_check = reporter + developer + maintainer + owner permission read_commit_committer_name_check = reporter + developer + maintainer + owner permission change_push_rules = owner permission admin_push_rules = owner permission change_reject_unsigned_commits = owner permission change_reject_non_dco_commits = owner permission read_reject_unsigned_commits = reporter + developer + maintainer + owner permission read_reject_non_dco_commits = reporter + developer + maintainer + owner // Integration permissions permission admin_integrations = maintainer + owner permission create_jira_connect_subscription = owner permission admin_operations = maintainer + owner permission admin_sentry = maintainer + owner permission read_sentry_issue = reporter + developer + maintainer + owner permission update_sentry_issue = developer + maintainer + owner // Misc permissions permission add_catalog_resource = owner permission publish_catalog_version = developer + maintainer + owner permission read_namespace_catalog = guest + reporter + developer + maintainer + owner permission create_project = developer + maintainer + owner permission request_access = guest permission read_project_metadata = guest + reporter + developer + maintainer + owner permission view_edit_page = developer + maintainer + owner permission metrics_dashboard = reporter + developer + maintainer + owner permission read_operations_dashboard = owner permission use_k = developer + maintainer + owner permission use_quick_actions = guest + reporter + developer + maintainer + owner permission use_slash_commands = guest + reporter + developer + maintainer + owner permission create_timelog = reporter + developer + maintainer + owner permission admin_timelog = owner permission read_timelog_category = guest + reporter + developer + maintainer + owner permission create_todo = guest + reporter + developer + maintainer + owner permission update_todo = guest + reporter + developer + maintainer + owner 
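// Second half of the permission list for this definition (the `definition`
// header and its relation declarations are above this run). Every permission
// here is a union of the role relations (guest, reporter, developer,
// maintainer, owner) declared on the definition; none of them use intersection
// or exclusion, so membership in a higher role always implies the lower ones
// only where the expression lists it explicitly.
//
// NOTE(review): four names that were re-declared in this run
// (`export_work_items`, `import_work_items`, `build_read_container_image`,
// `set_issue_crm_contacts`) are already declared earlier in this definition
// with identical expressions; the SpiceDB schema compiler rejects a duplicate
// relation/permission name within one definition, so the repeats are dropped
// here and the earlier declarations are the ones that remain. The names
// `receive_notifications`, `update_deploy_key`, `update_deploy_key_title`,
// `update_deploy_keys_project`, `access_x_ray_on_instance`, `edit_billing`,
// `update_escalation_status`, `edit_on_demand_dast_scan`,
// `read_software_license_policy` and `admin_software_license_policy` are
// declared here for the first time and re-declared again after this run;
// those later copies need the same treatment before the schema will compile.
permission read_todo = guest + reporter + developer + maintainer + owner
permission update_subscription = guest + reporter + developer + maintainer + owner
permission delete_project_subscription = owner
permission report_spam = guest + reporter + developer + maintainer + owner
permission read_issuable = guest + reporter + developer + maintainer + owner
permission read_issuable_participables = guest + reporter + developer + maintainer + owner
permission read_issuable_resource_link = guest + reporter + developer + maintainer + owner
permission admin_issuable_resource_link = developer + maintainer + owner
permission read_issuable_metric_image = reporter + developer + maintainer + owner
permission update_issuable_metric_image = developer + maintainer + owner
permission upload_issuable_metric_image = developer + maintainer + owner
permission destroy_issuable_metric_image = developer + maintainer + owner
permission read_incident_management_timeline_event = reporter + developer + maintainer + owner
permission admin_incident_management_timeline_event = developer + maintainer + owner
permission edit_incident_management_timeline_event = developer + maintainer + owner
permission read_incident_management_timeline_event_tag = reporter + developer + maintainer + owner
permission admin_incident_management_timeline_event_tag = maintainer + owner
permission read_incident_management_escalation_policy = reporter + developer + maintainer + owner
permission admin_incident_management_escalation_policy = maintainer + owner
permission read_incident_management_oncall_schedule = reporter + developer + maintainer + owner
permission admin_incident_management_oncall_schedule = maintainer + owner
permission update_escalation_status = developer + maintainer + owner
permission read_alert_management_alert = reporter + developer + maintainer + owner
permission update_alert_management_alert = developer + maintainer + owner
permission read_alert_management_metric_image = reporter + developer + maintainer + owner
permission update_alert_management_metric_image = developer + maintainer + owner
permission upload_alert_management_metric_image = developer + maintainer + owner
permission destroy_alert_management_metric_image = developer + maintainer + owner
permission publish_status_page = developer + maintainer + owner
permission rollover_issues = owner
// Resource access token permissions
// Token creation/destruction is owner-only while listing is maintainer+owner,
// which matches the split between the read and the manage/create/destroy
// permissions elsewhere in this definition.
permission read_resource_access_tokens = maintainer + owner
permission create_resource_access_tokens = owner
permission destroy_resource_access_tokens = owner
permission manage_resource_access_tokens = owner
permission admin_setting_to_allow_resource_access_token_creation = owner
// Path lock permissions
permission create_path_lock = developer + maintainer + owner
permission read_path_locks = guest + reporter + developer + maintainer + owner
permission admin_path_locks = maintainer + owner
permission destroy_path_lock = developer + maintainer + owner
// On-demand DAST scan permissions
permission create_on_demand_dast_scan = developer + maintainer + owner
permission read_on_demand_dast_scan = developer + maintainer + owner
permission edit_on_demand_dast_scan = developer + maintainer + owner
// Requirement permissions
permission create_requirement = reporter + developer + maintainer + owner
permission read_requirement = reporter + developer + maintainer + owner
permission update_requirement = reporter + developer + maintainer + owner
permission admin_requirement = maintainer + owner
permission destroy_requirement = maintainer + owner
permission import_requirements = developer + maintainer + owner
permission export_requirements = reporter + developer + maintainer + owner
permission create_requirement_test_report = reporter + developer + maintainer + owner
// Test case permissions
permission create_test_case = reporter + developer + maintainer + owner
// Secure file permissions
permission read_secure_files = developer + maintainer + owner
permission admin_secure_files = maintainer + owner
// License policy permissions
permission read_software_license_policy = reporter + developer + maintainer + owner
permission admin_software_license_policy = maintainer + owner
// Mirror permissions
permission admin_mirror = owner
permission admin_remote_mirror = owner
// Trigger permissions
permission admin_trigger = owner
permission manage_trigger = owner
// Cluster permissions
permission read_cluster = reporter + developer + maintainer + owner
permission add_cluster = maintainer + owner
permission create_cluster = maintainer + owner
permission update_cluster = maintainer + owner
permission admin_cluster = owner
permission read_cluster_agent = reporter + developer + maintainer + owner
permission read_cluster_environments = reporter + developer + maintainer + owner
// Prometheus and monitoring permissions
permission read_prometheus = reporter + developer + maintainer + owner
permission read_grafana = reporter + developer + maintainer + owner
permission read_pod_logs = developer + maintainer + owner
// Harbor registry permissions
permission read_harbor_registry = reporter + developer + maintainer + owner
// Build service proxy permissions
permission build_service_proxy_enabled = developer + maintainer + owner
permission create_build_service_proxy = developer + maintainer + owner
// Web IDE permissions
permission create_web_ide_terminal = developer + maintainer + owner
permission read_web_ide_terminal = developer + maintainer + owner
permission update_web_ide_terminal = developer + maintainer + owner
// Resource group permissions
permission read_resource_group = reporter + developer + maintainer + owner
permission update_resource_group = developer + maintainer + owner
// Deploy board permissions
permission read_deploy_board = reporter + developer + maintainer + owner
// External email permissions
permission read_external_emails = reporter + developer + maintainer + owner
// Import/Export permissions
// `export_work_items` and `import_work_items` are declared in the issue
// section of this definition; not repeated here (duplicate names do not compile).
permission read_import_error = owner
// Saved replies permissions
permission create_saved_replies = developer + maintainer + owner
permission read_saved_replies = guest + reporter + developer + maintainer + owner
permission update_saved_replies = developer + maintainer + owner
permission destroy_saved_replies = developer + maintainer + owner
// Other permissions
permission cache_blob = guest + reporter + developer + maintainer + owner
permission read_blob = guest + reporter + developer + maintainer + owner
permission read_commit = guest + reporter + developer + maintainer + owner
permission read_build_trace = developer + maintainer + owner
permission read_build_metadata = developer + maintainer + owner
permission jailbreak = owner
// `build_read_container_image` (guest + ci_job_token) is declared in the
// container section of this definition; not repeated here.
permission apply_suggestion = developer + maintainer + owner
permission read_project_subscription = guest + reporter + developer + maintainer + owner
permission read_storage_disk_path = owner
permission read_dora = reporter + developer + maintainer + owner
permission read_product_analytics = reporter + developer + maintainer + owner
permission modify_product_analytics_settings = owner
permission read_counts = reporter + developer + maintainer + owner
permission read_dependency = guest + reporter + developer + maintainer + owner
permission read_lifecycle = reporter + developer + maintainer + owner
permission read_usage_quotas = owner
permission read_limit_alert = owner
permission read_licenses = owner
permission read_scan = developer + maintainer + owner
permission read_event = guest + reporter + developer + maintainer + owner
permission read_parent = guest + reporter + developer + maintainer + owner
permission read_namespace = guest + reporter + developer + maintainer + owner
permission read_namespace_via_membership = guest + reporter + developer + maintainer + owner
permission read_nested_project_resources = guest + reporter + developer + maintainer + owner
permission view_globally = guest + reporter + developer + maintainer + owner
permission receive_notifications = guest + reporter + developer + maintainer + owner
permission read_enterprise_ai_analytics = reporter + developer + maintainer + owner
permission read_pro_ai_analytics = reporter + developer + maintainer + owner
permission read_component = guest + reporter + developer + maintainer + owner
permission read_component_version = guest + reporter + developer + maintainer + owner
// NOTE(review): `read_application_setting` looks like an instance-scope
// ability; binding it to `owner` here authorizes every owner of this resource
// for it — confirm it belongs in this definition rather than an instance one.
permission read_application_setting = owner
permission read_resource_state_event = guest + reporter + developer + maintainer + owner
permission read_resource_weight_event = guest + reporter + developer + maintainer + owner
permission read_resource_iteration_event = guest + reporter + developer + maintainer + owner
permission read_resource_milestone_event = guest + reporter + developer + maintainer + owner
permission read_resource_label_event = guest + reporter + developer + maintainer + owner
permission read_deploy_key = maintainer + owner
permission update_deploy_key = maintainer + owner
permission update_deploy_key_title = maintainer + owner
permission update_deploy_keys_project = maintainer + owner
permission read_custom_emoji = guest + reporter + developer + maintainer + owner
permission create_custom_emoji = developer + maintainer + owner
permission delete_custom_emoji = owner
permission read_external_status_check = reporter + developer + maintainer + owner
permission read_external_status_check_response = developer + maintainer + owner
permission provide_status_check_response = developer + maintainer + owner
permission retry_failed_status_checks = developer + maintainer + owner
permission read_jobs_statistics = reporter + developer + maintainer + owner
permission read_finding_token_status = developer + maintainer + owner
permission read_ci_minutes_limited_summary = reporter + developer + maintainer + owner
permission admin_ci_minutes = owner
permission create_build_terminal = developer + maintainer + owner
permission read_builds = reporter + developer + maintainer + owner
permission read_user_achievement = guest + reporter + developer + maintainer + owner
permission destroy_user_achievement = owner
permission read_abuse_report = owner
permission read_emoji = guest + reporter + developer + maintainer + owner
permission read_dependency_list_export = developer + maintainer + owner
permission create_workspace = developer + maintainer + owner
permission read_workspace = developer + maintainer + owner
permission update_workspace = developer + maintainer + owner
permission read_workspace_variable = developer + maintainer + owner
permission read_workspaces_agent_config = developer + maintainer + owner
permission access_workspaces_feature = developer + maintainer + owner
permission modify_value_stream_dashboard_settings = owner
permission read_achievement = guest + reporter + developer + maintainer + owner
permission award_achievement = owner
permission admin_achievement = owner
permission read_all_workspaces = owner
permission read_crm_contact = reporter + developer + maintainer + owner
permission read_crm_contacts = reporter + developer + maintainer + owner
// `set_issue_crm_contacts` is declared in the issue section of this
// definition; not repeated here.
permission admin_crm_contact = reporter + developer + maintainer + owner
permission read_crm_organization = reporter + developer + maintainer + owner
permission admin_crm_organization = reporter + developer + maintainer + owner
permission read_custom_field = guest + reporter + developer + maintainer + owner
permission admin_custom_field = owner
permission read_confidential_epic = reporter + developer + maintainer + owner
permission read_epic_iid = guest + reporter + developer + maintainer + owner
permission read_epic_relation = guest + reporter + developer + maintainer + owner
permission read_epic_link_relation = guest + reporter + developer + maintainer + owner
permission admin_epic_relation = developer + maintainer + owner
permission admin_epic_link_relation = developer + maintainer + owner
permission admin_epic_tree_relation = developer + maintainer + owner
permission read_duo_workflow_event = developer + maintainer + owner
// NOTE(review): the block below (geo, instance metadata, billing, licensing,
// SAML identity, admin area) names abilities that are instance- or
// account-scoped rather than tied to this resource. Granting them to `owner`
// means any owner of any object of this definition is authorized for them,
// which is broader than a per-resource role should confer. The `read_admin_*`
// and `create_instance_runner` grants that follow this run have the same
// shape — presumably these belong in an instance-level definition with an
// admin relation; confirm against the source policies.
permission read_geo_node = owner
permission read_geo_registry = owner
permission read_all_geo = owner
permission read_virtual_registry = guest + reporter + developer + maintainer + owner
permission read_application_statistics = owner
permission read_instance_metadata = owner
permission read_cloud_connector_status = owner
permission read_usage_trends_measurement = owner
permission read_billable_member = owner
permission read_billing = owner
permission edit_billing = owner
permission start_trial = owner
permission read_licensed_seat = owner
permission admin_licensed_seat = owner
permission read_member_role = guest + reporter + developer + maintainer + owner
permission admin_member_role = owner
permission view_member_roles = guest + reporter + developer + maintainer + owner
// NOTE(review): `link`, `unlink`, `sign_in_with_saml_provider`, `log_in`,
// `accept_terms` and `decline_terms` read like per-user (subject-bound)
// abilities; this definition has no relation that ties them to the acting
// user, so the role-union expressions grant them to every member — verify
// this is intended or that the check happens in a user-scoped definition.
permission link = guest + reporter + developer + maintainer + owner
permission unlink = guest + reporter + developer + maintainer + owner
permission sign_in_with_saml_provider = guest + reporter + developer + maintainer + owner
permission read_saml_user = owner
permission read_group_saml_identity = owner
permission log_in = guest + reporter + developer + maintainer + owner
permission accept_terms = guest + reporter + developer + maintainer + owner
permission decline_terms = guest + reporter + developer + maintainer + owner
permission access_admin_area = owner
permission access_api = guest + reporter + developer + maintainer + owner
permission access_git = guest + reporter + developer + maintainer + owner
permission access_x_ray_on_instance = owner
permission access_advanced_vulnerability_management = developer + maintainer + owner
permission access_code_suggestions = developer + maintainer + owner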
permission access_glab_ask_git_command = developer + maintainer + owner permission execute_graphql_mutation = guest + reporter + developer + maintainer + owner permission receive_notifications = guest + reporter + developer + maintainer + owner permission approve_user = owner permission reject_user = owner permission block_pipl_user = owner permission delete_pipl_user = owner permission view_instance_devops_adoption = owner permission manage_devops_adoption_namespaces = owner permission read_admin_role = owner permission create_admin_role = owner permission update_admin_role = owner permission delete_admin_role = owner permission destroy_licenses = owner permission export_user_permissions = owner permission manage_subscription = owner permission manage_duo_core_settings = owner permission read_duo_core_settings = owner permission manage_self_hosted_models_settings = owner permission read_self_hosted_models_settings = owner permission manage_ldap_admin_links = owner permission read_runner_upgrade_status = owner permission read_custom_attribute = owner permission update_custom_attribute = owner permission read_users_list = owner permission read_admin_users = owner permission read_admin_subscription = owner permission read_admin_system_information = owner permission read_admin_health_check = owner permission read_admin_background_jobs = owner permission read_admin_background_migrations = owner permission read_admin_cicd = owner permission read_admin_gitaly_servers = owner permission read_admin_metrics_dashboard = owner permission create_instance_runner = owner permission update_max_pages_size = owner permission delete_merge_train_car = maintainer + owner permission provision_cloud_runner = owner permission provision_gke_runner = owner permission list_subgroup_epics = reporter + developer + maintainer + owner permission get_user_associations_count = guest + reporter + developer + maintainer + owner permission make_profile_private = guest + reporter + developer + 
maintainer + owner permission disable_two_factor = owner permission delete_conversation_thread = owner permission audit_event_definitions = owner permission delete_tag = maintainer + owner permission update_deploy_token = maintainer + owner permission update_deploy_key = maintainer + owner permission update_deploy_key_title = maintainer + owner permission update_deploy_keys_project = maintainer + owner permission create_virtual_registry = owner permission update_virtual_registry = owner permission destroy_virtual_registry = owner permission admin_dependency_proxy_packages_settings = owner permission execute_duo_workflow_in_ci = developer + maintainer + owner permission link_forked_project = developer + maintainer + owner permission access_x_ray_on_instance = owner permission read_runner_manager = owner permission read_ephemeral_token = owner permission rotate_token = owner permission revoke_token = owner permission read_token = owner permission read_user_personal_access_tokens = owner permission create_user_personal_access_token = owner permission admin_user_email_address = owner permission read_user_email_address = owner permission read_user_groups = guest + reporter + developer + maintainer + owner permission read_user_membership_counts = guest + reporter + developer + maintainer + owner permission read_user_organizations = guest + reporter + developer + maintainer + owner permission read_user_preference = guest + reporter + developer + maintainer + owner permission read_user_profile = guest + reporter + developer + maintainer + owner permission update_name = guest + reporter + developer + maintainer + owner permission update_user = owner permission update_user_status = guest + reporter + developer + maintainer + owner permission destroy_user = owner permission update_user_achievement = owner permission update_owned_user_achievement = owner permission read_usage = owner permission view_type_of_work_charts = reporter + developer + maintainer + owner permission 
admin_import_source_user = owner permission create_group_with_default_branch_protection = owner permission create_group_via_api = owner permission update_escalation_status = developer + maintainer + owner permission view_package_registry_project_settings = reporter + developer + maintainer + owner permission admin_group_model_selection = owner permission edit_on_demand_dast_scan = developer + maintainer + owner permission edit_billing = owner permission edit_group_approval_rule = owner permission edit_approval_rule = maintainer + owner permission admin_software_license_policy = maintainer + owner permission read_software_license_policy = reporter + developer + maintainer + owner permission bulk_admin_epic = owner } definition user { relation organization_member: organization relation organization_owner: organization permission admin_user = user + organization_owner permission create_user_personal_access_token = user permission manage_user_personal_access_token = user permission read_user = user + organization_member + organization_owner // Additional user permissions permission read_user_profile = user permission read_user_preference = user permission read_user_email_address = user permission admin_user_email_address = user + organization_owner permission read_user_groups = user permission read_user_organizations = user permission read_user_membership_counts = user permission read_user_personal_access_tokens = user permission update_user = user permission update_user_status = user permission update_name = user permission destroy_user = user + organization_owner permission disable_two_factor = user + organization_owner permission make_profile_private = user permission get_user_associations_count = user permission create_saved_replies = user permission read_saved_replies = user permission update_saved_replies = user permission destroy_saved_replies = user permission create_snippet = user permission read_user_achievement = user permission update_user_achievement = 
user + organization_owner permission update_owned_user_achievement = user permission destroy_user_achievement = user + organization_owner permission receive_notifications = user permission log_in = user permission access_api = user permission access_git = user permission execute_graphql_mutation = user permission use_quick_actions = user permission use_slash_commands = user permission request_access = user permission export_user_permissions = organization_owner } // Wiki resource definition wiki_page { relation project: project relation group: group relation author: user permission read_wiki_page = project->read_wiki + group->read_wiki permission create_note = project->create_note + group->create_note permission read_note = project->read_note + group->read_note permission update_subscription = project->guest_access + group->guest_access } // Snippet resource definition snippet { relation project: project relation author: user relation namespace: user permission read_snippet = author + project->read_snippet permission admin_snippet = author + project->admin_snippet permission update_snippet = author + project->update_snippet permission cache_blob = author + project->guest_access permission create_note = author + project->create_note permission read_note = project->read_note permission award_emoji = project->guest_access } // Milestone resource definition milestone { relation project: project relation group: group permission read_milestone = project->read_milestone + group->read_milestone permission admin_milestone = project->admin_milestone + group->admin_milestone permission read_resource_milestone_event = project->read_resource_milestone_event + group->read_resource_milestone_event } // Label resource definition label { relation project: project relation group: group permission read_label = project->read_label + group->read_label permission admin_label = project->admin_label + group->admin_label permission read_resource_label_event = 
project->read_resource_label_event + group->read_resource_label_event } // Tag resource definition tag { relation project: project relation creator: user permission delete_tag = project->delete_tag permission admin_tag = project->admin_tag } // Branch resource definition branch { relation project: project permission create_branch_rule = project->create_branch_rule permission read_branch_rule = project->read_branch_rule permission update_branch_rule = project->update_branch_rule permission destroy_branch_rule = project->destroy_branch_rule } // Protected branch resource definition protected_branch { relation project: project permission create_protected_branch = project->create_protected_branch permission read_protected_branch = project->read_protected_branch permission update_protected_branch = project->update_protected_branch permission destroy_protected_branch = project->destroy_protected_branch permission admin_protected_branch = project->admin_protected_branch } // Protected tag resource definition protected_tag { relation project: project permission create_protected_tags = project->create_protected_tags permission read_protected_tags = project->read_protected_tags permission update_protected_tags = project->update_protected_tags permission destroy_protected_tags = project->destroy_protected_tags permission manage_protected_tags = project->manage_protected_tags } // Pipeline schedule resource definition pipeline_schedule { relation project: project relation owner: user permission read_pipeline_schedule = project->read_pipeline_schedule permission update_pipeline_schedule = owner + project->update_pipeline_schedule permission admin_pipeline_schedule = project->admin_pipeline_schedule permission play_pipeline_schedule = owner + project->play_pipeline_schedule permission take_ownership_pipeline_schedule = project->take_ownership_pipeline_schedule permission read_pipeline_schedule_variables = project->read_pipeline_schedule_variables } // Feature flag resource 
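// Feature flag: every ability is delegated to the owning project.
definition feature_flag {
    relation project: project

    permission create_feature_flag = project->create_feature_flag
    permission read_feature_flag = project->read_feature_flag
    permission update_feature_flag = project->update_feature_flag
    permission admin_feature_flag = project->admin_feature_flag
    permission destroy_feature_flag = project->destroy_feature_flag
    permission admin_feature_flags_client = project->admin_feature_flags_client
    permission admin_feature_flags_user_lists = project->admin_feature_flags_user_lists
    permission admin_feature_flags_issue_links = project->admin_feature_flags_issue_links
}

// Alert management: delegated to the owning project.
definition alert {
    relation project: project

    permission read_alert_management_alert = project->read_alert_management_alert
    permission update_alert_management_alert = project->update_alert_management_alert
    permission read_alert_management_metric_image = project->read_alert_management_metric_image
    permission update_alert_management_metric_image = project->update_alert_management_metric_image
    permission upload_alert_management_metric_image = project->upload_alert_management_metric_image
    permission destroy_alert_management_metric_image = project->destroy_alert_management_metric_image
}

// Incident management (timeline events, escalation policies, on-call schedules):
// delegated to the owning project.
definition incident {
    relation project: project

    permission read_incident_management_timeline_event = project->read_incident_management_timeline_event
    permission admin_incident_management_timeline_event = project->admin_incident_management_timeline_event
    permission edit_incident_management_timeline_event = project->edit_incident_management_timeline_event
    permission read_incident_management_timeline_event_tag = project->read_incident_management_timeline_event_tag
    permission admin_incident_management_timeline_event_tag = project->admin_incident_management_timeline_event_tag
    permission read_incident_management_escalation_policy = project->read_incident_management_escalation_policy
    permission admin_incident_management_escalation_policy = project->admin_incident_management_escalation_policy
    permission read_incident_management_oncall_schedule = project->read_incident_management_oncall_schedule
    permission admin_incident_management_oncall_schedule = project->admin_incident_management_oncall_schedule
    permission update_escalation_status = project->update_escalation_status
}

// On-demand DAST scan: delegated to the owning project.
definition on_demand_dast_scan {
    relation project: project

    permission create_on_demand_dast_scan = project->create_on_demand_dast_scan
    permission read_on_demand_dast_scan = project->read_on_demand_dast_scan
    permission edit_on_demand_dast_scan = project->edit_on_demand_dast_scan
}

// Requirement: delegated to the owning project.
definition requirement {
    relation project: project

    permission create_requirement = project->create_requirement
    permission read_requirement = project->read_requirement
    permission update_requirement = project->update_requirement
    permission admin_requirement = project->admin_requirement
    permission destroy_requirement = project->destroy_requirement
}

// CI build (job). The `user` relation (the job's triggering user) may cancel it;
// everything else is delegated to the project.
definition build {
    relation project: project
    // NOTE(review): `pipeline` is declared but not referenced by any permission.
    relation pipeline: pipeline
    relation user: user

    permission read_build = project->read_build
    permission read_build_trace = project->read_build_trace
    permission read_build_metadata = project->read_build_metadata
    permission read_job_artifacts = project->read_job_artifacts
    permission update_build = project->update_build
    permission cancel_build = user + project->cancel_build
    permission erase_build = project->erase_build
    permission play_job = project->play_job
    permission create_build_terminal = project->create_build_terminal
    permission read_web_ide_terminal = project->read_web_ide_terminal
    permission update_web_ide_terminal = project->update_web_ide_terminal
    permission create_build_service_proxy = project->create_build_service_proxy
    permission update_commit_status = project->update_commit_status
}

// CI job token scope. A ci_job is the subject type used for CI_JOB_TOKEN checks
// (see `pipeline.ci_job_token`); its own abilities are delegated to the project.
definition ci_job {
    // NOTE(review): `pipeline` and `runner` are declared but not referenced by any
    // permission in this definition.
    relation pipeline: pipeline
    relation project: project
    relation runner: runner

    permission create_build = project->create_pipeline
    permission download_code = project->download_code
    permission read_build = project->read_build
    permission read_container_image = project->read_container_image
    permission read_project = project->read_project
    permission read_ci_minutes_limited_summary = project->read_ci_minutes_limited_summary
    permission jailbreak = project->jailbreak
}

// Pipeline. The author may cancel/update; a CI job registered as `ci_job_token`
// may update (job-token access); other abilities are delegated to the project.
definition pipeline {
    relation author: user
    relation ci_job_token: ci_job
    relation project: project

    permission admin_pipeline = project->admin_pipeline
    // NOTE(review): `project->developer` arrows into a bare relation, so only
    // subjects written directly as project developers match — maintainers and
    // owners are excluded unless the writer also records them as developers.
    // If the project definition (not in this file) exposes a `developer_access`
    // permission like the group does, prefer arrowing into that.
    permission cancel_pipeline = project->developer + author
    permission read_pipeline = project->read_project
    // Any ci_job written as this pipeline's ci_job_token can update it; confirm the
    // writer only records jobs belonging to this pipeline (or its allow-list).
    permission update_pipeline = project->developer + author + ci_job_token
    permission destroy_pipeline = project->destroy_pipeline
    permission read_pipeline_metadata = project->read_pipeline_metadata
    permission read_pipeline_variable = project->read_pipeline_variable
}

// Runner. A runner may be attached at project, group or organization scope;
// each scope contributes its own grant.
definition runner {
    relation group: group
    // NOTE(review): `instance` is declared but never referenced; `organization`
    // carries the instance-level grants below. Keep one or the other — confirm.
    relation instance: organization
    relation organization: organization
    relation project: project

    permission admin_runner = project->admin_runner + group->admin_runner + organization->admin_organization
    // Group-side role checks go through the group's *_access permissions so higher
    // roles inherit; `group->maintainer` alone would exclude owners.
    // NOTE(review): `project->maintainer` / `project->developer` are still bare
    // relation arrows — switch to the project's equivalent *_access permission if
    // the project definition provides one.
    permission assign_runner = project->maintainer + group->maintainer_access + organization->admin
    permission read_runner = project->read_project + group->read + organization->read
    permission update_runner = project->admin_runner + group->admin_runner + organization->admin
    permission delete_runner = project->admin_runner + group->admin_runner + organization->admin
    permission read_builds = project->read_build + group->developer_access + organization->admin
    // Ephemeral registration tokens are credentials: admin-level only.
    permission read_ephemeral_token = project->admin_runner + group->admin_runner + organization->admin
}

// Issue. Author and assignee may update; everything else is delegated to the project.
definition issue {
    relation assignee: user
    relation author: user
    // NOTE(review): `epic` is declared but not referenced by any permission.
    relation epic: epic
    relation project: project

    permission admin_issue = project->admin_issue
    permission create_issue = project->create_issue
    // NOTE(review): `project->reporter` is a bare relation arrow (direct reporters
    // only; developers/maintainers/owners excluded) — see the note on `pipeline`.
    permission promote_to_epic = project->reporter
    permission read_issue = project->read_project
    permission set_confidentiality = project->reporter
    permission update_issue = project->admin_issue + author + assignee
    permission reopen_issue = project->reopen_issue
    permission destroy_issue = project->destroy_issue
    permission clone_issue = project->clone_issue
    permission move_issue = project->move_issue
    permission set_issue_metadata = project->set_issue_metadata
    permission set_issue_crm_contacts = project->set_issue_crm_contacts
    permission set_issue_iid = project->set_issue_iid
    permission set_issue_created_at = project->set_issue_created_at
    permission set_issue_updated_at = project->set_issue_updated_at
    permission admin_issue_link = project->admin_issue_link
    permission read_issue_link = project->read_issue_link
    permission admin_issue_relation = project->admin_issue_relation
    permission create_note = project->create_note
    permission read_note = project->read_note
    permission admin_note = project->admin_note
    permission award_emoji = project->award_emoji
    permission create_todo = project->create_todo
    permission mark_note_as_internal = project->mark_note_as_internal
    permission read_crm_contacts = project->read_crm_contacts
    permission update_subscription = project->update_subscription
}

// Merge request. The author gets admin rights; a reviewer may approve; everything
// else is delegated to the project.
definition merge_request {
    relation assignee: user
    relation author: user
    relation project: project
    relation reviewer: user

    permission accept_merge_request = project->accept_merge_request
    // NOTE(review): `project->developer` is a bare relation arrow — see `pipeline`.
    permission admin_merge_request = project->developer + author
    // NOTE(review): `reviewer` approves regardless of any project-level permission;
    // confirm reviewers are only ever written from users who already hold
    // project->approve_merge_request, otherwise this bypasses approval rules.
    permission approve_merge_request = project->approve_merge_request + reviewer
    permission create_merge_request_from = project->create_merge_request_from
    permission read_merge_request = project->read_project
    permission update_merge_request = project->update_merge_request
    permission destroy_merge_request = project->destroy_merge_request
    permission reopen_merge_request = project->reopen_merge_request
    permission set_merge_request_metadata = project->set_merge_request_metadata
    permission create_merge_request_approval_rules = project->create_merge_request_approval_rules
    permission update_approvers = project->update_approvers
    permission reset_merge_request_approvals = project->reset_merge_request_approvals
    permission create_todo = project->create_todo
    permission mark_note_as_internal = project->mark_note_as_internal
    permission update_subscription = project->update_subscription
    permission access_generate_commit_message = project->access_generate_commit_message
    permission access_summarize_review = project->access_summarize_review
    permission provide_status_check_response = project->provide_status_check_response
    permission read_external_status_check_response = project->read_external_status_check_response
    permission retry_failed_status_checks = project->retry_failed_status_checks
}

// Epic. Role-based grants arrow into the group's *_access permissions so that
// higher roles inherit: the original `group->reporter` / `group->developer`
// matched only subjects written directly in that relation, leaving maintainers
// and owners unable to create epics or manage relations.
definition epic {
    relation assignee: user
    relation author: user
    relation group: group

    permission admin_epic = group->admin_epic + author
    permission create_epic = group->reporter_access
    permission read_epic = group->read
    permission update_epic = group->admin_epic + author + assignee
    // Owner-only operations (group->owner is the top of the hierarchy, so a bare
    // relation arrow is sufficient here).
    permission destroy_epic = group->owner
    permission set_epic_metadata = group->reporter_access
    permission set_epic_created_at = group->owner
    permission set_epic_updated_at = group->owner
    permission set_confidentiality = group->reporter_access
    permission admin_epic_relation = group->developer_access
    permission admin_epic_link_relation = group->developer_access
    permission admin_epic_tree_relation = group->developer_access
    permission create_epic_tree_relation = group->developer_access
    permission read_epic_iid = group->read
    permission read_epic_relation = group->read
    permission read_epic_link_relation = group->read
    permission create_note = group->create_note
    permission read_note = group->read_note
    permission admin_note = group->admin_note
    permission award_emoji = group->award_emoji
    permission create_todo = group->create_todo
    permission mark_note_as_internal = group->mark_note_as_internal
    permission measure_comment_temperature = group->measure_comment_temperature
    permission read_issuable = group->read
    permission read_issuable_participables = group->read
    permission resolve_note = group->developer_access
    permission summarize_comments = group->summarize_comments
}

// Work item. Mirrors `issue` for admin/create/read/update; deletion is owner-only.
definition work_item {
    relation assignee: user
    relation author: user
    relation project: project

    permission admin_work_item = project->admin_issue
    permission create_work_item = project->create_issue
    permission read_work_item = project->read_project
    permission update_work_item = project->admin_issue + author + assignee
    permission delete_work_item = project->owner
    permission clone_work_item = project->clone_work_item
    permission move_work_item = project->move_work_item
    permission set_work_item_metadata = project->set_work_item_metadata
    permission admin_work_item_link = project->admin_work_item_link
    permission admin_parent_link = project->admin_parent_link
    permission report_spam = project->report_spam
}

// Vulnerability: delegated to the owning project.
definition vulnerability {
    // NOTE(review): `author` and `finding` are declared but not referenced by any
    // permission.
    relation author: user
    relation finding: finding
    relation project: project

    permission admin_vulnerability = project->admin_vulnerability
    permission create_vulnerability_feedback = project->create_vulnerability_feedback
    permission read_vulnerability = project->read_vulnerability
    permission read_vulnerability_representation_information = project->read_vulnerability_representation_information
    permission create_external_issue_link = project->create_external_issue_link
}

// Security finding: reuses the project's vulnerability permissions.
definition finding {
    relation project: project
    // NOTE(review): `scanner` is declared but not referenced by any permission.
    relation scanner: scanner

    permission admin_finding = project->admin_vulnerability
    permission read_finding = project->read_vulnerability
    permission read_finding_token_status = project->read_finding_token_status
}

// Container repository. Reads may also come through the group; writes and
// deletes go through the project only.
definition container_repository {
    relation group: group
    relation project: project

    permission admin_container_image = project->admin_container_image
    permission destroy_container_image = project->admin_container_image
    permission read_container_image = project->read_container_image + group->read_container_image
    permission create_container_image = project->create_container_image
    permission update_container_image = project->update_container_image
    permission destroy_container_image_tag = project->destroy_container_image_tag
}

// Package. Reads/admin may come through the group; creation requires a project
// developer, deletion a project package admin.
definition package {
    relation group: group
    relation project: project

    permission admin_package = project->admin_package + group->admin_package
    // NOTE(review): bare relation arrow (direct developers only) — see `pipeline`.
    permission create_package = project->developer
    permission destroy_package = project->admin_package
    permission read_package = project->read_package + group->read_package
    permission read_package_within_public_registries = project->read_package_within_public_registries + group->read_package_within_public_registries
}

// Environment: delegated to the owning project.
definition environment {
    // NOTE(review): `deployment` is declared but not referenced by any permission.
    relation deployment: deployment
    relation project: project

    // NOTE(review): bare relation arrows (direct maintainers / developers only) —
    // see `pipeline`.
    permission admin_environment = project->maintainer
    permission read_environment = project->read_project
    permission stop_environment = project->developer
    permission create_environment = project->create_environment
    permission update_environment = project->update_environment
    permission destroy_environment = project->destroy_environment
    permission create_environment_terminal = project->create_environment_terminal
}

// Deployment: delegated to the owning project. `author` and `environment` carry
// no rights of their own here.
definition deployment {
    relation author: user
    relation environment: environment
    relation project: project

    // NOTE(review): bare relation arrows (direct maintainers only) — see `pipeline`.
    // approve_deployment has no per-environment approver rule in this model;
    // confirm that is acceptable for protected environments.
    permission admin_deployment = project->maintainer
    permission approve_deployment = project->maintainer
    permission read_deployment = project->read_project
    permission create_deployment = project->create_deployment
    permission update_deployment = project->update_deployment
    permission destroy_deployment = project->destroy_deployment
    permission read_pages_deployments = project->read_pages_deployments
    permission update_pages_deployments = project->update_pages_deployments
}

// Custom member role: managed by group owners or organization admins; admin
// roles (instance-level) by organization admins only.
definition member_role {
    relation group: group
    relation organization: organization

    permission admin_member_role = group->owner + organization->admin
    permission read_member_role = group->read + organization->read
    permission delete_admin_role = organization->admin
    permission read_admin_role = organization->admin
    permission update_admin_role = organization->admin
}

// Compliance framework: delegated to the group or organization.
definition compliance_framework {
    relation group: group
    relation organization: organization

    permission admin_compliance_framework = group->admin_compliance_framework + organization->admin_compliance_framework
    permission read_compliance_framework = group->read + organization->read
    permission admin_compliance_pipeline_configuration = group->admin_compliance_pipeline_configuration
}

// Audit event. Readable by group/project owners and organization admins;
// instance-level streaming and definitions are organization-admin only.
definition audit_event {
    relation group: group
    relation project: project
    relation organization: organization

    permission admin_external_audit_events = group->owner + organization->admin_external_audit_events
    permission read_audit_event = group->owner + project->owner + organization->admin
    permission read_admin_audit_log = organization->admin
    permission admin_instance_external_audit_events = organization->admin
    permission audit_event_definitions = organization->admin
}

// Deploy token. Registry/repository scopes resolve through the owning project or
// group; token lifecycle through the matching project/group permissions.
definition deploy_token {
    relation project: project
    relation group: group

    permission read_registry = project->read_container_image + group->read_container_image
    permission read_repository = project->read_code + group->read_code
    // NOTE(review): bare relation arrow (direct developers only) — see `pipeline`.
    permission write_registry = project->developer + group->developer
    permission create_deploy_token = project->create_deploy_token + group->create_deploy_token
    // The group arm previously arrowed into `manage_deploy_tokens`, which the group
    // definition does not declare (it declares `update_deploy_token`); an unknown
    // arrow target fails schema compilation.
    permission update_deploy_token = project->update_deploy_token + group->update_deploy_token
}

// Personal access token resource (enhanced)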
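// Personal access token. The owning account is reached through `user->user`
// (the self relation on `definition user`, which must therefore be declared);
// organization admins may administer and revoke but not read, rotate or use.
definition personal_access_token {
    relation user: user
    relation organization: organization

    permission admin_token = user->user + organization->admin
    // use_token was previously also granted to `organization->member`, which let
    // every member of the owner's organization authenticate with another member's
    // token. Only the owner may exercise the token.
    permission use_token = user->user
    permission read_token = user->user
    permission revoke_token = user->user + organization->admin
    permission rotate_token = user->user
}

// Security scanner: reuses the project/group vulnerability permissions.
definition scanner {
    relation project: project
    relation group: group

    permission admin_scanner = project->admin_vulnerability + group->admin_vulnerability
    permission read_scanner = project->read_project + group->read
    permission read_scan = project->read_scan
}

// Note (comment). The author may read/admin/update their own note; all other
// abilities are delegated to the owning project or group.
definition note {
    relation project: project
    relation group: group
    relation author: user
    // NOTE(review): the noteable_* relations are declared but not referenced by
    // any permission; visibility of the parent issuable is not enforced here.
    relation noteable_issue: issue
    relation noteable_merge_request: merge_request
    relation noteable_epic: epic

    permission read_note = project->read_note + group->read_note + author
    permission admin_note = project->admin_note + group->admin_note + author
    permission update_note = author + project->admin_note + group->admin_note
    permission resolve_note = project->resolve_note + group->resolve_note
    permission reposition_note = project->reposition_note + group->reposition_note
    permission mark_note_as_internal = project->mark_note_as_internal + group->mark_note_as_internal
    permission award_emoji = project->award_emoji + group->award_emoji
}

// Todo: visible and editable only by its user.
definition todo {
    relation user: user
    // NOTE(review): `project` and `group` are declared but not referenced.
    relation project: project
    relation group: group

    permission read_todo = user
    permission update_todo = user
}

// Timelog: delegated to the owning project or group.
definition timelog {
    relation project: project
    relation group: group
    // NOTE(review): `user` is declared but not referenced by any permission.
    relation user: user

    permission admin_timelog = project->admin_timelog + group->admin_timelog
    permission create_timelog = project->create_timelog + group->create_timelog
}

// Custom emoji: group-scoped; the creator may delete their own.
definition custom_emoji {
    relation group: group
    relation creator: user

    permission read_custom_emoji = group->read_custom_emoji
    permission delete_custom_emoji = group->delete_custom_emoji + creator
}

// Saved reply: the owning user, or the project/group-level permission.
definition saved_reply {
    relation user: user
    relation project: project
    relation group: group

    permission create_saved_replies = user + project->create_saved_replies + group->create_saved_replies
    permission read_saved_replies = user + project->read_saved_replies + group->read_saved_replies
    permission update_saved_replies = user + project->update_saved_replies + group->update_saved_replies
    permission destroy_saved_replies = user + project->destroy_saved_replies + group->destroy_saved_replies
}

// Achievement: defined on a namespace (group); the awarded user may read and
// update their own copy, the namespace admin everything else.
definition achievement {
    relation namespace: group
    relation user: user

    permission read_achievement = namespace->read_achievement
    permission admin_achievement = namespace->admin_achievement
    permission award_achievement = namespace->award_achievement
    permission read_user_achievement = user
    permission update_user_achievement = namespace->admin_achievement
    permission update_owned_user_achievement = user
    permission destroy_user_achievement = namespace->admin_achievement
}

// Virtual registry: delegated to the owning group.
definition virtual_registry {
    relation group: group

    permission read_virtual_registry = group->read_virtual_registry
    permission create_virtual_registry = group->create_virtual_registry
    permission update_virtual_registry = group->update_virtual_registry
    permission destroy_virtual_registry = group->destroy_virtual_registry
}

// Workspace: the owning user may read/update; creation, variables and agent
// config are delegated to the project; listing all workspaces is owner-only.
definition workspace {
    relation project: project
    relation user: user

    permission create_workspace = project->create_workspace
    permission read_workspace = project->read_workspace + user
    permission update_workspace = project->update_workspace + user
    permission read_workspace_variable = project->read_workspace_variable
    permission read_workspaces_agent_config = project->read_workspaces_agent_config
    permission access_workspaces_feature = project->access_workspaces_feature
    permission read_all_workspaces = project->owner
}

// CRM contact: delegated to the owning group.
definition crm_contact {
    relation group: group

    permission read_crm_contact = group->read_crm_contact
    permission admin_crm_contact = group->admin_crm_contact
}

// CRM organization: delegated to the owning group.
definition crm_organization {
    relation group: group

    permission read_crm_organization = group->read_crm_organization
    permission admin_crm_organization = group->admin_crm_organization
}

// Custom field: delegated to the owning project or group.
definition custom_field {
    relation project: project
    relation group: group

    permission read_custom_field = project->read_custom_field + group->read_custom_field
    permission admin_custom_field = project->admin_custom_field + group->admin_custom_field
}

// Duo workflow: delegated to the owning group, with project-level reads and
// CI execution.
definition duo_workflow {
    relation group: group
    relation project: project

    permission admin_duo_workflow = group->admin_duo_workflow
    // NOTE(review): `project->duo_workflow` does not follow the naming of every
    // other arm here (`read_duo_workflow`); likely a typo for
    // `project->read_duo_workflow` — confirm against the project definition.
    permission read_duo_workflow = group->read_duo_workflow + project->duo_workflow
    permission update_duo_workflow = group->update_duo_workflow
    permission destroy_duo_workflow = group->destroy_duo_workflow
    permission execute_duo_workflow_in_ci = group->execute_duo_workflow_in_ci + project->execute_duo_workflow_in_ci
    permission read_duo_workflow_event = group->read_duo_workflow_event + project->read_duo_workflow_event
}

// Value-stream group stage: delegated to the owning group.
definition group_stage {
    relation group: group

    permission create_group_stage = group->create_group_stage
    permission read_group_stage = group->read_group_stage
    permission update_group_stage = group->update_group_stage
    permission delete_group_stage = group->delete_group_stage
}

// Project/group access token: delegated to the owning project or group.
definition resource_access_token {
    relation project: project
    relation group: group

    permission read_resource_access_tokens = project->read_resource_access_tokens + group->read_resource_access_tokens
    permission create_resource_access_tokens = project->create_resource_access_tokens + group->create_resource_access_tokens
    permission destroy_resource_access_tokens = project->destroy_resource_access_tokens + group->destroy_resource_access_tokens
    permission manage_resource_access_tokens = project->manage_resource_access_tokens + group->manage_resource_access_tokens
}

// Kubernetes cluster. Reads resolve through project, group or the instance
// (organization) read; mutations through the matching admin grants.
definition cluster {
    relation project: project
    relation group: group
    // NOTE(review): named `instance` here but `organization` in `cluster_agent`,
    // `runner` and `service_account` — consider one name for the same concept.
    relation instance: organization

    permission read_cluster = project->read_cluster + group->read_cluster + instance->read
    permission add_cluster = project->add_cluster + group->add_cluster + instance->admin
    permission create_cluster = project->create_cluster + group->create_cluster + instance->admin
    permission update_cluster = project->update_cluster + group->update_cluster + instance->admin
    permission admin_cluster = project->admin_cluster + group->admin_cluster + instance->admin
    permission read_cluster_environments = project->read_cluster_environments + group->read_cluster_environments + instance->read
    // NOTE(review): `use_k` looks truncated (other cluster permissions spell out
    // their names); confirm the intended identifier before any caller depends on it.
    permission use_k = project->use_k + group->use_k + instance->admin
}

// Cluster agent and its namespace/organization mappings.
definition cluster_agent {
    relation project: project
    relation group: group
    relation organization: organization

    permission read_cluster_agent = project->read_cluster_agent + group->read_cluster_agent + organization->read_organization_cluster_agent_mapping
    permission admin_namespace_cluster_agent_mapping = group->admin_namespace_cluster_agent_mapping
    permission admin_organization_cluster_agent_mapping = organization->admin_organization_cluster_agent_mapping
    permission read_namespace_cluster_agent_mapping = group->read_namespace_cluster_agent_mapping
    permission read_organization_cluster_agent_mapping = organization->read_organization_cluster_agent_mapping
}

// Service account: managed at organization or group level.
definition service_account {
    relation organization: organization
    relation group: group

    permission admin_service_accounts = organization->admin_service_accounts + group->admin_service_accounts
    permission create_service_account = organization->create_service_account + group->create_service_account
    permission delete_service_account = organization->delete_service_account + group->delete_service_account
    permission admin_service_account_member = group->admin_service_account_member
}

// Import source user mapping: owner of the target namespace only.
definition source_user {
    relation namespace: group

    permission admin_import_source_user = namespace->owner
}

// Custom admin role: organization admins only.
definition admin_role {
    relation organization: organization

    permission read_admin_role = organization->admin
    permission create_admin_role = organization->admin
    permission update_admin_role = organization->admin
    permission delete_admin_role = organization->admin
}

// Terms of service: only the user themselves may accept or decline.
definition term {
    relation user: user

    permission accept_terms = user
    permission decline_terms = user
}

// Group SAML provider. Any group member (guest and up) may sign in through it;
// administration is delegated to the group.
definition saml_provider {
    relation group: group

    permission sign_in_with_saml_provider = group->guest_access
    permission admin_group_saml = group->admin_group_saml
    permission read_group_saml_identity = group->read_group_saml_identity
    permission admin_saml_group_links = group->admin_saml_group_links
    permission read_saml_user = group->read_saml_user
}

// Conversation thread: deletable only by its user.
definition thread {
    relation user: user

    permission delete_conversation_thread = user
}

// Instance-wide permissions. `admin` is the instance administrator relation and
// `user` any signed-in account.
// NOTE(review): `admin` does not imply `user` — an account written only as
// global#admin fails log_in / access_api / access_git below. Either write both
// relationships for administrators or define the user-level permissions as
// `user + admin` — confirm which the relationship writer does.
definition global {
    relation admin: user
    relation user: user

    // Feature access available to any signed-in user.
    permission access_admin_area = admin
    permission access_api = user
    permission access_git = user
    permission access_code_suggestions = user
    permission access_duo_chat = user
    permission access_duo_core_features = user
    permission access_glab_ask_git_command = user
    permission access_workspaces_feature = user
    permission access_x_ray_on_instance = admin

    // Instance administration.
    permission admin_instance_external_audit_events = admin
    permission admin_member_role = admin
    permission admin_service_accounts = admin
    permission admin_web_hook = admin
    permission approve_user = admin
    permission create_admin_role = admin
    permission create_group = user
    permission create_group_via_api = user
    permission create_group_with_default_branch_protection = admin
    permission create_instance_runner = admin
    permission create_organization = admin
    permission create_snippet = user
    permission destroy_licenses = admin
    permission execute_graphql_mutation = user
    permission export_user_permissions = admin
    permission log_in = user
    permission manage_devops_adoption_namespaces = admin
    permission manage_duo_core_settings = admin
    permission manage_ldap_admin_links = admin
    permission manage_self_hosted_models_settings = admin
    permission manage_subscription = admin

    // Admin-area reads.
    permission read_admin_audit_log = admin
    permission read_admin_background_jobs = admin
    permission read_admin_background_migrations = admin
    permission read_admin_cicd = admin
    permission read_admin_gitaly_servers = admin
    permission read_admin_health_check = admin
    permission read_admin_metrics_dashboard = admin
    permission read_admin_role = admin
    permission read_admin_subscription = admin
    permission read_admin_system_information = admin
    permission read_admin_users = admin
    permission read_all_geo = admin
    permission read_all_workspaces = admin
    permission read_application_statistics = admin
    permission read_billable_member = admin
    permission read_cloud_connector_status = admin
    permission read_custom_attribute = admin
    permission read_instance_metadata = admin
    permission read_jobs_statistics = admin
    permission read_licenses = admin
    permission read_member_role = admin
    permission read_operations_dashboard = admin
    permission read_runner_upgrade_status = admin
    permission read_runner_usage = admin
    permission read_usage_trends_measurement = admin
    permission read_users_list = admin
    permission read_web_hook = admin

    // Remaining user / admin abilities.
    permission receive_notifications = user
    permission reject_user = admin
    permission update_custom_attribute = admin
    permission update_max_pages_size = admin
    permission use_project_statistics_filters = user
    permission use_quick_actions = user
    permission use_slash_commands = user
    permission view_instance_devops_adoption = admin
    permission view_member_roles = user
    permission view_productivity_analytics = user
    permission read_duo_core_settings = admin
    permission read_self_hosted_models_settings = admin
}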
