path: root/etc/authzd/spice.schema
blob: 24d8c050175d904573f0a91014e669475a7fe85b (plain)
// Comprehensive GitLab SpiceDB Schema
// Based on systematic analysis of 798 GitLab permissions from 487+ policy files
// Includes all permissions from app/policies and ee/app/policies
// Full support for CI_JOB_TOKEN permissions and Custom Roles

// A top-level GitLab organization.
// Three roles are stored as relations. `admin_organization` doubles as the
// administrative tier (admin or owner) and `read` as the membership tier
// (any of the three roles); every other permission is expressed in terms of
// one of those two tiers so a role change only has to be made in one place.
definition organization {
  relation admin: user
  relation member: user
  relation owner: user

  // Role tiers
  permission admin_organization = owner + admin
  permission read = admin_organization + member

  // Membership-tier permissions (member, admin or owner)
  permission create_group = read
  permission read_organization = read
  permission read_organization_cluster_agent_mapping = read
  permission read_organization_user = read

  // Administrative-tier permissions (admin or owner only)
  permission admin_compliance_framework = admin_organization
  permission admin_external_audit_events = admin_organization
  permission create_organization = admin_organization
  permission admin_instance_external_audit_events = admin_organization
  permission read_all_organization_resources = admin_organization
  permission admin_service_accounts = admin_organization
  permission create_service_account = admin_organization
  permission delete_service_account = admin_organization
  permission admin_organization_cluster_agent_mapping = admin_organization
  permission update_organization_user = admin_organization
  permission remove_user = admin_organization
  permission delete_user = admin_organization
  permission admin_add_on_purchase = admin_organization
  permission manage_destroy = admin_organization
}

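// A GitLab group (namespace).
// Roles are stored as direct relations (guest .. owner). The *_access
// permissions act as cumulative role tiers; every other permission is the
// union of the roles allowed to perform it.
//
// Fix: `admin_vulnerability` was declared twice (once under Administrative,
// once under Security). SpiceDB rejects a definition that declares the same
// relation/permission name more than once, so the schema would not compile.
// It is now declared exactly once, in the Security section.
definition group {
  relation developer: user
  relation group_bot: user
  relation guest: user
  relation maintainer: user
  relation organization: organization
  relation owner: user
  // NOTE(review): parent_group only contributes to read/read_group below.
  // Roles held on an ancestor group do not flow into the *_access tiers or
  // any other permission of this definition — confirm that is intended.
  relation parent_group: group
  relation planner: user
  relation reporter: user
  // NOTE(review): service_account is not referenced by any permission in
  // this definition, so writing this relationship grants nothing — confirm
  // whether it should feed a tier or can be removed.
  relation service_account: user

  // Core access permissions
  // NOTE(review): organization->member makes every member of the owning
  // organization a reader of this group regardless of group role — confirm
  // this matches the intended visibility rules for private groups.
  permission read = guest + reporter + developer + maintainer + owner + organization->member + parent_group->read
  permission read_group = guest + reporter + developer + maintainer + owner + organization->member + parent_group->read
  permission guest_access = guest + reporter + developer + maintainer + owner
  permission reporter_access = reporter + developer + maintainer + owner
  permission developer_access = developer + maintainer + owner
  permission maintainer_access = maintainer + owner
  permission owner_access = owner
  permission planner_access = planner + reporter + developer + maintainer + owner
  permission project_bot_access = group_bot

  // Administrative permissions
  permission admin_group = owner + organization->admin_organization
  permission admin_group_member = maintainer + owner
  permission admin_compliance_framework = owner + organization->admin_compliance_framework
  permission admin_epic = reporter + developer + maintainer + owner
  permission admin_cicd_variables = maintainer + owner
  permission admin_runner = owner
  // admin_vulnerability is declared once, in the Security section below.
  permission archive_group = owner
  permission remove_group = owner
  permission change_visibility_level = owner

  // Wiki permissions
  permission create_wiki = developer + maintainer + owner
  permission admin_wiki = maintainer + owner
  permission read_wiki = guest + reporter + developer + maintainer + owner
  permission download_wiki_code = reporter + developer + maintainer + owner

  // Milestone and iteration permissions
  permission admin_milestone = reporter + developer + maintainer + owner
  permission read_milestone = guest + reporter + developer + maintainer + owner
  permission create_milestone = reporter + developer + maintainer + owner
  permission admin_iteration = reporter + developer + maintainer + owner
  permission read_iteration = guest + reporter + developer + maintainer + owner
  permission create_iteration = developer + maintainer + owner
  permission admin_iteration_cadence = developer + maintainer + owner
  permission read_iteration_cadence = guest + reporter + developer + maintainer + owner
  permission create_iteration_cadence = developer + maintainer + owner

  // Label permissions
  permission admin_label = reporter + developer + maintainer + owner
  permission read_label = guest + reporter + developer + maintainer + owner
  permission read_group_labels = guest + reporter + developer + maintainer + owner

  // Issue board permissions
  permission admin_issue_board = reporter + developer + maintainer + owner
  permission read_issue_board = guest + reporter + developer + maintainer + owner
  permission admin_issue_board_list = reporter + developer + maintainer + owner
  permission read_issue_board_list = guest + reporter + developer + maintainer + owner

  // Epic board permissions (EE)
  permission admin_epic_board = reporter + developer + maintainer + owner
  permission read_epic_board = guest + reporter + developer + maintainer + owner
  permission admin_epic_board_list = reporter + developer + maintainer + owner
  permission read_epic_board_list = guest + reporter + developer + maintainer + owner

  // Package and container permissions
  permission admin_package = maintainer + owner
  permission read_package = guest + reporter + developer + maintainer + owner
  permission create_package = developer + maintainer + owner
  permission destroy_package = maintainer + owner
  permission read_container_image = guest + reporter + developer + maintainer + owner

  // Security permissions
  permission read_security_dashboard = reporter + developer + maintainer + owner
  permission read_group_security_dashboard = reporter + developer + maintainer + owner
  permission access_security_and_compliance = developer + maintainer + owner
  // Single declaration (previously duplicated under Administrative permissions).
  permission admin_vulnerability = developer + maintainer + owner
  permission read_vulnerability = reporter + developer + maintainer + owner
  permission resolve_vulnerability_with_ai = developer + maintainer + owner

  // Analytics permissions
  permission read_group_analytics_dashboards = reporter + developer + maintainer + owner
  permission view_productivity_analytics = reporter + developer + maintainer + owner
  permission read_group_activity_analytics = reporter + developer + maintainer + owner
  permission read_group_contribution_analytics = reporter + developer + maintainer + owner
  permission read_group_repository_analytics = reporter + developer + maintainer + owner
  permission view_group_devops_adoption = reporter + developer + maintainer + owner
  permission view_group_ci_cd_analytics = reporter + developer + maintainer + owner
  permission read_ci_cd_analytics = reporter + developer + maintainer + owner
  permission read_group_build_report_results = reporter + developer + maintainer + owner
  permission read_group_coverage_reports = reporter + developer + maintainer + owner

  // Compliance permissions
  permission read_compliance_dashboard = reporter + developer + maintainer + owner
  permission admin_compliance_pipeline_configuration = owner
  permission read_compliance_adherence_report = developer + maintainer + owner
  permission read_compliance_violations_report = developer + maintainer + owner
  permission read_group_audit_events = owner

  // Member management
  permission admin_member_access_request = maintainer + owner
  permission read_member_access_request = guest + reporter + developer + maintainer + owner
  permission invite_group_members = maintainer + owner
  permission override_group_member = owner
  permission activate_group_member = maintainer + owner
  permission ban_group_member = owner
  permission destroy_group_member = owner
  permission update_group_member = maintainer + owner

  // Service account permissions
  permission admin_service_account_member = owner
  permission create_service_account = owner
  permission delete_service_account = owner

  // Runner permissions
  permission register_group_runners = maintainer + owner
  permission admin_group_or_admin_runner = owner
  permission read_group_runners = reporter + developer + maintainer + owner
  permission read_group_all_available_runners = reporter + developer + maintainer + owner

  // CRM permissions (EE)
  permission admin_crm_contact = reporter + developer + maintainer + owner
  permission read_crm_contact = guest + reporter + developer + maintainer + owner
  permission admin_crm_organization = reporter + developer + maintainer + owner
  permission read_crm_organization = guest + reporter + developer + maintainer + owner

  // Custom field permissions (EE)
  permission admin_custom_field = owner
  permission read_custom_field = guest + reporter + developer + maintainer + owner

  // Deploy token permissions
  permission create_deploy_token = maintainer + owner
  permission read_deploy_token = maintainer + owner
  permission destroy_deploy_token = maintainer + owner
  permission manage_deploy_tokens = maintainer + owner
  permission update_group_deploy_key = maintainer + owner
  permission update_group_deploy_key_for_group = maintainer + owner

  // Dependency proxy permissions
  permission admin_dependency_proxy = owner
  permission read_dependency_proxy = guest + reporter + developer + maintainer + owner

  // AI/Duo permissions
  permission access_duo_features = developer + maintainer + owner
  permission access_duo_chat = developer + maintainer + owner
  permission access_ai_review_mr = developer + maintainer + owner
  permission admin_duo_workflow = owner
  permission read_duo_workflow = developer + maintainer + owner
  permission update_duo_workflow = maintainer + owner
  permission destroy_duo_workflow = owner
  permission execute_duo_workflow_in_ci = developer + maintainer + owner

  // Group settings permissions
  permission change_share_with_group_lock = owner
  permission change_prevent_sharing_groups_outside_hierarchy = owner
  permission change_prevent_group_forking = owner
  permission set_emails_disabled = owner
  permission set_show_diff_preview_in_email = owner
  permission change_new_user_signups_cap = owner
  permission change_seat_control = owner

  // Additional permissions
  permission create_projects = maintainer + owner
  permission transfer_projects = owner
  permission import_projects = owner
  permission admin_namespace = owner
  permission read_namespace = guest + reporter + developer + maintainer + owner
  permission admin_namespace_cluster_agent_mapping = owner
  permission read_namespace_cluster_agent_mapping = guest + reporter + developer + maintainer + owner
  permission create_subgroup = owner
  permission list_subgroup_epics = reporter + developer + maintainer + owner
  permission admin_integrations = owner
  permission read_group_member = guest + reporter + developer + maintainer + owner
  permission read_group_metadata = guest + reporter + developer + maintainer + owner
  permission read_group_activity = guest + reporter + developer + maintainer + owner
  permission read_group_issues = guest + reporter + developer + maintainer + owner
  permission read_group_merge_requests = guest + reporter + developer + maintainer + owner
  permission read_group_milestones = guest + reporter + developer + maintainer + owner
  permission read_group_boards = guest + reporter + developer + maintainer + owner
  permission read_group_release_stats = reporter + developer + maintainer + owner
  permission read_group_credentials_inventory = owner
  permission admin_group_credentials_inventory = owner
  permission create_custom_emoji = developer + maintainer + owner
  permission read_custom_emoji = guest + reporter + developer + maintainer + owner
  permission delete_custom_emoji = owner
  permission upload_file = guest + reporter + developer + maintainer + owner
  permission read_upload = guest + reporter + developer + maintainer + owner
  permission destroy_upload = maintainer + owner
  permission admin_upload = owner
  permission create_group_stage = owner
  permission read_group_stage = guest + reporter + developer + maintainer + owner
  permission update_group_stage = owner
  permission delete_group_stage = owner
  permission admin_ldap_group_links = owner
  permission admin_saml_group_links = owner
  permission admin_group_saml = owner
  permission read_group_saml_identity = owner
  permission create_jira_connect_subscription = owner
  permission read_billable_member = owner
  permission read_billing = owner
  permission edit_billing = owner
  permission start_trial = owner
  permission admin_licensed_seat = owner
  permission update_subscription_limit = owner
  permission read_usage_quotas = owner
  permission admin_push_rules = owner
  permission change_push_rules = owner
  permission change_commit_committer_check = owner
  permission change_commit_committer_name_check = owner
  permission change_reject_unsigned_commits = owner
  permission change_reject_non_dco_commits = owner
  permission enable_secret_push_protection = owner
  permission read_saml_user = owner
  permission read_limit_alert = owner
  permission read_licenses = owner
  permission read_dependency = guest + reporter + developer + maintainer + owner
  permission read_lifecycle = reporter + developer + maintainer + owner
  permission read_counts = reporter + developer + maintainer + owner
  permission manage_merge_request_settings = owner
  permission update_approval_rule = owner
  permission export_group_memberships = owner
  permission rollover_issues = owner
  permission admin_achievement = owner
  permission read_achievement = guest + reporter + developer + maintainer + owner
  permission award_achievement = owner
  permission read_insights = reporter + developer + maintainer + owner
  permission read_resource_access_tokens = maintainer + owner
  permission create_resource_access_tokens = owner
  permission destroy_resource_access_tokens = owner
  permission manage_resource_access_tokens = owner
  permission admin_setting_to_allow_resource_access_token_creation = owner
  permission read_member_role = guest + reporter + developer + maintainer + owner
  permission admin_member_role = owner
  permission view_member_roles = guest + reporter + developer + maintainer + owner
  permission generate_description = developer + maintainer + owner
  permission read_virtual_registry = guest + reporter + developer + maintainer + owner
  permission create_virtual_registry = owner
  permission update_virtual_registry = owner
  permission destroy_virtual_registry = owner
  permission create_saved_replies = developer + maintainer + owner
  permission read_saved_replies = guest + reporter + developer + maintainer + owner
  permission update_saved_replies = developer + maintainer + owner
  permission destroy_saved_replies = developer + maintainer + owner
  permission admin_value_stream = owner
  permission modify_value_stream_dashboard_settings = owner
  permission read_internal_note = reporter + developer + maintainer + owner
  permission read_note = guest + reporter + developer + maintainer + owner
  permission create_note = guest + reporter + developer + maintainer + owner
  permission admin_note = maintainer + owner
  permission mark_note_as_internal = reporter + developer + maintainer + owner
  permission award_emoji = guest + reporter + developer + maintainer + owner
  permission admin_web_hook = owner
  permission read_web_hook = maintainer + owner
  permission manage_devops_adoption_namespaces = owner
  permission provision_cloud_runner = owner
  permission provision_gke_runner = owner
  permission read_runner_cloud_provisioning_info = owner
  permission read_runner_gke_provisioning_info = owner
  // NOTE(review): the name `use_k` looks truncated — confirm against the
  // source policy before relying on it.
  permission use_k = developer + maintainer + owner
  permission view_type_of_work_charts = reporter + developer + maintainer + owner
  permission view_edit_page = developer + maintainer + owner
  permission view_globally = guest + reporter + developer + maintainer + owner
  permission summarize_comments = developer + maintainer + owner
  permission set_note_created_at = owner
  permission set_issue_created_at = owner
  permission set_issue_updated_at = owner
  permission set_epic_created_at = owner
  permission set_epic_updated_at = owner
  permission set_show_default_award_emojis = owner
  permission set_warn_about_potentially_unwanted_characters = owner
  permission measure_comment_temperature = developer + maintainer + owner
  permission read_product_analytics = reporter + developer + maintainer + owner
  permission modify_product_analytics_settings = owner
  permission read_harbor_registry = reporter + developer + maintainer + owner
  permission read_cluster = reporter + developer + maintainer + owner
  permission admin_cluster = owner
  permission create_cluster = owner
  permission update_cluster = owner
  permission add_cluster = owner
  permission read_cluster_agent = reporter + developer + maintainer + owner
  permission read_cluster_environments = reporter + developer + maintainer + owner
  permission read_prometheus = reporter + developer + maintainer + owner
  permission read_grafana = reporter + developer + maintainer + owner
  permission admin_protected_environments = owner
  permission export_work_items = reporter + developer + maintainer + owner
  permission import_work_items = developer + maintainer + owner
  permission admin_work_item = reporter + developer + maintainer + owner
  permission read_work_item = guest + reporter + developer + maintainer + owner
  permission create_work_item = guest + reporter + developer + maintainer + owner
  permission update_work_item = reporter + developer + maintainer + owner
  permission admin_issue = reporter + developer + maintainer + owner
  permission read_issue = guest + reporter + developer + maintainer + owner
  permission create_issue = guest + reporter + developer + maintainer + owner
  permission update_issue = reporter + developer + maintainer + owner
  permission destroy_issue = owner
  permission reopen_issue = reporter + developer + maintainer + owner
  permission create_task = guest + reporter + developer + maintainer + owner
  permission create_key_result = developer + maintainer + owner
  permission create_objective = developer + maintainer + owner
  permission set_issue_metadata = reporter + developer + maintainer + owner
  permission set_work_item_metadata = reporter + developer + maintainer + owner
  permission clone_issue = reporter + developer + maintainer + owner
  permission clone_work_item = reporter + developer + maintainer + owner
  permission move_issue = reporter + developer + maintainer + owner
  permission move_work_item = reporter + developer + maintainer + owner
  permission admin_merge_request = developer + maintainer + owner
  permission update_merge_request = developer + maintainer + owner
  permission create_epic_tree_relation = developer + maintainer + owner
  permission admin_epic_relation = developer + maintainer + owner
  permission admin_epic_link_relation = developer + maintainer + owner
  permission admin_epic_tree_relation = developer + maintainer + owner
  permission bulk_admin_epic = owner
  permission read_epic_iid = guest + reporter + developer + maintainer + owner
  permission read_epic_relation = guest + reporter + developer + maintainer + owner
  permission read_epic_link_relation = guest + reporter + developer + maintainer + owner
  permission set_epic_metadata = reporter + developer + maintainer + owner
  permission set_confidentiality = reporter + developer + maintainer + owner
  permission create_timelog = reporter + developer + maintainer + owner
  permission admin_timelog = owner
  permission read_timelog_category = guest + reporter + developer + maintainer + owner
  permission read_issuable = guest + reporter + developer + maintainer + owner
  permission read_issuable_participables = guest + reporter + developer + maintainer + owner
  permission create_todo = guest + reporter + developer + maintainer + owner
  permission update_todo = guest + reporter + developer + maintainer + owner
  permission read_todo = guest + reporter + developer + maintainer + owner
  permission update_subscription = guest + reporter + developer + maintainer + owner
  permission reopen_merge_request = developer + maintainer + owner
  permission resolve_note = developer + maintainer + owner
  permission reposition_note = developer + maintainer + owner
  permission request_access = guest
  permission withdraw_member_access_request = guest + reporter + developer + maintainer + owner
  permission read_shared_with_group = guest + reporter + developer + maintainer + owner
  permission update_default_branch_protection = owner
  permission update_git_access_protocol = owner
  permission update_max_artifacts_size = owner
  permission read_statistics = reporter + developer + maintainer + owner
  permission read_cycle_analytics = reporter + developer + maintainer + owner
  permission read_design_activity = reporter + developer + maintainer + owner
  permission read_namespace_via_membership = guest + reporter + developer + maintainer + owner
  permission read_nested_project_resources = guest + reporter + developer + maintainer + owner
  permission read_namespace_catalog = guest + reporter + developer + maintainer + owner
  permission read_dora = reporter + developer + maintainer + owner
  permission read_enterprise_ai_analytics = reporter + developer + maintainer + owner
  permission read_pro_ai_analytics = reporter + developer + maintainer + owner
  permission read_security_inventory = developer + maintainer + owner
  permission read_security_configuration = developer + maintainer + owner
  permission read_security_orchestration_policies = developer + maintainer + owner
  permission read_security_orchestration_policy_project = developer + maintainer + owner
  permission update_security_orchestration_policy_project = owner
  permission modify_security_policy = owner
  permission admin_security_testing = owner
  permission enable_continuous_vulnerability_scans = owner
  permission configure_secret_detection_validity_checks = owner
  permission read_secret_detection_validity_checks_status = developer + maintainer + owner
  permission read_secret_push_protection_info = developer + maintainer + owner
  permission admin_merge_request_approval_settings = owner
  permission modify_approvers_rules = owner
  permission modify_merge_request_author_setting = owner
  permission modify_merge_request_committer_setting = owner
  permission edit_group_approval_rule = owner
  permission read_group_approval_rule = reporter + developer + maintainer + owner
  permission create_vulnerability_export = developer + maintainer + owner
  permission read_vulnerability_export = developer + maintainer + owner
  permission read_vulnerability_statistics = reporter + developer + maintainer + owner
  permission read_jobs_statistics = reporter + developer + maintainer + owner
  permission read_runner_usage = owner
  permission read_runners_registration_token = owner
  permission update_runners_registration_token = owner
  permission read_package_within_public_registries = guest + reporter + developer + maintainer + owner
  permission read_code = guest + reporter + developer + maintainer + owner
  permission read_resource_state_event = guest + reporter + developer + maintainer + owner
  permission read_resource_weight_event = guest + reporter + developer + maintainer + owner
  permission read_resource_iteration_event = guest + reporter + developer + maintainer + owner
  permission read_resource_milestone_event = guest + reporter + developer + maintainer + owner
  permission read_resource_label_event = guest + reporter + developer + maintainer + owner
  permission admin_group_model_selection = owner
  permission read_event = guest + reporter + developer + maintainer + owner
  permission use_quick_actions = guest + reporter + developer + maintainer + owner
  permission use_slash_commands = guest + reporter + developer + maintainer + owner
  permission receive_notifications = guest + reporter + developer + maintainer + owner
}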

definition project {
  // Subject relations. Each relation is an independent set: a subject written only
  // into `maintainer` is not in `guest`, so every permission in this definition
  // enumerates each role it grants to explicitly.
  relation ci_job_token: ci_job
  relation deploy_token: deploy_token
  relation developer: user
  relation group: group
  relation guest: user
  relation internal_access: user
  relation maintainer: user
  // NOTE(review): typed `user`, but `read_project` below walks `namespace->read`,
  // which resolves `read` on the `user` definition (not in view). If `user`
  // declares no `read`, the schema does not compile; a namespace/group subject type
  // looks intended — verify.
  relation namespace: user
  relation owner: user
  // NOTE(review): `planner` is referenced only by `planner_access` below; it is
  // absent from `read_project` and every other permission in view, so a subject
  // held only in `planner` cannot read the project. Confirm this is intended.
  relation planner: user
  relation project_bot: user
  // `user:*` allows a wildcard subject to be written on this relation; once written
  // it matches every `user`. A write here is effectively a visibility change.
  relation public_access: user:*
  relation reporter: user

  // Core access permissions
  // `read_project` is the widest grant in this definition: direct roles, the `read`
  // permission of the group and namespace subjects (defined elsewhere), the wildcard
  // `public_access` relation, and `internal_access`.
  permission read_project = guest + reporter + developer + maintainer + owner + group->read + namespace->read + public_access + internal_access
  permission guest_access = guest + reporter + developer + maintainer + owner
  permission reporter_access = reporter + developer + maintainer + owner
  permission developer_access = developer + maintainer + owner
  permission maintainer_access = maintainer + owner
  permission owner_access = owner
  permission planner_access = planner + reporter + developer + maintainer + owner
  // NOTE(review): `public_access` is already the name of the relation above. The
  // SpiceDB compiler rejects a definition in which a relation and a permission share
  // a name, so this line is expected to fail compilation — rename one of the two.
  permission public_access = public_access
  permission public_user_access = public_access + internal_access
  permission project_bot_access = project_bot
  // CI job tokens get their own read entry rather than a role.
  permission build_read_project = ci_job_token
  // Unlike `read_project`, this excludes `public_access`, `internal_access` and
  // `namespace->read`.
  permission read_project_for_iids = guest + reporter + developer + maintainer + owner + group->read

  // Administrative permissions
  // `admin_project`, `remove_project` and `change_visibility_level` are also
  // reachable through `group->admin_group` (defined elsewhere); the remaining
  // owner-only settings (`archive_project`, `change_namespace`, `manage_owners`,
  // the `set_*` entries) are not — confirm the asymmetry is intended.
  // `rename_project` is the only maintainer-level entry in this run.
  permission admin_project = owner + group->admin_group
  permission archive_project = owner
  permission remove_project = owner + group->admin_group
  permission change_visibility_level = owner + group->admin_group
  permission change_namespace = owner
  permission rename_project = maintainer + owner
  permission set_emails_disabled = owner
  permission set_show_diff_preview_in_email = owner
  permission set_show_default_award_emojis = owner
  permission set_warn_about_potentially_unwanted_characters = owner
  permission manage_owners = owner

  // Code and repository permissions
  // Non-user principals: `ci_job_token` and `deploy_token` can read and download
  // code; only `ci_job_token` can push (`build_push_code`). `read_code` additionally
  // inherits `group->read`; `download_code` does not.
  permission read_code = guest + reporter + developer + maintainer + owner + ci_job_token + deploy_token + group->read
  permission download_code = guest + reporter + developer + maintainer + owner + ci_job_token + deploy_token
  // NOTE(review): lists `guest + ci_job_token` only. Role relations are independent
  // sets, so a subject held only in `reporter`..`owner` does not satisfy this
  // permission — looks like a gap in the role ladder rather than intent; verify.
  permission build_download_code = guest + ci_job_token
  permission download_code_spp_repository = developer + maintainer + owner
  permission push_code = developer + maintainer + owner
  permission build_push_code = ci_job_token
  permission push_code_to_protected_branches = maintainer + owner
  permission push_to_delete_protected_branch = maintainer + owner
  permission fork_project = reporter + developer + maintainer + owner
  permission link_forked_project = developer + maintainer + owner
  permission remove_fork_project = owner

  // Wiki permissions
  // Reads are guest+, authoring developer+, administration maintainer+.
  permission create_wiki = developer + maintainer + owner
  permission admin_wiki = maintainer + owner
  permission read_wiki = guest + reporter + developer + maintainer + owner
  permission read_wiki_page = guest + reporter + developer + maintainer + owner
  permission download_wiki_code = reporter + developer + maintainer + owner

  // Snippet permissions
  // Same split as the wiki; note `update_snippet` is maintainer+ while
  // `create_snippet` is developer+.
  permission create_snippet = developer + maintainer + owner
  permission admin_snippet = maintainer + owner
  permission read_snippet = guest + reporter + developer + maintainer + owner
  permission update_snippet = maintainer + owner

  // Milestone permissions
  permission admin_milestone = reporter + developer + maintainer + owner
  permission read_milestone = guest + reporter + developer + maintainer + owner
  permission read_resource_milestone_event = guest + reporter + developer + maintainer + owner

  // Label permissions
  permission admin_label = reporter + developer + maintainer + owner
  permission read_label = guest + reporter + developer + maintainer + owner
  permission read_resource_label_event = guest + reporter + developer + maintainer + owner

  // Branch and tag permissions
  // Protection settings follow a maintainer+ create/update, owner-only destroy
  // split (`destroy_branch_rule`, `destroy_protected_branch`,
  // `destroy_protected_tags`, `destroy_squash_option`); all `read_*` entries are
  // guest+. `admin_target_branch_rule` is owner-only while `update_*` peers are
  // maintainer+.
  permission admin_tag = maintainer + owner
  permission delete_tag = maintainer + owner
  permission create_branch_rule = maintainer + owner
  permission read_branch_rule = guest + reporter + developer + maintainer + owner
  permission update_branch_rule = maintainer + owner
  permission destroy_branch_rule = owner
  permission admin_protected_branch = maintainer + owner
  permission create_protected_branch = maintainer + owner
  permission read_protected_branch = guest + reporter + developer + maintainer + owner
  permission update_protected_branch = maintainer + owner
  permission destroy_protected_branch = owner
  permission create_protected_tags = maintainer + owner
  permission read_protected_tags = guest + reporter + developer + maintainer + owner
  permission update_protected_tags = maintainer + owner
  permission destroy_protected_tags = owner
  permission manage_protected_tags = maintainer + owner
  permission admin_target_branch_rule = owner
  permission read_target_branch_rule = guest + reporter + developer + maintainer + owner
  permission update_squash_option = developer + maintainer + owner
  permission create_squash_option = developer + maintainer + owner
  permission read_squash_option = guest + reporter + developer + maintainer + owner
  permission destroy_squash_option = owner

  // CI/CD permissions
  // `ci_job_token` can read builds and artifacts and create pipelines, but holds
  // no update/cancel/admin entry. `admin_cicd_variables` also inherits
  // `group->admin_cicd_variables` (defined elsewhere); variable reads and writes
  // (`read_pipeline_variable`, `set_pipeline_variables`) are developer+.
  permission read_build = reporter + developer + maintainer + owner + ci_job_token
  permission create_build = developer + maintainer + owner
  permission update_build = developer + maintainer + owner
  permission cancel_build = developer + maintainer + owner
  permission erase_build = maintainer + owner
  permission play_job = developer + maintainer + owner
  permission read_job_artifacts = reporter + developer + maintainer + owner + ci_job_token
  permission destroy_artifacts = maintainer + owner
  permission admin_build = maintainer + owner
  permission create_pipeline = developer + maintainer + owner + ci_job_token
  permission create_bot_pipeline = developer + maintainer + owner
  permission read_pipeline = guest + reporter + developer + maintainer + owner
  permission update_pipeline = developer + maintainer + owner
  permission cancel_pipeline = developer + maintainer + owner
  permission destroy_pipeline = owner
  permission admin_pipeline = maintainer + owner
  permission read_pipeline_variable = developer + maintainer + owner
  // NOTE(review): `set_pipeline_variables` is declared a second time under
  // "Project settings permissions" in this same definition. Duplicate permission
  // names within one definition do not compile — keep a single declaration.
  permission set_pipeline_variables = developer + maintainer + owner
  permission read_pipeline_metadata = reporter + developer + maintainer + owner
  permission admin_cicd_variables = maintainer + owner + group->admin_cicd_variables
  permission change_restrict_user_defined_variables = owner

  // Pipeline schedule permissions
  // Schedules are developer+ to create/update/play/take over, maintainer+ to
  // administer; reading schedule variables is developer+ (reading the schedule
  // itself is reporter+).
  permission create_pipeline_schedule = developer + maintainer + owner
  permission read_pipeline_schedule = reporter + developer + maintainer + owner
  permission update_pipeline_schedule = developer + maintainer + owner
  permission admin_pipeline_schedule = maintainer + owner
  permission play_pipeline_schedule = developer + maintainer + owner
  permission take_ownership_pipeline_schedule = developer + maintainer + owner
  permission read_pipeline_schedule_variables = developer + maintainer + owner
  permission read_ci_pipeline_schedules_plan_limit = reporter + developer + maintainer + owner

  // Commit status permissions
  permission create_commit_status = developer + maintainer + owner
  permission read_commit_status = reporter + developer + maintainer + owner
  permission update_commit_status = developer + maintainer + owner
  permission admin_commit_status = maintainer + owner

  // Issue permissions
  // Guests can create and read issues; modification starts at reporter;
  // `destroy_issue` and the iid/timestamp overrides (`set_issue_iid`,
  // `set_issue_created_at`, `set_issue_updated_at`) are owner-only.
  // `read_confidential_issues` excludes `guest`.
  permission create_issue = guest + reporter + developer + maintainer + owner
  permission read_issue = guest + reporter + developer + maintainer + owner
  permission update_issue = reporter + developer + maintainer + owner
  permission admin_issue = reporter + developer + maintainer + owner
  permission destroy_issue = owner
  permission reopen_issue = reporter + developer + maintainer + owner
  permission set_issue_iid = owner
  permission set_issue_created_at = owner
  permission set_issue_updated_at = owner
  permission set_issue_metadata = reporter + developer + maintainer + owner
  permission set_issue_crm_contacts = reporter + developer + maintainer + owner
  permission set_confidentiality = reporter + developer + maintainer + owner
  permission read_issue_iid = guest + reporter + developer + maintainer + owner
  permission create_incident = reporter + developer + maintainer + owner
  permission import_issues = developer + maintainer + owner
  permission export_work_items = reporter + developer + maintainer + owner
  permission import_work_items = developer + maintainer + owner
  permission clone_issue = reporter + developer + maintainer + owner
  permission move_issue = reporter + developer + maintainer + owner
  permission promote_to_epic = reporter + developer + maintainer + owner
  permission read_confidential_issues = reporter + developer + maintainer + owner
  permission mark_issue_for_publication = maintainer + owner

  // Work item permissions
  // Mirrors the issue split: guest+ create/read, reporter+ modify, owner-only
  // delete. Link/parent administration is maintainer+; key results and objectives
  // are developer+ to create while tasks are guest+.
  permission create_work_item = guest + reporter + developer + maintainer + owner
  permission read_work_item = guest + reporter + developer + maintainer + owner
  permission update_work_item = reporter + developer + maintainer + owner
  permission admin_work_item = reporter + developer + maintainer + owner
  permission delete_work_item = owner
  permission clone_work_item = reporter + developer + maintainer + owner
  permission move_work_item = reporter + developer + maintainer + owner
  permission set_work_item_metadata = reporter + developer + maintainer + owner
  permission admin_work_item_link = maintainer + owner
  permission admin_parent_link = maintainer + owner
  permission read_work_item_type = guest + reporter + developer + maintainer + owner
  permission read_work_item_status = guest + reporter + developer + maintainer + owner
  permission create_task = guest + reporter + developer + maintainer + owner
  permission create_key_result = developer + maintainer + owner
  permission create_objective = developer + maintainer + owner

  // Issue board permissions
  permission admin_issue_board = reporter + developer + maintainer + owner
  permission read_issue_board = guest + reporter + developer + maintainer + owner
  permission admin_issue_board_list = reporter + developer + maintainer + owner
  permission read_issue_board_list = guest + reporter + developer + maintainer + owner
  permission create_non_backlog_issues = reporter + developer + maintainer + owner

  // Issue link permissions
  permission admin_issue_link = reporter + developer + maintainer + owner
  permission read_issue_link = guest + reporter + developer + maintainer + owner
  permission admin_issue_relation = reporter + developer + maintainer + owner
  permission create_external_issue_link = developer + maintainer + owner

  // Merge request permissions
  // Approving is developer+ (`approve_merge_request`) while merging is
  // maintainer+ (`accept_merge_request`). Changes to approval rules are
  // maintainer+; changes to the approval *settings* (`admin_merge_request_approval_settings`,
  // `modify_approvers_rules`, author/committer settings, `manage_merge_request_settings`)
  // and `destroy_merge_request` are owner-only.
  permission create_merge_request_from = developer + maintainer + owner
  permission create_merge_request_in = developer + maintainer + owner
  permission read_merge_request = guest + reporter + developer + maintainer + owner
  permission update_merge_request = developer + maintainer + owner
  permission admin_merge_request = developer + maintainer + owner
  permission accept_merge_request = maintainer + owner
  permission approve_merge_request = developer + maintainer + owner
  permission destroy_merge_request = owner
  permission reopen_merge_request = developer + maintainer + owner
  permission read_merge_request_iid = guest + reporter + developer + maintainer + owner
  permission set_merge_request_metadata = developer + maintainer + owner
  permission create_merge_request_approval_rules = maintainer + owner
  permission update_approvers = maintainer + owner
  permission admin_merge_request_approval_settings = owner
  permission reset_merge_request_approvals = maintainer + owner
  permission modify_approvers_rules = owner
  permission modify_merge_request_author_setting = owner
  permission modify_merge_request_committer_setting = owner
  permission manage_merge_request_settings = owner
  permission read_approval_rule = reporter + developer + maintainer + owner
  permission update_approval_rule = maintainer + owner
  permission edit_approval_rule = maintainer + owner
  permission read_approvers = reporter + developer + maintainer + owner
  permission read_merge_request_closing_issue = guest + reporter + developer + maintainer + owner
  permission read_merge_train = reporter + developer + maintainer + owner
  permission read_merge_train_car = reporter + developer + maintainer + owner
  permission delete_merge_train_car = maintainer + owner

  // Design permissions
  // `create_design` is reporter+ but update/destroy/move are developer+.
  permission create_design = reporter + developer + maintainer + owner
  permission read_design = guest + reporter + developer + maintainer + owner
  permission update_design = developer + maintainer + owner
  permission destroy_design = developer + maintainer + owner
  permission move_design = developer + maintainer + owner
  permission read_design_activity = guest + reporter + developer + maintainer + owner

  // Container and package permissions
  // `ci_job_token` can read images (`read_container_image`, `build_read_container_image`)
  // but has no push/destroy entry here.
  permission read_container_image = reporter + developer + maintainer + owner + ci_job_token
  permission create_container_image = developer + maintainer + owner
  permission update_container_image = developer + maintainer + owner
  permission admin_container_image = maintainer + owner
  permission destroy_container_image = maintainer + owner
  permission destroy_container_image_tag = maintainer + owner
  // NOTE(review): same role-ladder gap as `build_download_code` — only `guest` and
  // `ci_job_token` are listed, so higher roles alone do not satisfy it; verify.
  permission build_read_container_image = guest + ci_job_token
  // NOTE(review): creating an immutable-tag protection rule is owner-only, but
  // destroying a protection tag rule is developer+. If both act on the same rule
  // type, a developer can remove a control only an owner can set — verify the
  // intended floor for destroy.
  permission create_container_registry_protection_immutable_tag_rule = owner
  permission destroy_container_registry_protection_tag_rule = developer + maintainer + owner
  permission enable_container_scanning_for_registry = owner
  permission read_package = reporter + developer + maintainer + owner
  permission create_package = developer + maintainer + owner
  permission destroy_package = maintainer + owner
  permission admin_package = maintainer + owner
  permission read_package_within_public_registries = guest + reporter + developer + maintainer + owner
  permission view_package_registry_project_settings = reporter + developer + maintainer + owner

  // Deploy token permissions
  // Every deploy-token operation, including reading existing tokens, is
  // maintainer+.
  permission create_deploy_token = maintainer + owner
  permission read_deploy_token = maintainer + owner
  permission destroy_deploy_token = maintainer + owner
  permission update_deploy_token = maintainer + owner
  permission manage_deploy_tokens = maintainer + owner

  // Environment and deployment permissions
  // `destroy_environment` and `stop_environment` are developer+ while
  // `admin_environment`, `approve_deployment` and `create_environment_terminal` are
  // maintainer+; `admin_protected_environments` is owner-only. Freeze periods are
  // readable at reporter+ and changed at maintainer+.
  permission create_environment = developer + maintainer + owner
  permission read_environment = reporter + developer + maintainer + owner
  permission update_environment = developer + maintainer + owner
  permission admin_environment = maintainer + owner
  permission destroy_environment = developer + maintainer + owner
  permission stop_environment = developer + maintainer + owner
  permission create_environment_terminal = maintainer + owner
  permission create_deployment = developer + maintainer + owner
  permission read_deployment = reporter + developer + maintainer + owner
  permission update_deployment = developer + maintainer + owner
  permission admin_deployment = maintainer + owner
  permission destroy_deployment = maintainer + owner
  permission approve_deployment = maintainer + owner
  permission admin_protected_environments = owner
  permission read_freeze_period = reporter + developer + maintainer + owner
  permission create_freeze_period = maintainer + owner
  permission update_freeze_period = maintainer + owner
  permission destroy_freeze_period = maintainer + owner

  // Feature flag permissions
  // `destroy_feature_flag` is developer+ although `admin_feature_flag` and the
  // client/user-list/issue-link administration entries are maintainer+.
  permission create_feature_flag = developer + maintainer + owner
  permission read_feature_flag = reporter + developer + maintainer + owner
  permission update_feature_flag = developer + maintainer + owner
  permission admin_feature_flag = maintainer + owner
  permission destroy_feature_flag = developer + maintainer + owner
  permission admin_feature_flags_client = maintainer + owner
  permission admin_feature_flags_user_lists = maintainer + owner
  permission admin_feature_flags_issue_links = maintainer + owner

  // Security and vulnerability permissions
  // Reading findings is reporter+; changing them (feedback, links, exports, state
  // transitions, AI resolution) is developer+. `admin_vulnerability` also inherits
  // `group->admin_vulnerability` (defined elsewhere).
  permission read_vulnerability = reporter + developer + maintainer + owner
  permission admin_vulnerability = developer + maintainer + owner + group->admin_vulnerability
  permission create_vulnerability_feedback = developer + maintainer + owner
  permission read_vulnerability_feedback = reporter + developer + maintainer + owner
  permission update_vulnerability_feedback = developer + maintainer + owner
  permission destroy_vulnerability_feedback = developer + maintainer + owner
  permission read_vulnerability_scanner = reporter + developer + maintainer + owner
  permission read_vulnerability_merge_request_link = reporter + developer + maintainer + owner
  permission admin_vulnerability_merge_request_link = developer + maintainer + owner
  permission admin_vulnerability_issue_link = developer + maintainer + owner
  permission admin_vulnerability_external_issue_link = developer + maintainer + owner
  permission create_vulnerability_export = developer + maintainer + owner
  permission read_vulnerability_export = developer + maintainer + owner
  permission create_vulnerability_archive_export = developer + maintainer + owner
  permission read_vulnerability_archive_export = developer + maintainer + owner
  permission create_vulnerability_state_transition = developer + maintainer + owner
  permission read_vulnerability_representation_information = reporter + developer + maintainer + owner
  permission resolve_vulnerability_with_ai = developer + maintainer + owner
  permission read_vulnerability_statistics = reporter + developer + maintainer + owner

  // Security scanning permissions
  // Policy and configuration changes (`update_security_orchestration_policy_project`,
  // `modify_security_policy`, `admin_security_testing`, `manage_security_settings`,
  // `manage_project_security_exclusions`, `enable_*`, `configure_*`) are owner-only.
  // Reads of configuration/policies/inventory/exclusions start at developer;
  // dashboards and `read_security_settings` at reporter; the two instance-dashboard
  // entries are owner-only.
  permission access_security_and_compliance = developer + maintainer + owner
  permission access_security_scans_api = developer + maintainer + owner
  permission read_security_dashboard = reporter + developer + maintainer + owner
  permission read_project_security_dashboard = reporter + developer + maintainer + owner
  permission add_project_to_instance_security_dashboard = owner
  permission read_instance_security_dashboard = owner
  permission read_security_configuration = developer + maintainer + owner
  permission read_security_orchestration_policies = developer + maintainer + owner
  permission read_security_orchestration_policy_project = developer + maintainer + owner
  permission update_security_orchestration_policy_project = owner
  permission modify_security_policy = owner
  permission admin_security_testing = owner
  permission manage_security_settings = owner
  permission read_security_settings = reporter + developer + maintainer + owner
  permission read_security_inventory = developer + maintainer + owner
  permission read_security_resource = developer + maintainer + owner
  permission read_project_security_exclusions = developer + maintainer + owner
  permission manage_project_security_exclusions = owner
  permission enable_continuous_vulnerability_scans = owner
  permission configure_secret_detection_validity_checks = owner
  permission read_secret_detection_validity_checks_status = developer + maintainer + owner
  permission read_secret_push_protection_info = developer + maintainer + owner
  permission enable_secret_push_protection = owner
  permission read_coverage_fuzzing = developer + maintainer + owner
  permission create_coverage_fuzzing_corpus = developer + maintainer + owner

  // Release permissions
  // Reads (including evidence) are guest+; create/update developer+; destroy
  // maintainer+.
  permission create_release = developer + maintainer + owner
  permission read_release = guest + reporter + developer + maintainer + owner
  permission update_release = developer + maintainer + owner
  permission destroy_release = maintainer + owner
  permission read_release_evidence = guest + reporter + developer + maintainer + owner

  // Runner permissions
  // `admin_runner` also inherits `group->admin_runner` (defined elsewhere).
  // Maintainers can create, assign and register runners and read/rotate the
  // registration token, but `update_runner`, `delete_runner`, `read_runner_usage`
  // and all cloud/GKE provisioning entries are owner-only.
  permission admin_runner = owner + group->admin_runner
  permission read_runner = reporter + developer + maintainer + owner
  permission update_runner = owner
  permission delete_runner = owner
  permission assign_runner = maintainer + owner
  permission create_runner = maintainer + owner
  permission register_project_runners = maintainer + owner
  permission admin_project_runners = maintainer + owner
  permission read_project_runners = reporter + developer + maintainer + owner
  // NOTE(review): maintainer+ here, but owner-only in the definition above this
  // one — confirm the different floor is intentional.
  permission read_runners_registration_token = maintainer + owner
  permission update_runners_registration_token = maintainer + owner
  permission read_runner_usage = owner
  permission read_runner_cloud_provisioning_info = owner
  permission read_runner_gke_provisioning_info = owner
  permission provision_cloud_runner = owner
  permission provision_gke_runner = owner

  // Pages permissions
  // Only `read_pages_content` (guest+) and `read_pages_deployments` (reporter+)
  // go below maintainer.
  permission admin_pages = maintainer + owner
  permission read_pages = maintainer + owner
  permission update_pages = maintainer + owner
  permission remove_pages = maintainer + owner
  permission read_pages_content = guest + reporter + developer + maintainer + owner
  permission read_pages_deployments = reporter + developer + maintainer + owner
  permission update_pages_deployments = maintainer + owner
  permission pages_multiple_versions = maintainer + owner

  // Terraform state permissions
  // NOTE(review): state is readable at developer+. Terraform state files commonly
  // embed provider credentials and resource secrets — confirm that floor is the
  // intended one rather than maintainer+.
  permission read_terraform_state = developer + maintainer + owner
  permission admin_terraform_state = maintainer + owner

  // Analytics permissions
  // All reads are reporter+; `admin_value_stream` is the only owner-only entry.
  permission read_analytics = reporter + developer + maintainer + owner
  permission read_insights = reporter + developer + maintainer + owner
  permission read_ci_cd_analytics = reporter + developer + maintainer + owner
  permission read_code_review_analytics = reporter + developer + maintainer + owner
  permission read_issue_analytics = reporter + developer + maintainer + owner
  permission read_project_merge_request_analytics = reporter + developer + maintainer + owner
  permission read_combined_project_analytics_dashboards = reporter + developer + maintainer + owner
  permission read_project_level_value_stream_dashboard_overview_counts = reporter + developer + maintainer + owner
  permission view_productivity_analytics = reporter + developer + maintainer + owner
  permission read_cycle_analytics = reporter + developer + maintainer + owner
  permission read_repository_graphs = reporter + developer + maintainer + owner
  permission read_statistics = reporter + developer + maintainer + owner
  permission daily_statistics = reporter + developer + maintainer + owner
  permission read_build_report_results = reporter + developer + maintainer + owner
  permission use_project_statistics_filters = reporter + developer + maintainer + owner
  permission admin_value_stream = owner

  // AI/Duo permissions
  // `access_duo_features` also inherits `group->access_duo_features` (defined
  // elsewhere); every other entry is developer+ except `read_ai_agents` (reporter+).
  permission access_duo_features = developer + maintainer + owner + group->access_duo_features
  permission access_duo_chat = developer + maintainer + owner
  permission access_ai_review_mr = developer + maintainer + owner
  permission access_duo_agentic_chat = developer + maintainer + owner
  permission access_duo_core_features = developer + maintainer + owner
  permission access_description_composer = developer + maintainer + owner
  permission access_summarize_new_merge_request = developer + maintainer + owner
  permission access_summarize_review = developer + maintainer + owner
  permission access_generate_commit_message = developer + maintainer + owner
  permission duo_workflow = developer + maintainer + owner
  permission trigger_amazon_q = developer + maintainer + owner
  permission generate_description = developer + maintainer + owner
  permission generate_cube_query = developer + maintainer + owner
  permission read_ai_agents = reporter + developer + maintainer + owner
  permission write_ai_agents = developer + maintainer + owner

  // Model registry permissions (ML)
  // Reads reporter+, writes developer+.
  permission read_model_experiments = reporter + developer + maintainer + owner
  permission write_model_experiments = developer + maintainer + owner
  permission read_model_registry = reporter + developer + maintainer + owner
  permission write_model_registry = developer + maintainer + owner

  // Observability permissions
  permission read_observability = reporter + developer + maintainer + owner
  permission write_observability = developer + maintainer + owner

  // Compliance permissions
  // `admin_compliance_framework` also inherits `group->admin_compliance_framework`
  // (defined elsewhere). The adherence/violations reports are developer+ while the
  // framework and dashboard reads are reporter+; `read_project_audit_events` is
  // owner-only.
  permission admin_compliance_framework = owner + group->admin_compliance_framework
  permission read_compliance_framework = reporter + developer + maintainer + owner
  permission read_compliance_dashboard = reporter + developer + maintainer + owner
  permission read_compliance_adherence_report = developer + maintainer + owner
  permission read_compliance_violations_report = developer + maintainer + owner
  permission read_project_audit_events = owner

  // Member and access permissions
  // Membership is managed at maintainer+ (admin/update/invite/import); removing
  // members and anything touching group links, group members or owner-level
  // access is owner-only. Access requests are readable/withdrawable at guest+.
  permission admin_project_member = maintainer + owner
  permission read_project_member = guest + reporter + developer + maintainer + owner
  permission update_project_member = maintainer + owner
  permission destroy_project_member = owner
  permission destroy_project_bot_member = owner
  permission invite_member = maintainer + owner
  permission invite_project_members = maintainer + owner
  permission import_project_members_from_another_project = maintainer + owner
  permission admin_member_access_request = maintainer + owner
  permission read_member_access_request = guest + reporter + developer + maintainer + owner
  permission withdraw_member_access_request = guest + reporter + developer + maintainer + owner
  permission override_group_member = owner
  permission destroy_group_member = owner
  permission destroy_project_group_link = owner
  permission manage_group_link_with_owner_access = owner
  permission read_shared_with_group = guest + reporter + developer + maintainer + owner

  // Note and comment permissions
  // NOTE(review): `update_note` is guest+. This definition carries no note-author
  // relation, so as written any guest may update any note in the project; confirm
  // authorship is enforced outside this schema. `admin_note` is maintainer+;
  // `read_internal_note` and `mark_note_as_internal` exclude `guest`.
  permission create_note = guest + reporter + developer + maintainer + owner
  permission read_note = guest + reporter + developer + maintainer + owner
  permission update_note = guest + reporter + developer + maintainer + owner
  permission admin_note = maintainer + owner
  permission resolve_note = developer + maintainer + owner
  permission reposition_note = developer + maintainer + owner
  permission mark_note_as_internal = reporter + developer + maintainer + owner
  permission set_note_created_at = owner
  permission read_internal_note = reporter + developer + maintainer + owner
  permission award_emoji = guest + reporter + developer + maintainer + owner
  permission summarize_comments = developer + maintainer + owner
  permission measure_comment_temperature = developer + maintainer + owner

  // Webhook permissions
  // Reading hook configuration is maintainer+; changing it is owner-only.
  permission admin_web_hook = owner
  permission read_web_hook = maintainer + owner

  // Upload permissions
  // Uploading and reading are guest+; deleting maintainer+; administration
  // owner-only.
  permission upload_file = guest + reporter + developer + maintainer + owner
  permission read_upload = guest + reporter + developer + maintainer + owner
  permission destroy_upload = maintainer + owner
  permission admin_upload = owner

  // Project settings permissions
  // Cloud, secrets-manager and artifact-registry administration, push-rule
  // changes and the commit-check toggles are owner-only; the matching `read_*`
  // entries are reporter+.
  permission admin_project_aws = owner
  permission admin_project_google_cloud = owner
  permission admin_project_secrets_manager = owner
  permission admin_google_cloud_artifact_registry = owner
  permission read_google_cloud_artifact_registry = reporter + developer + maintainer + owner
  permission update_max_artifacts_size = owner
  // NOTE(review): duplicate of the `set_pipeline_variables` declared under
  // "CI/CD permissions" in this same definition. A definition cannot declare the
  // same permission name twice — remove one of the two.
  permission set_pipeline_variables = developer + maintainer + owner
  permission change_commit_committer_check = owner
  permission change_commit_committer_name_check = owner
  permission read_commit_committer_check = reporter + developer + maintainer + owner
  permission read_commit_committer_name_check = reporter + developer + maintainer + owner
  permission change_push_rules = owner
  permission admin_push_rules = owner
  permission change_reject_unsigned_commits = owner
  permission change_reject_non_dco_commits = owner
  permission read_reject_unsigned_commits = reporter + developer + maintainer + owner
  permission read_reject_non_dco_commits = reporter + developer + maintainer + owner

  // Integration permissions
  // `admin_integrations`, `admin_operations` and `admin_sentry` are maintainer+;
  // `create_jira_connect_subscription` is the one owner-only entry.
  permission admin_integrations = maintainer + owner
  permission create_jira_connect_subscription = owner
  permission admin_operations = maintainer + owner
  permission admin_sentry = maintainer + owner
  permission read_sentry_issue = reporter + developer + maintainer + owner
  permission update_sentry_issue = developer + maintainer + owner

  // Misc permissions
  // Role ladder used throughout: guest < reporter < developer < maintainer < owner.
  // Each line lists every role that holds the permission explicitly; there is no
  // implicit inheritance between roles, so a role omitted from a line is denied.
  permission add_catalog_resource = owner
  permission publish_catalog_version = developer + maintainer + owner
  permission read_namespace_catalog = guest + reporter + developer + maintainer + owner
  permission create_project = developer + maintainer + owner
  // Only the guest role can request access; no other role is listed here.
  permission request_access = guest
  permission read_project_metadata = guest + reporter + developer + maintainer + owner
  permission view_edit_page = developer + maintainer + owner
  permission metrics_dashboard = reporter + developer + maintainer + owner
  permission read_operations_dashboard = owner
  // NOTE(review): the name `use_k` looks truncated — confirm it matches the
  // permission name the application actually checks.
  permission use_k = developer + maintainer + owner
  permission use_quick_actions = guest + reporter + developer + maintainer + owner
  permission use_slash_commands = guest + reporter + developer + maintainer + owner
  // Reporters may record time; only owners administer timelogs.
  permission create_timelog = reporter + developer + maintainer + owner
  permission admin_timelog = owner
  permission read_timelog_category = guest + reporter + developer + maintainer + owner
  permission create_todo = guest + reporter + developer + maintainer + owner
  permission update_todo = guest + reporter + developer + maintainer + owner
  permission read_todo = guest + reporter + developer + maintainer + owner
  permission update_subscription = guest + reporter + developer + maintainer + owner
  permission delete_project_subscription = owner
  permission report_spam = guest + reporter + developer + maintainer + owner
  permission read_issuable = guest + reporter + developer + maintainer + owner
  permission read_issuable_participables = guest + reporter + developer + maintainer + owner
  permission read_issuable_resource_link = guest + reporter + developer + maintainer + owner
  permission admin_issuable_resource_link = developer + maintainer + owner
  // Metric images: reporters read, developers and above mutate.
  permission read_issuable_metric_image = reporter + developer + maintainer + owner
  permission update_issuable_metric_image = developer + maintainer + owner
  permission upload_issuable_metric_image = developer + maintainer + owner
  permission destroy_issuable_metric_image = developer + maintainer + owner
  permission read_incident_management_timeline_event = reporter + developer + maintainer + owner
  permission admin_incident_management_timeline_event = developer + maintainer + owner
  permission edit_incident_management_timeline_event = developer + maintainer + owner
  permission read_incident_management_timeline_event_tag = reporter + developer + maintainer + owner
  // Escalation policies, on-call schedules and event tags are maintainer-administered,
  // one step above the developer level used for individual timeline events.
  permission admin_incident_management_timeline_event_tag = maintainer + owner
  permission read_incident_management_escalation_policy = reporter + developer + maintainer + owner
  permission admin_incident_management_escalation_policy = maintainer + owner
  permission read_incident_management_oncall_schedule = reporter + developer + maintainer + owner
  permission admin_incident_management_oncall_schedule = maintainer + owner
  permission update_escalation_status = developer + maintainer + owner
  permission read_alert_management_alert = reporter + developer + maintainer + owner
  permission update_alert_management_alert = developer + maintainer + owner
  permission read_alert_management_metric_image = reporter + developer + maintainer + owner
  permission update_alert_management_metric_image = developer + maintainer + owner
  permission upload_alert_management_metric_image = developer + maintainer + owner
  permission destroy_alert_management_metric_image = developer + maintainer + owner
  permission publish_status_page = developer + maintainer + owner
  permission rollover_issues = owner

  // Resource access token permissions
  // Maintainers can see which tokens exist; minting, revoking and the setting
  // that allows creation at all are restricted to owners.
  permission read_resource_access_tokens = maintainer + owner
  permission create_resource_access_tokens = owner
  permission destroy_resource_access_tokens = owner
  permission manage_resource_access_tokens = owner
  permission admin_setting_to_allow_resource_access_token_creation = owner

  // Path lock permissions
  permission create_path_lock = developer + maintainer + owner
  permission read_path_locks = guest + reporter + developer + maintainer + owner
  permission admin_path_locks = maintainer + owner
  // NOTE(review): destroy is granted at developer level, one step below admin.
  // Nothing in this schema ties a lock to its creator, so whether a developer
  // may remove another user's lock must be enforced by the application — confirm.
  permission destroy_path_lock = developer + maintainer + owner

  // On-demand DAST scan permissions
  // All three are developer-level; there is no separate read-only tier.
  permission create_on_demand_dast_scan = developer + maintainer + owner
  permission read_on_demand_dast_scan = developer + maintainer + owner
  permission edit_on_demand_dast_scan = developer + maintainer + owner

  // Requirement permissions
  // Reporters create/read/update/export; bulk import needs developer;
  // admin and destroy need maintainer.
  permission create_requirement = reporter + developer + maintainer + owner
  permission read_requirement = reporter + developer + maintainer + owner
  permission update_requirement = reporter + developer + maintainer + owner
  permission admin_requirement = maintainer + owner
  permission destroy_requirement = maintainer + owner
  permission import_requirements = developer + maintainer + owner
  permission export_requirements = reporter + developer + maintainer + owner
  permission create_requirement_test_report = reporter + developer + maintainer + owner

  // Test case permissions
  // Reporter level, matching create_requirement above.
  permission create_test_case = reporter + developer + maintainer + owner

  // Secure file permissions
  // NOTE(review): read access is granted to every developer. If secure files
  // hold credentials (the name suggests so), this is the widest audience that
  // can retrieve their contents — confirm that is acceptable.
  permission read_secure_files = developer + maintainer + owner
  permission admin_secure_files = maintainer + owner

  // License policy permissions
  // Canonical declaration of these two names; they must not be declared again
  // elsewhere in this definition.
  permission read_software_license_policy = reporter + developer + maintainer + owner
  permission admin_software_license_policy = maintainer + owner

  // Mirror permissions
  // Owner-only: mirror configuration is where remote repository credentials live.
  permission admin_mirror = owner
  permission admin_remote_mirror = owner

  // Trigger permissions
  // Owner-only; pipeline triggers carry tokens that can start jobs.
  permission admin_trigger = owner
  permission manage_trigger = owner

  // Cluster permissions
  // Reporters read; maintainers add/create/update; only owners hold admin_cluster.
  permission read_cluster = reporter + developer + maintainer + owner
  permission add_cluster = maintainer + owner
  permission create_cluster = maintainer + owner
  permission update_cluster = maintainer + owner
  permission admin_cluster = owner
  permission read_cluster_agent = reporter + developer + maintainer + owner
  permission read_cluster_environments = reporter + developer + maintainer + owner

  // Prometheus and monitoring permissions
  permission read_prometheus = reporter + developer + maintainer + owner
  permission read_grafana = reporter + developer + maintainer + owner
  // Pod logs are one step stricter than metrics (developer rather than reporter);
  // logs commonly contain data the dashboards do not.
  permission read_pod_logs = developer + maintainer + owner

  // Harbor registry permissions
  // Read-only; no write/admin permission for Harbor is declared here.
  permission read_harbor_registry = reporter + developer + maintainer + owner

  // Build service proxy permissions
  // Developer level for both the feature toggle check and proxy creation.
  permission build_service_proxy_enabled = developer + maintainer + owner
  permission create_build_service_proxy = developer + maintainer + owner

  // Web IDE permissions
  // Any developer may open an interactive terminal; read and update share the
  // same tier, so there is no read-only observer role for terminals.
  permission create_web_ide_terminal = developer + maintainer + owner
  permission read_web_ide_terminal = developer + maintainer + owner
  permission update_web_ide_terminal = developer + maintainer + owner

  // Resource group permissions
  permission read_resource_group = reporter + developer + maintainer + owner
  permission update_resource_group = developer + maintainer + owner

  // Deploy board permissions
  permission read_deploy_board = reporter + developer + maintainer + owner

  // External email permissions
  // NOTE(review): external e-mail addresses are personal data; this exposes
  // them from the reporter role upward — confirm that scope is intended.
  permission read_external_emails = reporter + developer + maintainer + owner

  // Import/Export permissions
  // Import errors may echo source-system detail, hence owner-only.
  permission read_import_error = owner
  permission export_work_items = reporter + developer + maintainer + owner
  permission import_work_items = developer + maintainer + owner

  // Saved replies permissions
  // Everyone can read; developers and above create/update/destroy.
  permission create_saved_replies = developer + maintainer + owner
  permission read_saved_replies = guest + reporter + developer + maintainer + owner
  permission update_saved_replies = developer + maintainer + owner
  permission destroy_saved_replies = developer + maintainer + owner

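  // Other permissions
  //
  // Fix: this section previously re-declared ten names that are already declared
  // earlier in the same definition (receive_notifications, access_x_ray_on_instance,
  // update_deploy_key, update_deploy_key_title, update_deploy_keys_project,
  // edit_billing, update_escalation_status, edit_on_demand_dast_scan,
  // admin_software_license_policy, read_software_license_policy). SpiceDB rejects
  // a definition that declares the same relation/permission name twice, so the
  // schema would not compile. Every removed line was identical to its earlier
  // declaration, so the resulting permission set is unchanged.
  //
  // NOTE(review): a large number of instance-scope capabilities (access_admin_area,
  // read_admin_users, create_instance_runner, destroy_user, disable_two_factor,
  // read_token / rotate_token / revoke_token, create_user_personal_access_token,
  // read_geo_*, destroy_licenses, ...) are granted to `owner` of this resource.
  // This definition's roles (guest..owner) are project/group-style roles, so unless
  // `owner` here is understood to mean an instance administrator, any resource
  // owner would satisfy these checks. Confirm how the application binds `owner`
  // before relying on any of the owner-only lines below for admin-area gating.
  permission cache_blob = guest + reporter + developer + maintainer + owner
  permission read_blob = guest + reporter + developer + maintainer + owner
  permission read_commit = guest + reporter + developer + maintainer + owner
  permission read_build_trace = developer + maintainer + owner
  permission read_build_metadata = developer + maintainer + owner
  // NOTE(review): what `jailbreak` gates is not visible in this schema; it is
  // owner-only here and is also re-exported from ci_job — confirm its meaning.
  permission jailbreak = owner
  // The only permission that names `ci_job_token` directly: a CI job token can
  // pull container images on the same footing as a guest.
  permission build_read_container_image = guest + ci_job_token
  permission apply_suggestion = developer + maintainer + owner
  permission read_project_subscription = guest + reporter + developer + maintainer + owner
  permission read_storage_disk_path = owner
  permission read_dora = reporter + developer + maintainer + owner
  permission read_product_analytics = reporter + developer + maintainer + owner
  permission modify_product_analytics_settings = owner
  permission read_counts = reporter + developer + maintainer + owner
  permission read_dependency = guest + reporter + developer + maintainer + owner
  permission read_lifecycle = reporter + developer + maintainer + owner
  permission read_usage_quotas = owner
  permission read_limit_alert = owner
  permission read_licenses = owner
  permission read_scan = developer + maintainer + owner
  permission read_event = guest + reporter + developer + maintainer + owner
  permission read_parent = guest + reporter + developer + maintainer + owner
  permission read_namespace = guest + reporter + developer + maintainer + owner
  permission read_namespace_via_membership = guest + reporter + developer + maintainer + owner
  permission read_nested_project_resources = guest + reporter + developer + maintainer + owner
  permission view_globally = guest + reporter + developer + maintainer + owner
  permission receive_notifications = guest + reporter + developer + maintainer + owner
  permission read_enterprise_ai_analytics = reporter + developer + maintainer + owner
  permission read_pro_ai_analytics = reporter + developer + maintainer + owner
  permission read_component = guest + reporter + developer + maintainer + owner
  permission read_component_version = guest + reporter + developer + maintainer + owner
  permission read_application_setting = owner
  permission read_resource_state_event = guest + reporter + developer + maintainer + owner
  permission read_resource_weight_event = guest + reporter + developer + maintainer + owner
  permission read_resource_iteration_event = guest + reporter + developer + maintainer + owner
  permission read_resource_milestone_event = guest + reporter + developer + maintainer + owner
  permission read_resource_label_event = guest + reporter + developer + maintainer + owner
  // Deploy keys: maintainer level for read and all update variants.
  permission read_deploy_key = maintainer + owner
  permission update_deploy_key = maintainer + owner
  permission update_deploy_key_title = maintainer + owner
  permission update_deploy_keys_project = maintainer + owner
  permission read_custom_emoji = guest + reporter + developer + maintainer + owner
  permission create_custom_emoji = developer + maintainer + owner
  permission delete_custom_emoji = owner
  permission read_external_status_check = reporter + developer + maintainer + owner
  permission read_external_status_check_response = developer + maintainer + owner
  permission provide_status_check_response = developer + maintainer + owner
  permission retry_failed_status_checks = developer + maintainer + owner
  permission read_jobs_statistics = reporter + developer + maintainer + owner
  permission read_finding_token_status = developer + maintainer + owner
  permission read_ci_minutes_limited_summary = reporter + developer + maintainer + owner
  permission admin_ci_minutes = owner
  permission create_build_terminal = developer + maintainer + owner
  permission read_builds = reporter + developer + maintainer + owner
  permission read_user_achievement = guest + reporter + developer + maintainer + owner
  permission destroy_user_achievement = owner
  permission read_abuse_report = owner
  permission read_emoji = guest + reporter + developer + maintainer + owner
  permission read_dependency_list_export = developer + maintainer + owner
  // Workspaces: developer level across the board; read_all_workspaces is owner-only.
  permission create_workspace = developer + maintainer + owner
  permission read_workspace = developer + maintainer + owner
  permission update_workspace = developer + maintainer + owner
  permission read_workspace_variable = developer + maintainer + owner
  permission read_workspaces_agent_config = developer + maintainer + owner
  permission access_workspaces_feature = developer + maintainer + owner
  permission modify_value_stream_dashboard_settings = owner
  permission read_achievement = guest + reporter + developer + maintainer + owner
  permission award_achievement = owner
  permission admin_achievement = owner
  permission read_all_workspaces = owner
  // CRM: reporters may administer contacts and organizations, not just read them.
  permission read_crm_contact = reporter + developer + maintainer + owner
  permission read_crm_contacts = reporter + developer + maintainer + owner
  permission set_issue_crm_contacts = reporter + developer + maintainer + owner
  permission admin_crm_contact = reporter + developer + maintainer + owner
  permission read_crm_organization = reporter + developer + maintainer + owner
  permission admin_crm_organization = reporter + developer + maintainer + owner
  permission read_custom_field = guest + reporter + developer + maintainer + owner
  permission admin_custom_field = owner
  // Confidential epics are hidden from guests; epic iids and relations are not.
  permission read_confidential_epic = reporter + developer + maintainer + owner
  permission read_epic_iid = guest + reporter + developer + maintainer + owner
  permission read_epic_relation = guest + reporter + developer + maintainer + owner
  permission read_epic_link_relation = guest + reporter + developer + maintainer + owner
  permission admin_epic_relation = developer + maintainer + owner
  permission admin_epic_link_relation = developer + maintainer + owner
  permission admin_epic_tree_relation = developer + maintainer + owner
  permission read_duo_workflow_event = developer + maintainer + owner
  permission read_geo_node = owner
  permission read_geo_registry = owner
  permission read_all_geo = owner
  permission read_virtual_registry = guest + reporter + developer + maintainer + owner
  permission read_application_statistics = owner
  permission read_instance_metadata = owner
  permission read_cloud_connector_status = owner
  permission read_usage_trends_measurement = owner
  // Billing and seats: owner-only.
  permission read_billable_member = owner
  permission read_billing = owner
  permission edit_billing = owner
  permission start_trial = owner
  permission read_licensed_seat = owner
  permission admin_licensed_seat = owner
  permission read_member_role = guest + reporter + developer + maintainer + owner
  permission admin_member_role = owner
  permission view_member_roles = guest + reporter + developer + maintainer + owner
  permission link = guest + reporter + developer + maintainer + owner
  permission unlink = guest + reporter + developer + maintainer + owner
  permission sign_in_with_saml_provider = guest + reporter + developer + maintainer + owner
  permission read_saml_user = owner
  permission read_group_saml_identity = owner
  permission log_in = guest + reporter + developer + maintainer + owner
  permission accept_terms = guest + reporter + developer + maintainer + owner
  permission decline_terms = guest + reporter + developer + maintainer + owner
  permission access_admin_area = owner
  permission access_api = guest + reporter + developer + maintainer + owner
  permission access_git = guest + reporter + developer + maintainer + owner
  permission access_x_ray_on_instance = owner
  permission access_advanced_vulnerability_management = developer + maintainer + owner
  permission access_code_suggestions = developer + maintainer + owner
  permission access_glab_ask_git_command = developer + maintainer + owner
  permission execute_graphql_mutation = guest + reporter + developer + maintainer + owner
  // User-administration actions: owner-only (see the NOTE at the top of this section).
  permission approve_user = owner
  permission reject_user = owner
  permission block_pipl_user = owner
  permission delete_pipl_user = owner
  permission view_instance_devops_adoption = owner
  permission manage_devops_adoption_namespaces = owner
  permission read_admin_role = owner
  permission create_admin_role = owner
  permission update_admin_role = owner
  permission delete_admin_role = owner
  permission destroy_licenses = owner
  permission export_user_permissions = owner
  permission manage_subscription = owner
  permission manage_duo_core_settings = owner
  permission read_duo_core_settings = owner
  permission manage_self_hosted_models_settings = owner
  permission read_self_hosted_models_settings = owner
  permission manage_ldap_admin_links = owner
  permission read_runner_upgrade_status = owner
  permission read_custom_attribute = owner
  permission update_custom_attribute = owner
  permission read_users_list = owner
  permission read_admin_users = owner
  permission read_admin_subscription = owner
  permission read_admin_system_information = owner
  permission read_admin_health_check = owner
  permission read_admin_background_jobs = owner
  permission read_admin_background_migrations = owner
  permission read_admin_cicd = owner
  permission read_admin_gitaly_servers = owner
  permission read_admin_metrics_dashboard = owner
  permission create_instance_runner = owner
  permission update_max_pages_size = owner
  permission delete_merge_train_car = maintainer + owner
  permission provision_cloud_runner = owner
  permission provision_gke_runner = owner
  permission list_subgroup_epics = reporter + developer + maintainer + owner
  permission get_user_associations_count = guest + reporter + developer + maintainer + owner
  permission make_profile_private = guest + reporter + developer + maintainer + owner
  permission disable_two_factor = owner
  permission delete_conversation_thread = owner
  permission audit_event_definitions = owner
  permission delete_tag = maintainer + owner
  permission update_deploy_token = maintainer + owner
  permission create_virtual_registry = owner
  permission update_virtual_registry = owner
  permission destroy_virtual_registry = owner
  permission admin_dependency_proxy_packages_settings = owner
  permission execute_duo_workflow_in_ci = developer + maintainer + owner
  permission link_forked_project = developer + maintainer + owner
  // Token handling: owner-only, including reading and minting other users' PATs.
  permission read_runner_manager = owner
  permission read_ephemeral_token = owner
  permission rotate_token = owner
  permission revoke_token = owner
  permission read_token = owner
  permission read_user_personal_access_tokens = owner
  permission create_user_personal_access_token = owner
  permission admin_user_email_address = owner
  permission read_user_email_address = owner
  permission read_user_groups = guest + reporter + developer + maintainer + owner
  permission read_user_membership_counts = guest + reporter + developer + maintainer + owner
  permission read_user_organizations = guest + reporter + developer + maintainer + owner
  permission read_user_preference = guest + reporter + developer + maintainer + owner
  permission read_user_profile = guest + reporter + developer + maintainer + owner
  permission update_name = guest + reporter + developer + maintainer + owner
  permission update_user = owner
  permission update_user_status = guest + reporter + developer + maintainer + owner
  permission destroy_user = owner
  permission update_user_achievement = owner
  permission update_owned_user_achievement = owner
  permission read_usage = owner
  permission view_type_of_work_charts = reporter + developer + maintainer + owner
  permission admin_import_source_user = owner
  permission create_group_with_default_branch_protection = owner
  permission create_group_via_api = owner
  permission view_package_registry_project_settings = reporter + developer + maintainer + owner
  permission admin_group_model_selection = owner
  permission edit_group_approval_rule = owner
  permission edit_approval_rule = maintainer + owner
  permission bulk_admin_epic = owner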
}

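// User resource.
//
// Fix: every permission below that names `user` referred to a relation that was
// never declared, and SpiceDB only resolves identifiers in a permission
// expression against relations/permissions of the same definition, so this
// block did not compile. The relation is added here under the same name the
// `build` definition uses for its user relation. The application must write a
// self tuple (`user:<id>#user@user:<id>`) for every account, otherwise none of
// the `user`-based permissions ever resolve to true.
definition user {
  // The account itself (self tuple, see above).
  relation user: user
  relation organization_member: organization
  relation organization_owner: organization

  // NOTE(review): organization_owner can disable 2FA, destroy the user and
  // change e-mail addresses; these are account-takeover-grade powers, so confirm
  // they are meant for organization owners rather than instance admins only.
  permission admin_user = user + organization_owner
  permission create_user_personal_access_token = user
  permission manage_user_personal_access_token = user
  permission read_user = user + organization_member + organization_owner
  
  // Additional user permissions
  permission read_user_profile = user
  permission read_user_preference = user
  permission read_user_email_address = user
  permission admin_user_email_address = user + organization_owner
  permission read_user_groups = user
  permission read_user_organizations = user
  permission read_user_membership_counts = user
  permission read_user_personal_access_tokens = user
  permission update_user = user
  permission update_user_status = user
  permission update_name = user
  permission destroy_user = user + organization_owner
  permission disable_two_factor = user + organization_owner
  permission make_profile_private = user
  permission get_user_associations_count = user
  permission create_saved_replies = user
  permission read_saved_replies = user
  permission update_saved_replies = user
  permission destroy_saved_replies = user
  permission create_snippet = user
  permission read_user_achievement = user
  permission update_user_achievement = user + organization_owner
  permission update_owned_user_achievement = user
  permission destroy_user_achievement = user + organization_owner
  // Session / API entry points: held by the account itself only.
  permission receive_notifications = user
  permission log_in = user
  permission access_api = user
  permission access_git = user
  permission execute_graphql_mutation = user
  permission use_quick_actions = user
  permission use_slash_commands = user
  permission request_access = user
  // The only permission here that the account itself does not hold.
  permission export_user_permissions = organization_owner
}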

// Wiki resource
// Wiki page: every right is delegated to the owning project or group.
// `author` is recorded but grants nothing in this definition.
definition wiki_page {
  relation author: user
  relation group: group
  relation project: project

  permission read_wiki_page = group->read_wiki + project->read_wiki
  permission read_note = group->read_note + project->read_note
  permission create_note = group->create_note + project->create_note
  // NOTE(review): unlike issue and merge_request, subscription here keys off the
  // parent's `guest_access` rather than its `update_subscription` permission.
  permission update_subscription = group->guest_access + project->guest_access
}

// Snippet resource
// Snippet: the author keeps read/update/admin on their own snippet; a project
// snippet additionally inherits the project's role grants.
definition snippet {
  relation author: user
  relation namespace: user
  relation project: project

  permission read_snippet = project->read_snippet + author
  permission update_snippet = project->update_snippet + author
  permission admin_snippet = project->admin_snippet + author
  permission cache_blob = project->guest_access + author
  permission create_note = project->create_note + author
  // NOTE(review): read_note and award_emoji do not include `author`, so the
  // author of a snippet with no project can create notes they cannot read
  // back — confirm that asymmetry is intended.
  permission read_note = project->read_note
  permission award_emoji = project->guest_access
  // `namespace` is declared but referenced by no permission here.
}

// Milestone resource
// Milestone: purely delegated to the owning group or project.
definition milestone {
  relation group: group
  relation project: project

  permission read_milestone = group->read_milestone + project->read_milestone
  permission read_resource_milestone_event = group->read_resource_milestone_event + project->read_resource_milestone_event
  permission admin_milestone = group->admin_milestone + project->admin_milestone
}

// Label resource
// Label: purely delegated to the owning group or project.
definition label {
  relation group: group
  relation project: project

  permission read_label = group->read_label + project->read_label
  permission read_resource_label_event = group->read_resource_label_event + project->read_resource_label_event
  permission admin_label = group->admin_label + project->admin_label
}

// Tag resource
// Git tag: delegated to the project. `creator` is recorded but grants nothing,
// so a tag's creator cannot delete it unless the project role allows.
definition tag {
  relation creator: user
  relation project: project

  permission admin_tag = project->admin_tag
  permission delete_tag = project->delete_tag
}

// Branch resource
// Branch rules: all four CRUD rights come from the project.
definition branch {
  relation project: project

  permission read_branch_rule = project->read_branch_rule
  permission create_branch_rule = project->create_branch_rule
  permission update_branch_rule = project->update_branch_rule
  permission destroy_branch_rule = project->destroy_branch_rule
}

// Protected branch resource
// Protected branch: CRUD plus admin, all delegated to the project.
definition protected_branch {
  relation project: project

  permission read_protected_branch = project->read_protected_branch
  permission create_protected_branch = project->create_protected_branch
  permission update_protected_branch = project->update_protected_branch
  permission destroy_protected_branch = project->destroy_protected_branch
  permission admin_protected_branch = project->admin_protected_branch
}

// Protected tag resource
// Protected tag: CRUD plus manage, all delegated to the project.
// Names are plural (`_tags`) here, singular on protected_branch; keep both as-is
// because callers check them by name.
definition protected_tag {
  relation project: project

  permission read_protected_tags = project->read_protected_tags
  permission create_protected_tags = project->create_protected_tags
  permission update_protected_tags = project->update_protected_tags
  permission destroy_protected_tags = project->destroy_protected_tags
  permission manage_protected_tags = project->manage_protected_tags
}

// Pipeline schedule resource
// Pipeline schedule: the schedule's owner can update and play it regardless of
// project role; reading, admin, taking ownership and reading variables are
// project-role decisions only.
definition pipeline_schedule {
  relation owner: user
  relation project: project

  permission read_pipeline_schedule = project->read_pipeline_schedule
  permission read_pipeline_schedule_variables = project->read_pipeline_schedule_variables
  permission update_pipeline_schedule = project->update_pipeline_schedule + owner
  permission play_pipeline_schedule = project->play_pipeline_schedule + owner
  permission admin_pipeline_schedule = project->admin_pipeline_schedule
  permission take_ownership_pipeline_schedule = project->take_ownership_pipeline_schedule
}

// Feature flag resource
// Feature flag: every right is delegated to the project.
definition feature_flag {
  relation project: project

  permission read_feature_flag = project->read_feature_flag
  permission create_feature_flag = project->create_feature_flag
  permission update_feature_flag = project->update_feature_flag
  permission destroy_feature_flag = project->destroy_feature_flag
  permission admin_feature_flag = project->admin_feature_flag
  // Sub-objects of a flag (client tokens, user lists, issue links).
  permission admin_feature_flags_client = project->admin_feature_flags_client
  permission admin_feature_flags_user_lists = project->admin_feature_flags_user_lists
  permission admin_feature_flags_issue_links = project->admin_feature_flags_issue_links
}

// Alert management resource
// Alert-management alert: delegated to the project.
definition alert {
  relation project: project

  permission read_alert_management_alert = project->read_alert_management_alert
  permission update_alert_management_alert = project->update_alert_management_alert
  // Metric images attached to the alert.
  permission read_alert_management_metric_image = project->read_alert_management_metric_image
  permission upload_alert_management_metric_image = project->upload_alert_management_metric_image
  permission update_alert_management_metric_image = project->update_alert_management_metric_image
  permission destroy_alert_management_metric_image = project->destroy_alert_management_metric_image
}

// Incident management resource
// Incident: timeline events, tags, escalation policies and on-call schedules,
// each delegated to the like-named project permission.
definition incident {
  relation project: project

  // Timeline events and their tags.
  permission read_incident_management_timeline_event = project->read_incident_management_timeline_event
  permission edit_incident_management_timeline_event = project->edit_incident_management_timeline_event
  permission admin_incident_management_timeline_event = project->admin_incident_management_timeline_event
  permission read_incident_management_timeline_event_tag = project->read_incident_management_timeline_event_tag
  permission admin_incident_management_timeline_event_tag = project->admin_incident_management_timeline_event_tag
  // Escalation and on-call.
  permission read_incident_management_escalation_policy = project->read_incident_management_escalation_policy
  permission admin_incident_management_escalation_policy = project->admin_incident_management_escalation_policy
  permission read_incident_management_oncall_schedule = project->read_incident_management_oncall_schedule
  permission admin_incident_management_oncall_schedule = project->admin_incident_management_oncall_schedule
  permission update_escalation_status = project->update_escalation_status
}

// On-demand DAST scan resource
// On-demand DAST scan: delegated to the project.
definition on_demand_dast_scan {
  relation project: project

  permission read_on_demand_dast_scan = project->read_on_demand_dast_scan
  permission create_on_demand_dast_scan = project->create_on_demand_dast_scan
  permission edit_on_demand_dast_scan = project->edit_on_demand_dast_scan
}

// Requirement resource
// Requirement: CRUD plus admin, delegated to the project.
definition requirement {
  relation project: project

  permission read_requirement = project->read_requirement
  permission create_requirement = project->create_requirement
  permission update_requirement = project->update_requirement
  permission destroy_requirement = project->destroy_requirement
  permission admin_requirement = project->admin_requirement
}

// Build resource
// Build (CI job as a resource). Everything is delegated to the project except
// cancel_build, which the build's own `user` may also do. `pipeline` is declared
// but referenced by no permission here.
definition build {
  relation pipeline: pipeline
  relation project: project
  relation user: user

  // Read side.
  permission read_build = project->read_build
  permission read_build_metadata = project->read_build_metadata
  permission read_build_trace = project->read_build_trace
  permission read_job_artifacts = project->read_job_artifacts
  // Write side.
  permission update_build = project->update_build
  permission cancel_build = project->cancel_build + user
  permission erase_build = project->erase_build
  permission play_job = project->play_job
  permission update_commit_status = project->update_commit_status
  // Interactive access to the running job.
  permission create_build_terminal = project->create_build_terminal
  permission read_web_ide_terminal = project->read_web_ide_terminal
  permission update_web_ide_terminal = project->update_web_ide_terminal
  permission create_build_service_proxy = project->create_build_service_proxy
}

// CI job resource (enhanced)
// CI job (enhanced). `pipeline` and `runner` are declared but referenced by no
// permission here; every grant is delegated to the project.
definition ci_job {
  relation pipeline: pipeline
  relation project: project
  relation runner: runner

  // Note the name mapping: create_build on a job is the project's create_pipeline.
  permission create_build = project->create_pipeline
  permission read_project = project->read_project
  permission read_build = project->read_build
  permission download_code = project->download_code
  permission read_container_image = project->read_container_image
  permission read_ci_minutes_limited_summary = project->read_ci_minutes_limited_summary
  // NOTE(review): re-exports the project's owner-only `jailbreak`; its meaning
  // is not visible in this schema — confirm before widening either side.
  permission jailbreak = project->jailbreak
}

// Pipeline resource (enhanced)
// Pipeline (enhanced). Visibility follows project visibility; the author can
// cancel/update their own pipeline, and a CI job bound via `ci_job_token` may
// update the pipeline it belongs to.
definition pipeline {
  relation author: user
  relation ci_job_token: ci_job
  relation project: project

  permission read_pipeline = project->read_project
  permission read_pipeline_metadata = project->read_pipeline_metadata
  permission read_pipeline_variable = project->read_pipeline_variable
  permission cancel_pipeline = author + project->developer
  permission update_pipeline = author + ci_job_token + project->developer
  permission admin_pipeline = project->admin_pipeline
  permission destroy_pipeline = project->destroy_pipeline
}

// Runner resource (enhanced)
// Runner (enhanced): a runner may be attached at project, group or organization
// scope and inherits admin rights from whichever parents it has. `instance` is
// declared but referenced by no permission here.
definition runner {
  relation group: group
  relation instance: organization
  relation organization: organization
  relation project: project

  permission read_runner = organization->read + group->read + project->read_project
  permission read_builds = organization->admin + group->developer + project->read_build
  // NOTE(review): admin_runner reaches the organization through
  // `admin_organization`, while update/delete/read_ephemeral_token use `admin`.
  // If those are different permissions on `organization`, the admin set differs
  // between them — confirm which one is intended and align.
  permission admin_runner = organization->admin_organization + group->admin_runner + project->admin_runner
  permission update_runner = organization->admin + group->admin_runner + project->admin_runner
  permission delete_runner = organization->admin + group->admin_runner + project->admin_runner
  permission assign_runner = organization->admin + group->maintainer + project->maintainer
  // Registration/ephemeral tokens are as sensitive as runner admin itself.
  permission read_ephemeral_token = organization->admin + group->admin_runner + project->admin_runner
}

// Issue resource (enhanced)
// Issue (enhanced). Reading follows project visibility; the author and assignee
// can update their issue on top of whoever holds admin_issue on the project.
// `epic` is declared but referenced by no permission here.
definition issue {
  relation assignee: user
  relation author: user
  relation epic: epic
  relation project: project

  // NOTE(review): no confidentiality gate is modelled here — read_issue is
  // exactly project read. If confidential issues exist, that restriction must
  // be enforced elsewhere; confirm.
  permission read_issue = project->read_project
  permission create_issue = project->create_issue
  permission update_issue = author + assignee + project->admin_issue
  permission admin_issue = project->admin_issue
  permission reopen_issue = project->reopen_issue
  permission destroy_issue = project->destroy_issue
  permission clone_issue = project->clone_issue
  permission move_issue = project->move_issue
  // Reporter-level actions taken directly from the project role.
  permission promote_to_epic = project->reporter
  permission set_confidentiality = project->reporter
  // Metadata setters.
  permission set_issue_metadata = project->set_issue_metadata
  permission set_issue_crm_contacts = project->set_issue_crm_contacts
  permission set_issue_iid = project->set_issue_iid
  permission set_issue_created_at = project->set_issue_created_at
  permission set_issue_updated_at = project->set_issue_updated_at
  // Links and relations.
  permission read_issue_link = project->read_issue_link
  permission admin_issue_link = project->admin_issue_link
  permission admin_issue_relation = project->admin_issue_relation
  // Discussion.
  permission read_note = project->read_note
  permission create_note = project->create_note
  permission admin_note = project->admin_note
  permission mark_note_as_internal = project->mark_note_as_internal
  permission award_emoji = project->award_emoji
  permission create_todo = project->create_todo
  permission read_crm_contacts = project->read_crm_contacts
  permission update_subscription = project->update_subscription
}

// Merge request resource (enhanced).
// Permissions are delegated to the owning project except where the bare
// `author` and `reviewer` relations are unioned in directly.
definition merge_request {
  // `assignee` is declared but not referenced by any permission below.
  relation assignee: user
  relation author: user
  relation project: project
  relation reviewer: user

  permission accept_merge_request = project->accept_merge_request
  // Direct grant: `author` receives admin_merge_request without being
  // intersected with project access, and the project arm is the fixed
  // `developer` role rather than a delegated per-action permission.
  // NOTE(review): confirm a former member keeping this grant is intended.
  permission admin_merge_request = project->developer + author
  // `reviewer` is a direct grant on top of the project's delegated permission.
  permission approve_merge_request = project->approve_merge_request + reviewer
  permission create_merge_request_from = project->create_merge_request_from
  permission read_merge_request = project->read_project
  permission update_merge_request = project->update_merge_request
  permission destroy_merge_request = project->destroy_merge_request
  permission reopen_merge_request = project->reopen_merge_request
  permission set_merge_request_metadata = project->set_merge_request_metadata
  permission create_merge_request_approval_rules = project->create_merge_request_approval_rules
  permission update_approvers = project->update_approvers
  permission reset_merge_request_approvals = project->reset_merge_request_approvals
  permission create_todo = project->create_todo
  permission mark_note_as_internal = project->mark_note_as_internal
  permission update_subscription = project->update_subscription
  permission access_generate_commit_message = project->access_generate_commit_message
  permission access_summarize_review = project->access_summarize_review
  permission provide_status_check_response = project->provide_status_check_response
  permission read_external_status_check_response = project->read_external_status_check_response
  permission retry_failed_status_checks = project->retry_failed_status_checks
}

// Epic resource (enhanced).
// Epics hang off a group rather than a project; a mix of delegated
// per-action permissions and fixed group roles (`reporter`, `developer`,
// `owner`, `read`) is used.
definition epic {
  relation assignee: user
  relation author: user
  relation group: group

  // Direct grant: `author` gets admin_epic regardless of current group
  // access. NOTE(review): confirm this is the intended policy.
  permission admin_epic = group->admin_epic + author
  permission create_epic = group->reporter
  permission read_epic = group->read
  // Same direct-grant pattern for author and assignee on update.
  permission update_epic = group->admin_epic + author + assignee
  permission destroy_epic = group->owner
  permission set_epic_metadata = group->reporter
  permission set_epic_created_at = group->owner
  permission set_epic_updated_at = group->owner
  permission set_confidentiality = group->reporter
  permission admin_epic_relation = group->developer
  permission admin_epic_link_relation = group->developer
  permission admin_epic_tree_relation = group->developer
  permission create_epic_tree_relation = group->developer
  permission read_epic_iid = group->read
  permission read_epic_relation = group->read
  permission read_epic_link_relation = group->read
  permission create_note = group->create_note
  permission read_note = group->read_note
  permission admin_note = group->admin_note
  permission award_emoji = group->award_emoji
  permission create_todo = group->create_todo
  permission mark_note_as_internal = group->mark_note_as_internal
  permission measure_comment_temperature = group->measure_comment_temperature
  permission read_issuable = group->read
  permission read_issuable_participables = group->read
  permission resolve_note = group->developer
  permission summarize_comments = group->summarize_comments
}

// Work item resource (enhanced).
// Mirrors the issue definition: admin/create/read/update reuse the project's
// issue permissions, while the work-item-specific actions have their own
// delegated permissions.
definition work_item {
  relation assignee: user
  relation author: user
  relation project: project

  permission admin_work_item = project->admin_issue
  permission create_work_item = project->create_issue
  permission read_work_item = project->read_project
  // Direct author/assignee grant, not intersected with project access
  // (same pattern as issue.update_issue).
  permission update_work_item = project->admin_issue + author + assignee
  // Fixed-role arm (`owner`) where the issue definition delegates to
  // `destroy_issue`. NOTE(review): confirm the two are meant to differ.
  permission delete_work_item = project->owner
  permission clone_work_item = project->clone_work_item
  permission move_work_item = project->move_work_item
  permission set_work_item_metadata = project->set_work_item_metadata
  permission admin_work_item_link = project->admin_work_item_link
  permission admin_parent_link = project->admin_parent_link
  permission report_spam = project->report_spam
}

// Vulnerability resource (enhanced).
// All permissions are delegated to the owning project.
definition vulnerability {
  // `author` and `finding` are declared but unused by any permission here.
  relation author: user
  relation finding: finding
  relation project: project

  permission admin_vulnerability = project->admin_vulnerability
  permission create_vulnerability_feedback = project->create_vulnerability_feedback
  permission read_vulnerability = project->read_vulnerability
  permission read_vulnerability_representation_information = project->read_vulnerability_representation_information
  permission create_external_issue_link = project->create_external_issue_link
}

// Finding resource (enhanced).
// admin/read reuse the project's vulnerability permissions.
definition finding {
  relation project: project
  // `scanner` is declared but not referenced by any permission below.
  relation scanner: scanner

  permission admin_finding = project->admin_vulnerability
  permission read_finding = project->read_vulnerability
  permission read_finding_token_status = project->read_finding_token_status
}

// Container repository resource (enhanced).
// Only read_container_image consults the group arm; every write-side
// permission is project-only.
definition container_repository {
  relation group: group
  relation project: project

  permission admin_container_image = project->admin_container_image
  // Destroy reuses the project's admin permission rather than a dedicated one.
  permission destroy_container_image = project->admin_container_image
  permission read_container_image = project->read_container_image + group->read_container_image
  permission create_container_image = project->create_container_image
  permission update_container_image = project->update_container_image
  permission destroy_container_image_tag = project->destroy_container_image_tag
}

// Package resource (enhanced).
// admin/read consult both project and group arms; create and destroy are
// project-only.
definition package {
  relation group: group
  relation project: project

  permission admin_package = project->admin_package + group->admin_package
  // Fixed-role arm (`developer`) with no group arm, unlike admin_package.
  // NOTE(review): confirm group-level packages are not expected here.
  permission create_package = project->developer
  permission destroy_package = project->admin_package
  permission read_package = project->read_package + group->read_package  
  permission read_package_within_public_registries = project->read_package_within_public_registries + group->read_package_within_public_registries
}

// Environment resource (enhanced).
// admin/read/stop use fixed project roles; the remaining permissions are
// delegated per action.
definition environment {
  // `deployment` is declared but not referenced by any permission below.
  relation deployment: deployment
  relation project: project

  permission admin_environment = project->maintainer
  permission read_environment = project->read_project
  permission stop_environment = project->developer
  permission create_environment = project->create_environment
  permission update_environment = project->update_environment
  permission destroy_environment = project->destroy_environment
  permission create_environment_terminal = project->create_environment_terminal
}

// Deployment resource (enhanced).
// admin and approve are tied to the project's `maintainer` role; the rest is
// delegated per action. Deployment approval is a change-control gate, so the
// `maintainer` arm is the line to check when reviewing separation of duties.
definition deployment {
  // `author` and `environment` are declared but unused by any permission here
  // (notably, the author is not excluded from approve_deployment).
  relation author: user
  relation environment: environment
  relation project: project

  permission admin_deployment = project->maintainer
  permission approve_deployment = project->maintainer
  permission read_deployment = project->read_project
  permission create_deployment = project->create_deployment
  permission update_deployment = project->update_deployment
  permission destroy_deployment = project->destroy_deployment
  permission read_pages_deployments = project->read_pages_deployments
  permission update_pages_deployments = project->update_pages_deployments
}

// Member role resource (enhanced).
// Group-scoped roles are managed by group owners or organization admins;
// the admin-role permissions are organization-admin only.
definition member_role {
  relation group: group
  relation organization: organization

  permission admin_member_role = group->owner + organization->admin
  permission read_member_role = group->read + organization->read
  // These three duplicate the checks in the `admin_role` definition; keep
  // them in sync if either side changes.
  permission delete_admin_role = organization->admin
  permission read_admin_role = organization->admin
  permission update_admin_role = organization->admin
}

// Compliance framework resource (enhanced).
// Delegated to the owning group and organization; pipeline configuration is
// group-only.
definition compliance_framework {
  relation group: group
  relation organization: organization

  permission admin_compliance_framework = group->admin_compliance_framework + organization->admin_compliance_framework
  permission read_compliance_framework = group->read + organization->read
  permission admin_compliance_pipeline_configuration = group->admin_compliance_pipeline_configuration
}

// Audit event resource (enhanced).
// Read access to audit data is restricted to owners of the related group or
// project and to organization admins; instance-wide streaming and the admin
// audit log are organization-admin only.
definition audit_event {
  relation group: group
  relation project: project
  relation organization: organization

  permission admin_external_audit_events = group->owner + organization->admin_external_audit_events
  permission read_audit_event = group->owner + project->owner + organization->admin
  permission read_admin_audit_log = organization->admin
  permission admin_instance_external_audit_events = organization->admin
  permission audit_event_definitions = organization->admin
}

// Deploy token resource (enhanced).
// Scopes a deploy token can exercise (registry/repository read, registry
// write) plus who may create and update tokens, on both project and group.
definition deploy_token {
  relation project: project
  relation group: group

  permission read_registry = project->read_container_image + group->read_container_image
  permission read_repository = project->read_code + group->read_code
  // Fixed-role arms (`developer`) where the read scopes delegate per action.
  permission write_registry = project->developer + group->developer
  permission create_deploy_token = project->create_deploy_token + group->create_deploy_token
  // NOTE(review): the two arms reference differently named permissions
  // (`update_deploy_token` on project, `manage_deploy_tokens` on group);
  // confirm against those definitions that this asymmetry is intended.
  permission update_deploy_token = project->update_deploy_token + group->manage_deploy_tokens
}

// Personal access token resource (enhanced).
// `user->user` delegates to the token owner's own `user` definition; the
// organization arms add administrative control over tokens in the org.
definition personal_access_token {
  relation user: user
  relation organization: organization

  permission admin_token = user->user + organization->admin
  // NOTE(review): `organization->member` puts use_token within reach of
  // every organization member, not only the token owner and admins. Confirm
  // this is the intended scope, since use_token is the credential-exercising
  // permission.
  permission use_token = user->user + organization->member
  // read and rotate are owner-only, whereas admin and revoke also allow
  // organization admins.
  permission read_token = user->user
  permission revoke_token = user->user + organization->admin
  permission rotate_token = user->user
}

// Scanner resource (enhanced).
// admin reuses the vulnerability admin permissions; read_scan is project-only.
definition scanner {
  relation project: project
  relation group: group

  permission admin_scanner = project->admin_vulnerability + group->admin_vulnerability
  permission read_scanner = project->read_project + group->read
  permission read_scan = project->read_scan
}

// Note resource.
// Note permissions are evaluated against the related project/group and the
// note's author only.
definition note {
  relation project: project
  relation group: group
  relation author: user
  // NOTE(review): the three noteable relations are declared but no permission
  // below references them, so a note's visibility is not derived from the
  // issue/merge request/epic it belongs to (e.g. its confidentiality).
  // Confirm this is enforced elsewhere.
  relation noteable_issue: issue
  relation noteable_merge_request: merge_request
  relation noteable_epic: epic
  
  // `author` is a direct grant, not intersected with project/group access.
  permission read_note = project->read_note + group->read_note + author
  // admin_note and update_note resolve to the same subject set.
  permission admin_note = project->admin_note + group->admin_note + author
  permission update_note = author + project->admin_note + group->admin_note
  permission resolve_note = project->resolve_note + group->resolve_note
  permission reposition_note = project->reposition_note + group->reposition_note
  permission mark_note_as_internal = project->mark_note_as_internal + group->mark_note_as_internal
  permission award_emoji = project->award_emoji + group->award_emoji
}

// Todo resource.
// A todo is private to the user it is written for.
definition todo {
  relation user: user
  // `project` and `group` are declared but unused by any permission here.
  relation project: project
  relation group: group
  
  permission read_todo = user
  permission update_todo = user
}

// Timelog resource.
// Delegated to the related project and group; no read permission is defined
// in this definition.
definition timelog {
  relation project: project
  relation group: group
  // `user` is declared but not referenced by any permission below.
  relation user: user
  
  permission admin_timelog = project->admin_timelog + group->admin_timelog
  permission create_timelog = project->create_timelog + group->create_timelog
}

// Custom emoji resource.
// Group-delegated, with the creator able to delete their own emoji.
definition custom_emoji {
  relation group: group
  relation creator: user
  
  permission read_custom_emoji = group->read_custom_emoji
  permission delete_custom_emoji = group->delete_custom_emoji + creator
}

// Saved reply resource.
// The owning `user` has every permission directly; project and group arms
// cover shared replies.
definition saved_reply {
  relation user: user
  relation project: project
  relation group: group
  
  permission create_saved_replies = user + project->create_saved_replies + group->create_saved_replies
  permission read_saved_replies = user + project->read_saved_replies + group->read_saved_replies
  permission update_saved_replies = user + project->update_saved_replies + group->update_saved_replies
  permission destroy_saved_replies = user + project->destroy_saved_replies + group->destroy_saved_replies
}

// Achievement resource.
// Achievement definitions are managed through the owning namespace (a group);
// the awarded `user` can only read and update their own award.
definition achievement {
  relation namespace: group
  relation user: user
  
  permission read_achievement = namespace->read_achievement
  permission admin_achievement = namespace->admin_achievement
  permission award_achievement = namespace->award_achievement
  permission read_user_achievement = user
  permission update_user_achievement = namespace->admin_achievement
  permission update_owned_user_achievement = user
  permission destroy_user_achievement = namespace->admin_achievement
}

// Virtual registry resource.
// Fully delegated to the owning group.
definition virtual_registry {
  relation group: group
  
  permission read_virtual_registry = group->read_virtual_registry
  permission create_virtual_registry = group->create_virtual_registry
  permission update_virtual_registry = group->update_virtual_registry
  permission destroy_virtual_registry = group->destroy_virtual_registry
}

// Workspace resource.
// Project-delegated, with the workspace's `user` able to read and update it
// directly.
definition workspace {
  relation project: project
  relation user: user
  
  permission create_workspace = project->create_workspace
  permission read_workspace = project->read_workspace + user
  permission update_workspace = project->update_workspace + user
  permission read_workspace_variable = project->read_workspace_variable
  permission read_workspaces_agent_config = project->read_workspaces_agent_config
  permission access_workspaces_feature = project->access_workspaces_feature
  // Project owners see all workspaces of the project; the `global`
  // definition grants the same-named permission to instance admins.
  permission read_all_workspaces = project->owner
}

// CRM contact resource.
// Fully delegated to the owning group.
definition crm_contact {
  relation group: group
  
  permission read_crm_contact = group->read_crm_contact
  permission admin_crm_contact = group->admin_crm_contact
}

// CRM organization resource.
// Fully delegated to the owning group.
definition crm_organization {
  relation group: group
  
  permission read_crm_organization = group->read_crm_organization
  permission admin_crm_organization = group->admin_crm_organization
}

// Custom field resource.
// Delegated to the related project and group.
definition custom_field {
  relation project: project
  relation group: group
  
  permission read_custom_field = project->read_custom_field + group->read_custom_field
  permission admin_custom_field = project->admin_custom_field + group->admin_custom_field
}

// Duo workflow resource.
// Lifecycle permissions are group-only; read, CI execution and event reads
// also consult the project arm.
definition duo_workflow {
  relation group: group
  relation project: project
  
  permission admin_duo_workflow = group->admin_duo_workflow
  // NOTE(review): the project arm references `duo_workflow` while every other
  // project arm here uses a `read_`/`execute_` prefixed name; confirm against
  // the project definition that `duo_workflow` (not `read_duo_workflow`) is
  // the intended target.
  permission read_duo_workflow = group->read_duo_workflow + project->duo_workflow
  permission update_duo_workflow = group->update_duo_workflow
  permission destroy_duo_workflow = group->destroy_duo_workflow
  permission execute_duo_workflow_in_ci = group->execute_duo_workflow_in_ci + project->execute_duo_workflow_in_ci
  permission read_duo_workflow_event = group->read_duo_workflow_event + project->read_duo_workflow_event
}

// Group stage resource.
// Fully delegated to the owning group.
definition group_stage {
  relation group: group
  
  permission create_group_stage = group->create_group_stage
  permission read_group_stage = group->read_group_stage
  permission update_group_stage = group->update_group_stage
  permission delete_group_stage = group->delete_group_stage
}

// Resource access token resource.
// Project/group access tokens; every permission is delegated to both arms.
definition resource_access_token {
  relation project: project
  relation group: group
  
  permission read_resource_access_tokens = project->read_resource_access_tokens + group->read_resource_access_tokens
  permission create_resource_access_tokens = project->create_resource_access_tokens + group->create_resource_access_tokens
  permission destroy_resource_access_tokens = project->destroy_resource_access_tokens + group->destroy_resource_access_tokens
  permission manage_resource_access_tokens = project->manage_resource_access_tokens + group->manage_resource_access_tokens
}

// Cluster resource.
// Clusters may be attached at project, group or instance level; the instance
// arm is modelled through an `organization` relation named `instance`, whose
// `read`/`admin` permissions are used directly.
definition cluster {
  relation project: project
  relation group: group
  relation instance: organization
  
  permission read_cluster = project->read_cluster + group->read_cluster + instance->read
  permission add_cluster = project->add_cluster + group->add_cluster + instance->admin
  permission create_cluster = project->create_cluster + group->create_cluster + instance->admin
  permission update_cluster = project->update_cluster + group->update_cluster + instance->admin
  permission admin_cluster = project->admin_cluster + group->admin_cluster + instance->admin
  permission read_cluster_environments = project->read_cluster_environments + group->read_cluster_environments + instance->admin
  // NOTE(review): `use_k` looks like a truncated identifier; confirm it
  // matches the permission actually defined on project and group.
  permission use_k = project->use_k + group->use_k + instance->admin
}

// Cluster agent resource.
// Reading an agent is allowed through any of the three arms; the mapping
// permissions are scoped to the group (namespace) or organization only.
definition cluster_agent {
  relation project: project
  relation group: group
  relation organization: organization
  
  permission read_cluster_agent = project->read_cluster_agent + group->read_cluster_agent + organization->read_organization_cluster_agent_mapping
  permission admin_namespace_cluster_agent_mapping = group->admin_namespace_cluster_agent_mapping
  permission admin_organization_cluster_agent_mapping = organization->admin_organization_cluster_agent_mapping
  permission read_namespace_cluster_agent_mapping = group->read_namespace_cluster_agent_mapping
  permission read_organization_cluster_agent_mapping = organization->read_organization_cluster_agent_mapping
}

// Service account resource.
// Service accounts can be managed at organization or group level; membership
// administration is group-only.
definition service_account {
  relation organization: organization
  relation group: group
  
  permission admin_service_accounts = organization->admin_service_accounts + group->admin_service_accounts
  permission create_service_account = organization->create_service_account + group->create_service_account
  permission delete_service_account = organization->delete_service_account + group->delete_service_account
  permission admin_service_account_member = group->admin_service_account_member
}

// Import source user resource.
// Reassigning imported contributions is reserved for owners of the target
// namespace (a group).
definition source_user {
  relation namespace: group
  
  permission admin_import_source_user = namespace->owner
}

// Admin role resource.
// Every permission requires organization admin. The `member_role` definition
// repeats read/update/delete with the same check; keep them in sync.
definition admin_role {
  relation organization: organization
  
  permission read_admin_role = organization->admin
  permission create_admin_role = organization->admin
  permission update_admin_role = organization->admin
  permission delete_admin_role = organization->admin
}

// Terms resource.
// Only the user the terms are presented to may accept or decline them.
definition term {
  relation user: user
  
  permission accept_terms = user
  permission decline_terms = user
}

// SAML provider resource.
// Group SAML configuration; sign-in is tied to the group's `guest_access`,
// the administrative permissions are delegated per action.
definition saml_provider {
  relation group: group
  
  permission sign_in_with_saml_provider = group->guest_access
  permission admin_group_saml = group->admin_group_saml
  permission read_group_saml_identity = group->read_group_saml_identity
  permission admin_saml_group_links = group->admin_saml_group_links
  permission read_saml_user = group->read_saml_user
}

// Thread resource (for conversations).
// A conversation thread may only be deleted by its user.
definition thread {
  relation user: user
  
  permission delete_conversation_thread = user
}

// Global resource for instance-wide permissions.
// Two subject sets: `admin` (instance administrators) and `user` (signed-in
// users). Each permission below is granted to exactly one of them.
definition global {
  relation admin: user
  // NOTE(review): `admin` does not imply `user` in this schema — a subject
  // written only into `admin` would lack the `user`-gated permissions below
  // (access_api, log_in, ...). Confirm admins are also written as `user`, or
  // that this split is intended.
  relation user: user
  
  permission access_admin_area = admin
  permission access_api = user
  permission access_git = user
  permission access_code_suggestions = user
  permission access_duo_chat = user
  permission access_duo_core_features = user
  permission access_glab_ask_git_command = user
  permission access_workspaces_feature = user
  permission access_x_ray_on_instance = admin
  // Several permissions in this block (e.g. admin_instance_external_audit_events,
  // admin_member_role, read_admin_audit_log, read_all_workspaces, the
  // *_admin_role ones) also exist on other definitions against
  // organization->admin or project->owner; both paths have to be reviewed
  // when one of them changes.
  permission admin_instance_external_audit_events = admin
  permission admin_member_role = admin
  permission admin_service_accounts = admin
  permission admin_web_hook = admin
  permission approve_user = admin
  permission create_admin_role = admin
  permission create_group = user
  permission create_group_via_api = user
  permission create_group_with_default_branch_protection = admin
  permission create_instance_runner = admin
  permission create_organization = admin
  permission create_snippet = user
  permission destroy_licenses = admin
  permission execute_graphql_mutation = user
  permission export_user_permissions = admin
  permission log_in = user
  permission manage_devops_adoption_namespaces = admin
  permission manage_duo_core_settings = admin
  permission manage_ldap_admin_links = admin
  permission manage_self_hosted_models_settings = admin
  permission manage_subscription = admin
  permission read_admin_audit_log = admin
  permission read_admin_background_jobs = admin
  permission read_admin_background_migrations = admin
  permission read_admin_cicd = admin
  permission read_admin_gitaly_servers = admin
  permission read_admin_health_check = admin
  permission read_admin_metrics_dashboard = admin
  permission read_admin_role = admin
  permission read_admin_subscription = admin
  permission read_admin_system_information = admin
  permission read_admin_users = admin
  permission read_all_geo = admin
  permission read_all_workspaces = admin
  permission read_application_statistics = admin
  permission read_billable_member = admin
  permission read_cloud_connector_status = admin
  permission read_custom_attribute = admin
  permission read_instance_metadata = admin
  permission read_jobs_statistics = admin
  permission read_licenses = admin
  permission read_member_role = admin
  permission read_operations_dashboard = admin
  permission read_runner_upgrade_status = admin
  permission read_runner_usage = admin
  permission read_usage_trends_measurement = admin
  permission read_users_list = admin
  permission read_web_hook = admin
  permission receive_notifications = user
  permission reject_user = admin
  permission update_custom_attribute = admin
  permission update_max_pages_size = admin
  permission use_project_statistics_filters = user
  permission use_quick_actions = user
  permission use_slash_commands = user
  permission view_instance_devops_adoption = admin
  permission view_member_roles = user
  permission view_productivity_analytics = user
  permission read_duo_core_settings = admin
  permission read_self_hosted_models_settings = admin
}