Available custom permissions
The following permissions are available. You can add these permissions in any combination to a base role to create a custom role.
Some permissions require having other permissions enabled first. For example, administration of vulnerabilities (admin_vulnerability) can only be enabled if reading vulnerabilities (read_vulnerability) is also enabled.
These requirements are documented in the Required permission column in the following table.
Code review workflow
| Name | Required permission | Description | Introduced in | Feature flag | Enabled in |
|---|---|---|---|---|---|
| admin_merge_request | | Allows approval of merge requests. | GitLab 16.4 | | |
| read_code | | Allows read-only access to the source code. | GitLab 15.7 | customizable_roles | GitLab 15.9 |
Group and projects
| Name | Required permission | Description | Introduced in | Feature flag | Enabled in |
|---|---|---|---|---|---|
| admin_group_member | | Add or remove users in a group, and assign roles to users. When assigning a role, users with this custom permission must select a role that has the same or fewer permissions as the default role used as the base for their custom role. | GitLab 16.5 | admin_group_member | GitLab 16.6 |
Groups and projects
| Name | Required permission | Description | Introduced in | Feature flag | Enabled in |
|---|---|---|---|---|---|
| archive_project | | Allows archiving of projects. | GitLab 16.6 | archive_project | GitLab 16.7 |
| remove_group | | Ability to delete or restore a group. This ability does not allow deleting top level groups. Review the Retention period settings to prevent accidental deletion. | GitLab 16.10 | | |
| remove_project | | Allows deletion of projects. | GitLab 16.8 | | |
Infrastructure as code
| Name | Required permission | Description | Introduced in | Feature flag | Enabled in |
|---|---|---|---|---|---|
| admin_terraform_state | | Execute terraform commands, lock/unlock terraform state files, and remove file versions. | GitLab 16.8 | | |
Secrets management
| Name | Required permission | Description | Introduced in | Feature flag | Enabled in |
|---|---|---|---|---|---|
| admin_cicd_variables | | Create, read, update, and delete CI/CD variables. | GitLab 16.10 | | |
Security policy management
Source code management
| Name | Required permission | Description | Introduced in | Feature flag | Enabled in |
|---|---|---|---|---|---|
| admin_push_rules | | Configure push rules for repositories at the group or project level. | GitLab 16.11 | custom_ability_admin_push_rules | |
System access
| Name | Required permission | Description | Introduced in | Feature flag | Enabled in |
|---|---|---|---|---|---|
| manage_group_access_tokens | | Create, read, update, and delete group access tokens. When creating a token, users with this custom permission must select a role for that token that has the same or fewer permissions as the default role used as the base for the custom role. | GitLab 16.8 | | |
| manage_project_access_tokens | | Create, read, update, and delete project access tokens. When creating a token, users with this custom permission must select a role for that token that has the same or fewer permissions as the default role used as the base for the custom role. | GitLab 16.5 | manage_project_access_tokens | GitLab 16.8 |
Vulnerability management
| Name | Required permission | Description | Introduced in | Feature flag | Enabled in |
|---|---|---|---|---|---|
| admin_vulnerability | | Edit the vulnerability object, including the status and linking an issue. Includes the read_vulnerability permission actions. | GitLab 16.1 | | |
| read_dependency | | Allows read-only access to the dependencies and licenses. | GitLab 16.3 | | |
| read_vulnerability | | Read vulnerability reports and security dashboards. | GitLab 16.1 | | |
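As an added example (not GitLab's own code), the following offline check reviews a proposed custom role against the two rules this page states: the admin_vulnerability prerequisite, and the "same or fewer permissions" limit attached to admin_group_member and the access-token permissions. The function names and the sample role are hypothetical; the numeric levels are GitLab's standard access levels for the default roles, and comparing those levels is an assumed model of "same or fewer permissions".

```python
# Added example: offline review of a proposed custom role against the rules above.
# audit_role and may_delegate are hypothetical helper names, not GitLab's API.

# GitLab's numeric access levels for the default roles.
ACCESS_LEVELS = {"Guest": 10, "Reporter": 20, "Developer": 30,
                 "Maintainer": 40, "Owner": 50}

# Every permission named in the tables on this page.
KNOWN = {
    "admin_merge_request", "read_code", "admin_group_member", "archive_project",
    "remove_group", "remove_project", "admin_terraform_state",
    "admin_cicd_variables", "admin_push_rules", "manage_group_access_tokens",
    "manage_project_access_tokens", "admin_vulnerability", "read_dependency",
    "read_vulnerability",
}

# Prerequisites the page states explicitly.
REQUIRES = {"admin_vulnerability": {"read_vulnerability"}}

# Permissions whose description carries the "same or fewer permissions" rule.
DELEGATING = {"admin_group_member", "manage_group_access_tokens",
              "manage_project_access_tokens"}


def audit_role(base, permissions):
    """Return a list of findings for one custom role definition."""
    perms, findings = set(permissions), []
    if base not in ACCESS_LEVELS:
        findings.append(f"unknown base role: {base}")
    findings += [f"unknown permission: {p}" for p in sorted(perms - KNOWN)]
    for perm in sorted(perms & REQUIRES.keys()):
        for missing in sorted(REQUIRES[perm] - perms):
            findings.append(f"{perm} requires {missing}")
    return findings


def may_delegate(base, permissions, target):
    """True if holders of this custom role may hand out the target role.

    Assumption: "same or fewer permissions" is modelled as target <= base level.
    """
    if not DELEGATING & set(permissions):
        return False
    return ACCESS_LEVELS[target] <= ACCESS_LEVELS[base]


if __name__ == "__main__":
    # Constructed sample: Reporter base, a missing prerequisite and a typo.
    role = ("Reporter", ["admin_vulnerability", "admin_group_member", "read_cod"])
    print(audit_role(*role))
    print(may_delegate(*role, "Developer"))
```

Running such a check over role definitions before they are created catches misspelled permission names and roles whose holders could otherwise be expected to grant more than their own base role allows.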