Available custom permissions

The following permissions are available. You can add these permissions in any combination to a base role to create a custom role.

Some permissions require having other permissions enabled first. For example, administration of vulnerabilities (admin_vulnerability) can only be enabled if reading vulnerabilities (read_vulnerability) is also enabled.

These requirements are documented in the Required permission column in the following table.

Code review workflow

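| Name | Required permission | Description | Introduced in | Feature flag | Enabled in |
|------|---------------------|-------------|---------------|--------------|------------|
| admin_merge_request | | Allows approval of merge requests. | GitLab 16.4 | | |
| read_code | | Allows read-only access to the source code. | GitLab 15.7 | customizable_roles | GitLab 15.9 |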

Group and projects

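| Name | Required permission | Description | Introduced in | Feature flag | Enabled in |
|------|---------------------|-------------|---------------|--------------|------------|
| admin_group_member | | Allows admin of group members. | GitLab 16.5 | admin_group_member | GitLab 16.6 |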

Groups and projects

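| Name | Required permission | Description | Introduced in | Feature flag | Enabled in |
|------|---------------------|-------------|---------------|--------------|------------|
| archive_project | | Allows archiving of projects. | GitLab 16.6 | archive_project | GitLab 16.7 |
| remove_project | | Allows deletion of projects. | GitLab 16.8 | | |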

Infrastructure as code

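| Name | Required permission | Description | Introduced in | Feature flag | Enabled in |
|------|---------------------|-------------|---------------|--------------|------------|
| admin_terraform_state | | Allows administration of Terraform state. | GitLab 16.8 | | |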

System access

| Name | Required permission | Description | Introduced in | Feature flag | Enabled in |
|------|---------------------|-------------|---------------|--------------|------------|
| manage_group_access_tokens | | Allows managing access to the group access tokens. | GitLab 16.8 | | |
| manage_project_access_tokens | | Allows managing access to the project access tokens. | GitLab 16.5 | manage_project_access_tokens | GitLab 16.8 |

Vulnerability management

| Name | Required permission | Description | Introduced in | Feature flag | Enabled in |
|------|---------------------|-------------|---------------|--------------|------------|
| admin_vulnerability | | Allows admin access to the vulnerability reports. | GitLab 16.1 | | |
| read_dependency | | Allows read-only access to the dependencies. | GitLab 16.3 | | |
| read_vulnerability | | Allows read-only access to the vulnerability reports. | GitLab 16.1 | | |