Permission development guidelines

There are multiple types of permissions across GitLab, and when implementing anything that deals with permissions, all of them should be considered.

As a pre-requisite, familiarize yourself with our glossary first.

For more information, see:

• Predefined roles system: a general overview about predefined roles, user types, feature specific permissions, and permissions dependencies.
• DeclarativePolicy framework: introduction into DeclarativePolicy framework we use for authorization.
• Naming and conventions: guidance on how to name new permissions and what should be included in policy classes.
• Authorizations: guidance on where to check permissions.
• Custom roles: guidance on how to work on custom role, how to introduce a new ability for custom roles, how to refactor permissions.
• Job token guidelines: Guidance on requirements and contribution guidelines for new job token permissions.
• Granular Personal Access Tokens: Guidance on enabling granular PAT permissions for API endpoints, including requirements and contribution guidelines.
• GraphQL API protection against granular PATs: Guidance on how to protect graphQL calls made with granular PATs.