Custom permissions
You can create a custom role by adding one or more custom permissions to a base role.
Some permissions depend on other permissions.
For example, the admin_vulnerability permission requires you to also include the read_vulnerability permission.
Any dependencies are noted in the Description column for each permission.
Code review workflow
| Permission | Description | API Attribute | Scope | Introduced |
|---|---|---|---|---|
| Manage merge request approvals and settings | Configure merge request settings at the group or project level. Group actions include managing merge checks and approval settings. Project actions include managing MR configurations, approval rules and settings, and branch targets. In order to enable Suggested reviewers, the “Manage project access tokens” custom permission needs to be enabled. | manage_merge_request_settings | Group, Project | GitLab 17.0 |
Compliance management
| Permission | Description | API Attribute | Scope | Introduced |
|---|---|---|---|---|
| Manage and assign compliance frameworks | Create, read, update, and delete compliance frameworks. Users with this permission can also assign a compliance framework label to a project, and set the default framework of a group. | admin_compliance_framework | Group, Project | GitLab 17.0 |
| Read compliance dashboard | Read compliance capabilities including adherence, violations, and frameworks for groups and projects. | read_compliance_dashboard | Group, Project | GitLab 17.7 |
Continuous delivery
| Permission | Description | API Attribute | Scope | Introduced |
|---|---|---|---|---|
| Manage deploy tokens | Manage deploy tokens at the group or project level. | manage_deploy_tokens | Group, Project | GitLab 17.0 |
Groups and projects
| Permission | Description | API Attribute | Scope | Introduced |
|---|---|---|---|---|
| Archive project | Allows archiving of projects. | archive_project | Project | GitLab 16.6 |
| Delete group | Ability to delete or restore a group. This ability does not allow deleting top-level groups. Review the Retention period settings to prevent accidental deletion. | remove_group | Group | GitLab 16.10 |
| Delete project | Allows deletion of projects. | remove_project | Project | GitLab 16.8 |
| Manage group members | Add or remove users in a group, and assign roles to users. When assigning a role, users with this custom permission must select a role that has the same or fewer permissions as the default role used as the base for their custom role. | admin_group_member | Group | GitLab 16.5 |
Infrastructure as code
| Permission | Description | API Attribute | Scope | Introduced |
|---|---|---|---|---|
| Manage Terraform state | Execute terraform commands, lock/unlock terraform state files, and remove file versions. | admin_terraform_state | Project | GitLab 16.8 |
Integrations
| Permission | Description | API Attribute | Scope | Introduced |
|---|---|---|---|---|
| Manage integrations | Create, read, update, and delete integrations with external applications. | admin_integrations | Group, Project | GitLab 17.1 |
Runner
| Permission | Description | API Attribute | Scope | Introduced |
|---|---|---|---|---|
| Manage runners | Create, view, edit, and delete group or project Runners. Includes configuring Runner settings. | admin_runners | Group, Project | GitLab 17.1 |
| View runners | Allows read-only access to group or project runners, including the runner fleet dashboard. | read_runners | Group, Project | GitLab 17.2 |
Secrets management
| Permission | Description | API Attribute | Scope | Introduced |
|---|---|---|---|---|
| Manage CI/CD variables | Create, read, update, and delete CI/CD variables. | admin_cicd_variables | Group, Project | GitLab 16.10 |
Security policy management
| Permission | Description | API Attribute | Scope | Introduced |
|---|---|---|---|---|
| Link to a security policy project | Allows linking security policy projects. | manage_security_policy_link | Group, Project | GitLab 16.11 |
Source code management
| Permission | Description | API Attribute | Scope | Introduced |
|---|---|---|---|---|
| Approve merge request | Allows approval of merge requests. | admin_merge_request | Project | GitLab 16.4 |
| Manage Protected Branches | Create, read, update, and delete protected branches for a project. | admin_protected_branch | Project | GitLab 17.4 |
| Manage push rules | Configure push rules for repositories at the group or project level. | admin_push_rules | Group, Project | GitLab 16.11 |
| View repository code | Allows read-only access to the source code in the user interface. Does not allow users to edit or download repository archives, clone or pull repositories, view source code in an IDE, or view merge requests for private projects. You can download individual files because read-only access inherently grants the ability to make a local copy of the file. | read_code | Group, Project | GitLab 15.7 |
System access
| Permission | Description | API Attribute | Scope | Introduced |
|---|---|---|---|---|
| Manage group access tokens | Create, read, update, and delete group access tokens. When creating a token, users with this custom permission must select a role for that token that has the same or fewer permissions as the default role used as the base for the custom role. | manage_group_access_tokens | Group | GitLab 16.8 |
| Manage project access tokens | Create, read, update, and delete project access tokens. When creating a token, users with this custom permission must select a role for that token that has the same or fewer permissions as the default role used as the base for the custom role. | manage_project_access_tokens | Project | GitLab 16.5 |
Team planning
| Permission | Description | API Attribute | Scope | Introduced |
|---|---|---|---|---|
| View CRM contact | Read CRM contact. | read_crm_contact | Group | GitLab 17.1 |
Vulnerability management
| Permission | Description | API Attribute | Scope | Introduced |
|---|---|---|---|---|
| Manage vulnerabilities | Edit the vulnerability object, including the status and linking an issue. Includes the read_vulnerability permission actions. | admin_vulnerability | Group, Project | GitLab 16.1 |
| View dependency list | Allows read-only access to the dependencies and licenses. | read_dependency | Group, Project | GitLab 16.3 |
| View vulnerability reports and dashboards | Read vulnerability reports and security dashboards. | read_vulnerability | Group, Project | GitLab 16.1 |
Webhooks
| Permission | Description | API Attribute | Scope | Introduced |
|---|---|---|---|---|
| Manage web hooks | Manage webhooks | admin_web_hook | Group, Project | GitLab 17.0 |
Docs
Edit this page to fix an error or add an improvement in a merge request.
Create an issue to suggest an improvement to this page.
Product
Create an issue if there's something you don't like about this feature.
Propose functionality by submitting a feature request.
Feature availability and product trials
View pricing to see all GitLab tiers and features, or to upgrade.
Try GitLab for free with access to all features for 30 days.
Get help
If you didn't find what you were looking for, search the docs.
If you want help with something specific and could use community support, post on the GitLab forum.
For problems setting up or using this feature (depending on your GitLab subscription).
Request support