Roles and permissions

  • Tier: Free, Premium, Ultimate
  • Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated

When you add a user to a project or group, you assign them a role. The role determines which actions they can take in GitLab.

If you add a user to both a project’s group and the project itself, the higher role is used.

GitLab administrators have all permissions.

Roles

You can assign users a default role or a custom role.

The available default roles are:

  • Guest (This role applies to private and internal projects only.)
  • Planner
  • Reporter
  • Developer
  • Maintainer
  • Owner
  • Minimal Access (available for the top-level group only)

A user assigned the Guest role has the fewest permissions, and the Owner has the most.

By default, all users can create top-level groups and change their usernames. A GitLab administrator can change this behavior for the GitLab instance.

Group members permissions

Any user can remove themselves from a group, unless they are the only Owner of the group.

The following table lists group permissions available for each role:

Analytics group permissions

Group permissions for analytics features including value streams, product analytics, and insights:

Action | Guest | Planner | Reporter | Developer | Maintainer | Owner
View insights
View insights charts
View issue analytics
View contribution analytics
View value stream analytics
View productivity analytics
View group DevOps adoption
View metrics dashboard annotations
Manage metrics dashboard annotations

Application security group permissions

Group permissions for Application Security features including dependency management, security analyzers, security policies, and vulnerability management.

Action | Guest | Planner | Reporter | Developer | Maintainer | Owner
View dependency list
View vulnerability report
View security dashboard
Create security policy project
Assign security policy project

CI/CD group permissions

Group permissions for CI/CD features including runners, variables, and protected environments:

Action | Guest | Planner | Reporter | Developer | Maintainer | Owner
View instance runner
View group runners
Manage group-level Kubernetes cluster
Manage group runners
Manage group level CI/CD variables
Manage group protected environments

Compliance group permissions

Group permissions for compliance features including compliance center, audit events, compliance frameworks, and licenses.

Action | Guest | Planner | Reporter | Developer | Maintainer | Owner
View audit events 1
View licenses in dependency list
View compliance center
Manage compliance frameworks
Assign compliance frameworks to projects
Manage audit streams

Footnotes

GitLab Duo group permissions

Group permissions for GitLab Duo:

Action | Non-member | Guest | Planner | Reporter | Developer | Maintainer | Owner
Use GitLab Duo features 1
Configure GitLab Duo feature availability
Configure GitLab Duo Self Hosted
Enable beta and experimental features
Purchase GitLab Duo seats

Footnotes

Groups group permissions

Group permissions for group features:

Action | Guest | Planner | Reporter | Developer | Maintainer | Owner
Browse group
Search projects in group
View group audit events 1
Create project in group 2
Create subgroup 3
Change custom settings for project integrations
Edit epic comments (posted by any user)
Fork project into a group
View Billing 4
View group Usage quotas page 4
Migrate group
Archive group
Delete group
Manage subscriptions, storage, and compute minutes
Manage group access tokens
Change group visibility level
Edit group settings
Configure project templates
Configure SAML SSO 4
Disable notification emails
Import project

Footnotes

Project planning group permissions

Action | Guest | Planner | Reporter | Developer | Maintainer | Owner
View epic
Search epics 1
Add issues to an epic 2
Add child epics 3
Add internal notes
Create epics
Update epic details
Manage epic boards
Delete epics

Footnotes

Group permissions for wikis:

Action | Guest | Planner | Reporter | Developer | Maintainer | Owner
View group wiki 1
Search group wikis 2
Create group wiki pages
Edit group wiki pages
Delete group wiki pages

Footnotes

Packages and registries group permissions

Group permissions for container registry:

Action | Guest | Planner | Reporter | Developer | Maintainer | Owner
Pull container registry images 1
Pull container images with the dependency proxy
Delete container registry images

Footnotes

Group permissions for package registry:

Action | Guest | Planner | Reporter | Developer | Maintainer | Owner
Pull packages
Publish packages
Delete packages
Manage package settings
Manage dependency proxy cleanup policies
Enable dependency proxy
Disable dependency proxy
Purge the group dependency proxy
Enable package request forwarding
Disable package request forwarding

Repository group permissions

Group permissions for repository features including merge requests, push rules, and deploy tokens.

Action | Guest | Planner | Reporter | Developer | Maintainer | Owner
Manage deploy tokens
Manage merge request settings
Manage push rules

User management group permissions

Group permissions for user management:

Action | Guest | Planner | Reporter | Developer | Maintainer | Owner
View 2FA status of members
Filter members by 2FA status
Manage group members
Manage group-level custom roles
Share (invite) groups to groups

Workspace group permissions

Group permissions for workspaces:

Action | Guest | Planner | Reporter | Developer | Maintainer | Owner
View workspace cluster agents mapped to a group
Map or unmap workspace cluster agents to and from a group

Project members permissions

A user’s role determines what permissions they have on a project. The Owner role provides all permissions but is available only:

  • For group and project Owners.
  • For Administrators.

Personal namespace owners:

  • Are displayed as having the Maintainer role on projects in the namespace, but have the same permissions as a user with the Owner role.
  • For new projects in the namespace, are displayed as having the Owner role.

For more information about how to manage project members, see members of a project.

The following tables list the project permissions available for each role.

Analytics

Project permissions for analytics features including value streams, usage trends, product analytics, and insights.

Action | Guest | Planner | Reporter | Developer | Maintainer | Owner
View issue analytics
View value stream analytics
View CI/CD analytics
View code review analytics
View DORA metrics
View merge request analytics
View repository analytics
View Value Streams Dashboard
View GitLab Duo and SDLC trends

Application security

Project permissions for application security features including dependency management, security analyzers, security policies, and vulnerability management.

Action | Guest | Planner | Reporter | Developer | Maintainer | Owner
View dependency list
View licenses in dependency list
View security dashboard
View vulnerability report
Create vulnerability manually
Create issue from vulnerability finding
Create on-demand DAST scans
Run on-demand DAST scans
Create individual security policies
Change individual security policies
Delete individual security policies
Create CVE ID request
Change vulnerability status 1
Create security policy project
Assign security policy project
Manage security configurations

Footnotes

CI/CD

GitLab CI/CD permissions for some roles can be modified by these settings:

Project Owners can perform any listed action, and can delete pipelines:

Action | Non-member | Guest | Planner | Reporter | Developer | Maintainer
View instance runner
View existing artifacts 1
View list of jobs 2
View artifacts 3
Download artifacts 3
View environments 1
View job logs and job details page 2
View pipelines and pipeline details pages 2
View pipelines tab in MR 1
View vulnerabilities in a pipeline 4
Run deployment job for a protected environment 5
View agents for Kubernetes
View project Secure Files
Download project Secure Files
View a job with debug logging
Create environments
Delete environments
Stop environments
Run, rerun, or retry CI/CD pipeline or job
Run, rerun, or retry CI/CD pipeline or job for a protected branch 6
Delete job logs or job artifacts 7
Enable review apps
Cancel jobs 8
Read Terraform state
Run interactive web terminals
Use pipeline editor
View project runners 9
Manage project runners 9
Delete project runners 10
Manage agents for Kubernetes
Manage CI/CD settings
Manage job triggers
Manage project CI/CD variables
Manage project protected environments
Manage project Secure Files
Manage Terraform state
Add project runners to project 11
Clear runner caches manually
Enable instance runners in project

Footnotes

This table shows granted privileges for jobs triggered by specific roles.

Project Owners can do any listed action, but no users can push source and LFS together. Guest users and members with the Reporter role cannot do any of these actions.

Action | Developer | Maintainer
Clone source and LFS from current project
Clone source and LFS from public projects
Clone source and LFS from internal projects 1
Clone source and LFS from private projects 2
Pull container images from current project
Pull container images from public projects
Pull container images from internal projects 1
Pull container images from private projects 2
Push container images to current project 3

Footnotes

Compliance

Project permissions for compliance features including compliance center, audit events, compliance frameworks, and licenses.

Action | Guest | Planner | Reporter | Developer | Maintainer | Owner
View allowed and denied licenses in MR 1
View audit events 2
View licenses in dependency list
Manage audit streams

Footnotes

GitLab Duo

Project permissions for GitLab Duo:

Action | Non-member | Guest | Planner | Reporter | Developer | Maintainer | Owner
Use GitLab Duo features 1
Configure GitLab Duo feature availability

Footnotes

Machine learning model registry and experiment

Project permissions for model registry and model experiments.

Action | Guest | Planner | Reporter | Developer | Maintainer | Owner
View models and versions 1
View model experiments 2
Create models, versions, and artifacts 3
Edit models, versions, and artifacts
Delete models, versions, and artifacts
Create experiments and candidates
Edit experiments and candidates
Delete experiments and candidates

Footnotes

Monitoring

Project permissions for monitoring including error tracking and incident management:

Action | Guest | Planner | Reporter | Developer | Maintainer | Owner
View an incident
Assign an incident management alert
Participate in on-call rotation for Incident Management
View alerts
View error tracking list
View escalation policies
View on-call schedules
Create incident
Change alert status
Change incident severity
Change incident escalation status
Change incident escalation policy
Manage error tracking
Manage escalation policies
Manage on-call schedules

Project planning

Project permissions for issues:

Action | Guest | Planner | Reporter | Developer | Maintainer | Owner
View issues
Search issues and comments
Create issues
View confidential issues
Search confidential issues and comments
Edit issues, including metadata, item locking, and resolving threads 1
Add internal notes
Close and reopen issues 2
Manage design management files
Manage issue boards
Manage milestones
Search milestones
Archive or reopen requirements 3
Create or edit requirements 4
Import or export requirements
Archive test cases
Create test cases
Move test cases
Reopen test cases
Import issues from a CSV file
Export issues to a CSV file
Delete issues
Manage Feature flags

Footnotes

Project permissions for tasks:

Action | Guest | Planner | Reporter | Developer | Maintainer | Owner
View tasks
Search tasks
Create tasks
Edit tasks, including metadata, item locking, and resolving threads 1
Add a linked item
Convert to another item type
Remove from issue
Add internal note
Delete tasks 2

Footnotes

Project permissions for OKRs:

Action | Guest | Planner | Reporter | Developer | Maintainer | Owner
View OKRs
Search OKRs
Create OKRs
Edit OKRs, including metadata, item locking, and resolving threads
Add a child OKR
Add a linked item
Convert to another item type
Edit OKRs
Change confidentiality in OKR
Add internal note

Project permissions for wikis:

Action | Guest | Planner | Reporter | Developer | Maintainer | Owner
View wiki
Search wikis
Create wiki pages
Edit wiki pages
Delete wiki pages

Packages and registry

Project permissions for container registry:

Action | Guest | Planner | Reporter | Developer | Maintainer | Owner
Pull container registry images 1
Push container registry images
Delete container registry images
Manage cleanup policies
Create tag protection rules
Create immutable tag protection rules

Footnotes

Project permissions for package registry:

Action | Guest | Planner | Reporter | Developer | Maintainer | Owner
Pull packages 1
Publish packages
Delete packages
Delete files associated with a package

Footnotes

Projects

Project permissions for project features:

Action | Guest | Planner | Reporter | Developer | Maintainer | Owner
Download project 1
Leave comments
Reposition comments on images (posted by any user) 2
View insights
View requirements
View time tracking reports 1
View snippets
Search snippets and comments
View project traffic statistics
Create snippets
View releases 3
Manage releases 4
Configure webhooks
Manage project access tokens 5
Export project
Rename project
Edit project badges
Edit project settings
Change project features visibility level 6
Change custom settings for project integrations
Edit comments posted by other users
Add deploy keys
Manage project operations
View Usage quotas page
Globally delete snippets
Globally edit snippets
Archive project
Change project visibility level
Delete project
Disable notification emails
Transfer project

Footnotes

Project permissions for GitLab Pages:

Action | Guest | Planner | Reporter | Developer | Maintainer | Owner
View GitLab Pages protected by access control
Manage GitLab Pages
Manage GitLab Pages domain and certificates
Remove GitLab Pages

Repository

Project permissions for repository features including source code, branches, push rules, and more:

Action | Guest | Planner | Reporter | Developer | Maintainer | Owner
View project code 1
Search project code 2
Search commits and comments 3
Pull project code 4
View commit status
Create commit status 1
Update commit status 1
Create Git tags
Delete Git tags
Create new branches
Push to non-protected branches
Force push to non-protected branches
Delete non-protected branches
Manage protected branches
Push to protected branches 1
Delete protected branches
Manage protected tags
Manage push rules
Remove fork relationship
Force push to protected branches 5

Footnotes

Merge requests

Project permissions for merge requests:

Action | Guest | Planner | Reporter | Developer | Maintainer | Owner
View a merge request 1
Search merge requests and comments 1
Add internal note
Comment and add suggestions
Create snippets
Create merge request 2
Update merge request details 3
Manage merge request settings
Manage merge request approval rules
Delete merge request

Footnotes

User management

Project permissions for user management.

Action | Guest | Planner | Reporter | Developer | Maintainer | Owner
View 2FA status of members
Manage project members 1
Share (invite) projects with groups 2

Footnotes

Subgroup permissions

When you add a member to a subgroup, they inherit the membership and permission level from the parent groups. This model allows access to nested groups if you have membership in one of their parents.

For more information, see subgroup memberships.

Users with Minimal Access

  • Tier: Premium, Ultimate
  • Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated

Users with the Minimal Access role do not:

  • Automatically have access to projects and subgroups in that top-level group.
  • Count as licensed seats on GitLab Self-Managed Ultimate subscriptions or any GitLab.com subscriptions, provided the user has no other role anywhere in the instance or in the GitLab.com namespace.

Owners must explicitly add these users to the specific subgroups and projects.
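The rules stated on this page (the higher of a group role and a project role is used, subgroups inherit from parent groups, and Minimal Access does not carry down to subgroups and projects) can be checked against a membership export when reviewing access. The following Python is an added example, not GitLab code. The namespace paths, users and numeric ranks are constructed for illustration, and only direct memberships and parent inheritance are modelled (no group sharing, custom roles or administrators).

```python
from enum import IntEnum


class Role(IntEnum):
    # Order follows the page: Guest has the fewest permissions, Owner the most.
    # The numbers are ranks used by this example only.
    MINIMAL_ACCESS = 5
    GUEST = 10
    PLANNER = 15
    REPORTER = 20
    DEVELOPER = 30
    MAINTAINER = 40
    OWNER = 50


# Constructed hierarchy: group or project path -> parent (None = top-level group).
PARENT = {
    "acme": None,
    "acme/platform": "acme",
    "acme/platform/deploy-tools": "acme/platform",  # project
    "acme/research": "acme",
    "acme/research/notebooks": "acme/research",     # project
}

# Constructed direct memberships: (user, path) -> role assigned at that level.
DIRECT = {
    ("alice", "acme"): Role.REPORTER,
    ("alice", "acme/platform/deploy-tools"): Role.MAINTAINER,
    ("bob", "acme/platform"): Role.DEVELOPER,
    ("bob", "acme/platform/deploy-tools"): Role.GUEST,
    ("carol", "acme"): Role.MINIMAL_ACCESS,
    ("carol", "acme/research/notebooks"): Role.GUEST,
}


def ancestors(path):
    """Yield the path itself, then each parent up to the top-level group."""
    while path is not None:
        yield path
        path = PARENT[path]


def effective_role(user, path):
    """Return (role, level it comes from), or (None, None) if the user has no access."""
    best, source = None, None
    for level in ancestors(path):
        role = DIRECT.get((user, level))
        if role is None:
            continue
        # Minimal Access on a parent grants nothing on subgroups and projects.
        if role is Role.MINIMAL_ACCESS and level != path:
            continue
        # The higher role is used when several levels grant one.
        if best is None or role > best:
            best, source = role, level
    return best, source


def shadowed_assignments():
    """Direct roles that are lower than what the user already inherits.

    These are the entries a reviewer tends to misread: the lower role shown on
    the project or subgroup does not reduce the user's access.
    """
    findings = []
    for (user, path), direct in DIRECT.items():
        role, source = effective_role(user, path)
        if role > direct:
            findings.append((user, path, direct, role, source))
    return findings


if __name__ == "__main__":
    for user, path, direct, role, source in shadowed_assignments():
        print(f"{user}: {direct.name} on {path} is overridden by {role.name} from {source}")
    print("carol on deploy-tools:", effective_role("carol", "acme/platform/deploy-tools"))
```
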

You can use the Minimal Access role with SAML SSO for GitLab.com groups to control access to groups and projects in the group hierarchy. You can set the default role to Minimal Access for members automatically added to the top-level group through SSO.

1. On the left sidebar, select Search or go to and find your group.
2. Select Settings > SAML SSO.
3. From the Default membership role dropdown list, select Minimal Access.
4. Select Save changes.

Minimal access users receive 404 errors

Because of an outstanding issue, when a user with the Minimal Access role:

  • Signs in with standard web authentication, they receive a 404 error when accessing the parent group.
  • Signs in with Group SSO, they receive a 404 error immediately because they are redirected to the parent group page.

To work around the issue, give these users the Guest role or higher on any project or subgroup in the parent group. Guest users consume a license seat in the Premium tier but do not in the Ultimate tier.