Available custom permissions
The following permissions are available. You can add these permissions in any combination to a base role to create a custom role.
Some permissions require having other permissions enabled first. For example, administration of vulnerabilities (admin_vulnerability) can only be enabled if reading vulnerabilities (read_vulnerability) is also enabled.
These requirements are documented in the Required permission column in the following table.
Code review workflow
Name | Required permission | Description | Introduced in | Feature flag | Enabled in |
---|---|---|---|---|---|
admin_merge_request | | Allows approval of merge requests. | GitLab 16.4 | | |
read_code | | Allows read-only access to the source code. | GitLab 15.7 | customizable_roles | GitLab 15.9 |
Group and projects
Name | Required permission | Description | Introduced in | Feature flag | Enabled in |
---|---|---|---|---|---|
admin_group_member | | Add or remove users in a group, and assign roles to users. When assigning a role, users with this custom permission must select a role that has the same or fewer permissions as the default role used as the base for their custom role. | GitLab 16.5 | admin_group_member | GitLab 16.6 |
Groups and projects
Name | Required permission | Description | Introduced in | Feature flag | Enabled in |
---|---|---|---|---|---|
archive_project | | Allows archiving of projects. | GitLab 16.6 | archive_project | GitLab 16.7 |
remove_group | | Ability to delete or restore a group. This ability does not allow deleting top level groups. Review the Retention period settings to prevent accidental deletion. | GitLab 16.10 | | |
remove_project | | Allows deletion of projects. | GitLab 16.8 | | |
Infrastructure as code
Name | Required permission | Description | Introduced in | Feature flag | Enabled in |
---|---|---|---|---|---|
admin_terraform_state | | Execute terraform commands, lock/unlock terraform state files, and remove file versions. | GitLab 16.8 | | |
Secrets management
Name | Required permission | Description | Introduced in | Feature flag | Enabled in |
---|---|---|---|---|---|
admin_cicd_variables | | Create, read, update, and delete CI/CD variables. | GitLab 16.10 | | |
Security policy management
Name | Required permission | Description | Introduced in | Feature flag | Enabled in |
---|---|---|---|---|---|
manage_security_policy_link | | Allows assigning security policy projects. | GitLab 16.11 | | |
Source code management
Name | Required permission | Description | Introduced in | Feature flag | Enabled in |
---|---|---|---|---|---|
admin_push_rules | | Configure push rules for repositories at the group or project level. | GitLab 16.11 | custom_ability_admin_push_rules | |
System access
Name | Required permission | Description | Introduced in | Feature flag | Enabled in |
---|---|---|---|---|---|
manage_group_access_tokens | | Create, read, update, and delete group access tokens. When creating a token, users with this custom permission must select a role for that token that has the same or fewer permissions as the default role used as the base for the custom role. | GitLab 16.8 | | |
manage_project_access_tokens | | Create, read, update, and delete project access tokens. When creating a token, users with this custom permission must select a role for that token that has the same or fewer permissions as the default role used as the base for the custom role. | GitLab 16.5 | manage_project_access_tokens | GitLab 16.8 |
Vulnerability management
Name | Required permission | Description | Introduced in | Feature flag | Enabled in |
---|---|---|---|---|---|
admin_vulnerability | | Edit the vulnerability object, including the status and linking an issue. Includes the read_vulnerability permission actions. | GitLab 16.1 | | |
read_dependency | | Allows read-only access to the dependencies and licenses. | GitLab 16.3 | | |
read_vulnerability | | Read vulnerability reports and security dashboards. | GitLab 16.1 | | |