Customer Feedback - Granular Permissions
This issue is to summarize requests from customers that occurred via issue discussion and interviews in order to prioritize which aspects of customizable roles to make progress on next.
Instructions
- Scan the list to see if your request is represented. If so, increment the count
- If it's not represented, add it
- If an issue already exists to capture the ask, link it to this issue and tag it with this epic: Customizable roles - New Specific Permission Re... (&9973)
Current Status
Product Manager @hsutor tracks current progress on customizable roles here.
Known Limitations
All suggested permissions provided in the table below are additive on top of a base role included as part of GitLab's default permissions and roles.
In the case of a customer wanting everything except a single permission in a default role, given the nature of this effort, all granular permissions missing in the diff between the two roles will need to be added for their use-case to be supported. Ex: Developer Role except Read Terraform State
| Feedback | Count |
|---|---|
| General Security / Separation of Duties | 25 |
| Should be in Premium | 7 |
| Reporter - Remove access to view source code | 4 |
|
|
5 |
| Developer - Remove "Download Code" | 2 |
| Reporter - Run pipeline but not merge | 4 |
| Reporter - Give access to download container registry images | 2 |
| Reporter - Add "resolve threads" | 6 |
| Developer - Don't access feature flags | 1 |
| Developer - Add Edit CI/CD settings | 1 |
| Auditor view more things (SAML identities) | 2 |
| Maintainer - Add ability to manage group level variables | 5 |
| Developer - remove ability to view confidential issue | 1 |
| Developer - write terraform state | 15 - includes issue upvote |
| Developer - Read-Only Terraform state | 12 - includes issue upvote |
| Developer - remove ability to edit releases | 1 |
| Developer - give developer ability to manage variables | 4 |
| Developer - should not be able to delete container registry | 3 |
| Developer - remove ability to trigger job | 1 |
| Admin too permissive | 5 |
| Owner too permissive | 2 |
| Maintainer too permissive | 6 |
| Maintainer should not be able to edit a project's CI/CD settings | 4 |
| Maintainer should not be able to edit a project's security policy | 2 |
| Maintainers shouldn't be allowed to become a group owner | 4 |
| Maintainer should not be able to delete a package | 1 |
| Maintainer should be able to delete a project | 1 |
| Maintainers can only give group access to minimal access user | 1 |
| Remove Maintainer all together | 1 |
| Prevent deletion of merge request, issue, test result, artifact by developer | 2 |
| Maintainer - remove ability to disable approval rules on their MRs | 2 |
| Maintainer - remove ability to change protected env | 2 |
| Maintainer - Push to protected branches | 1 |
| Reporter should not be able to modify the issue board | 1 |
| Developer - Remove ability to view code | |
| Developer - remove access to deploy token | |
| Want different roles for different groups/projects | 1 |
| Developer and Maintainer - remove permission to delete images from container registry | 2 |
| Developer - create repo, but not push | 15 - issue |
| Reporter - Add "view security dashboard" | 2 |