Assign custom role and fine-grained permissions to tokens

Problem to solve:

Group and project tokens have the ability to define a default role which would scope the access of the api. This API scope can become inherently overprivileged if setting the role to developer, maintainer, or owner.

Proposal

Allow custom roles to be applied to group or project tokens. api will be based on the permissions defined for the custom role and what the token has access to.

#368904 (comment 1860345629)

Open Questions

  1. How to handle other scopes of the token that conflict with the permissions on the custom role? Is there an order in which permissions are evaluated?

Other token candidates

  • id_tokens
  • PAT
  • GrPAT
  • PrPAT
  • CI_JOB_TOKEN
Edited by 🤖 GitLab Bot 🤖