Add deny logic to permissions in custom roles

Everyone can contribute. Help move this issue forward while earning points, leveling up and collecting rewards.

Close this issue

Problem to solve

When a customer creates a custom role, they often only want to remove 1 or 2 permissions from the base of a custom role. In today's workflow, the user has to create a lower base then add 5-10 permissions to achieve the permission of only removing 1 permission if deny was supported.

Also, additive logic between reporter<>developer is not realistic and typical cases require only ability to deny 1 or 2 permissions.

Proposal

Support deny permissions from the base role to improve custom role user experience. This reduces the cognitive load during the role creation process.

Related discussion

#352891 (comment 1059561579)

Evidence

https://gitlab.com/gitlab-org/gitlab/-/issues/505863+
&4035 (comment 2158168952)
&4035 (comment 2171975991)

Edited Aug 18, 2025 by 🤖 GitLab Bot 🤖