Fine-grained PATs - Permission Wave Rollout by Team & Priority

Background

The authorization team is building out fine-grained permissions for Personal Access Tokens. There are over 300 resources/policies in GitLab today. The rollout will happen in 4 waves. Each wave will target resources/policies owned by specific teams, chosen based on usage or risk mitigation. To simplify coordination and the review process, each implementation or merge will cover all resources owned by that team.

Waves 1-3 will be in beta (by 18.9), while Wave 4 will be GA (by 18.11).

We will start with REST, as support for granular tokens in GraphQL is still in development. Afterwards, we will address GraphQL, with reviews going to the same set of product teams.

PAT Permission Workbook SSOT

(BETA) Wave 1 - Target Completion by %18.6 / 10%

Resources | Team | REST Milestone Complete | GraphQL Milestone Complete | Notes

Resources

Admin Member Roles
Member Roles

group::authorization

Resources

Group Wikis
Wiki*
Wikis

group::knowledge

Duplicates / Team Review

Resources

Badges
Group Avatar
Group Badges
Group Projects
Groups
Manage Groups*
Members
Namespaces
Organizations
Project*
Project Aliases
Project Avatar
Project Export
Project Templates
Projects
Subgroups
Topics
User Groups*
User Organizations*

group::organizations

Duplicates / Team Review

Resources

CI Runners*
Runners
User Runners

group::Runners Platform

Duplicates / Team Review

Resources

CI Jobs*
CI Lint
CI Pipelines
Job Artifacts
Jobs/Builds
Merge Trains
Pipeline Schedules
Pipeline Triggers
Pipelines
Validate CI/CD

group::pipeline execution

Duplicates / Team Review

(BETA) Wave 2 - Target Completion by %18.7 / 40%

Resources | Team | REST Milestone Complete | GraphQL Milestone Complete | Notes

Resources

Merge Request Dependencies
Merge Request Diffs
Merge Requests
Saved Replies

group::code review

Resources

Branches
Code/Repository
Commit Statuses
Commits
Discussions
Dockerfile Templates
Git
Gitignore Templates
Group Approval Rules
Group Protected Branches
Group Push Rules
Group Releases
Group Repository Storage Moves
Group SSH Certificates
Keys
Merge Request Approval Rules
Merge Request Approval Settings
Merge Request Approvals
Project Approval Rules
Project Approval Settings
Project Approvals*
Project Mirror
Project Push Rules
Project Repository Storage Moves*
Project Snippets
Project Statistics
Protected Branches
Protected Tags
Remote Mirrors
Repositories
Repository Branches
Repository Commits
Repository Files
Repository Submodules
Repository Tags
Snippet Repository Storage Moves*
Snippets
Tags
Web Commits

group::source code

Review

Resources

Audit Events
Compliance External Controls
Compliance Policy Settings
External Status Checks
Resource Label Events
Status Checks*

group::compliance

Duplicates / Review

Resources

Dependencies
Dependency List Exports*
License Templates

group::composition analysis

Resources

Group Security Settings
Project Security Settings

group::security platform management

Resources

SBOM Occurrences
Security Scans*
Security/Vulnerabilities
Vulnerabilities
Vulnerability Archive Exports*
Vulnerability Exports
Vulnerability Findings
Vulnerability Issue Links*

group::security insights

Duplicates / Review

Resources

CI Catalog
CI Variables
CI/CD Variables*
GitLab CI/CD Templates
Group Variables
Instance CI Variables

group::pipeline authoring

Duplicates / Review

Resources

Secure Files

group::pipeline security

Resources

Container Images
Container Registry Events*
Container Registry Protection
Container Repositories*
Dependency Proxy
Group Container Repositories
Project Container Registry Protection Rules
Project Container Repositories

group::container registry

Duplicates / Review

Resources

Award Emoji
Custom Attributes
Draft Notes
Epic Boards
Epic Issues*
Epic Links
Epics
Group Issue Boards
Group Iterations
Group Labels
Group Milestones
Issue Boards
Issue Links*
Issue Metadata
Issues
Iterations
Labels
Linked Epics*
Markdown Uploads
Milestones
Notes
Notes/Comments
Project Milestones
Related Epic Links*
Resource Iteration Events*
Resource Milestone Events*
Resource State Events*
Resource Weight Events*
Time Tracking

group::project management

Duplicates / Review

(BETA) Wave 3 - Target Completion by %18.8 / 75%

Resources | Team | REST Milestone Complete | GraphQL Milestone Complete | Notes

Resources

AI Duo Workflows
AI LLM Git Command
Chat*
Code Suggestions
GitLab Chat
Suggestions

group::duo chat

group::code creation

Duplicates / Review

Resources

Access Requests
Access Tokens
Appearance
Applications
Avatar
Deploy Tokens
Group Enterprise Users
Group Members
Group SCIM
Group Service Accounts
Instance SCIM
Invitations
Job Token Scopes*
Job Tokens
LDAP
LDAP Group Links
OAuth Applications
Personal Access Token Self Information
Personal Access Token Self Rotation
Personal Access Tokens
Plan Limits
Project Job Token Scope*
Provider Identity
Resource Access Token Self Rotation*
Resource Access Tokens
SAML Group Links
Service Accounts
SSH Keys
Statistics
Token Management
User Email
User Tokens
Users

group::authentication

Duplicates / Review

Resources

CI Resource Groups
Cluster Agent Tokens
Cluster Agent URL Configurations
Cluster Agents
Clusters
Deploy Keys
Deployments
Environments
Feature Flag User Lists
Feature Flags
Freeze Periods
Instance Metadata
Kubernetes
Metadata
Project Deployment Frequency*
Protected Environments
Release Links
Releases
Terraform Modules
Terraform State
Terraform State Version
Unleash
Version

group::environments

Resources

Bitbucket Import*
Bitbucket Server Import*
Bulk Imports
Group Export
Group Hooks
Group Import
Group Placeholder Reassignments
Import from Bitbucket
Import from GitHub
Project Events
Project Hooks
Project Import
System Hooks

group::import

Duplicates / Review

Resources

Go Proxy
Group Debian Distributions
Packages: Covers all package types: Maven, NPM, NuGet, PyPI, Helm, Cargo, Conan, Debian, RPM, RubyGem, Composer, Go, Generic, ML Model, Terraform Module, and Dependency Proxy packages*
Pages
Pages Domains
Project Debian Distributions
Ruby Gems*
Virtual Registry Maven Cache Entries*
Virtual Registry Maven Endpoints*
Virtual Registry Maven Registries*
Virtual Registry Maven Registry Upstreams*
Virtual Registry Maven Upstreams

group::package registry

Duplicates / Review

(GA) Wave 4 - Target Completion by %18.11 / 100%

Resources | Team | REST Milestone Complete | GraphQL Milestone Complete | Notes

Resources

Service Ping
Usage Data

group::analytics instrumentation

Review - Internal only?

Resources

Batched Background Migrations
Database Migrations

group::database frameworks

Resources

Sidekiq Metrics
Sidekiq Queue Management*
Sidekiq Queues

~"group::durability"

Review / Internal only?

Resources

Notification Settings
Todos

group::engagement

Resources

Geo Nodes
Geo Replication
Geo Sites

group::geo

Resources

Search
Search Index Migrations
Zoekt Search

group::global search

Resources

Experiments
ML Models
MLflow Artifacts
MLflow Artifacts Entrypoint
MLflow Entrypoint
MLflow Experiments
MLflow Model Versions
MLflow Registered Models
MLflow Runs

group::mlops

Resources

CI Minutes

group::provision

Internal only?

Resources

GitLab Subscriptions

group::subscription management

Internal only?

Resources

License

group::utilization

Internal only?

#573648 (comment 2879160289)

group::fulfillment platform

Edited by Joe Randazzo