
Draft: Create GraphQL query to get a list of permissions for fine-grained PATs

What does this MR do and why?

  • Handbook for the granular personal access tokens effort - https://internal.gitlab.com/handbook/engineering/development/sec/govern/authorization
  • This MR creates a GraphQL endpoint that returns a list of all the permissions that can be applied to fine-grained personal access tokens.
  • The endpoint is behind the fine_grained_personal_access_tokens feature flag.
  • It also introduces an include_for_personal_access_tokens attribute in the files defined under config/auth/permissions, because that folder is used to add permissions for both PATs and DeclarativePolicy and we want to control which permissions are exposed for PATs.
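The following is an added example, not code from this MR or from GitLab, showing the filtering behaviour the last bullet describes: permission definitions are loaded from YAML, and only those that explicitly opt in with include_for_personal_access_tokens: true are returned in the shape of the GraphQL fields. The sample YAML, its key names other than include_for_personal_access_tokens, and the FeatureFlags class standing in for Feature.enabled? are all assumptions made for this example. The security-relevant choice is that a missing attribute counts as not exposed, so a newly added permission never appears in the PAT scope list by default.

```ruby
require 'yaml'

# Constructed sample of definition files such as those under
# config/auth/permissions. Only include_for_personal_access_tokens is named by
# the MR; the other keys are assumed for this example.
SAMPLE_PERMISSION_FILES = {
  'read_code.yml' => <<~YAML,
    name: read_code
    description: Read repository code
    action: read
    resource: code
    feature_category: source_code_management
    include_for_personal_access_tokens: true
  YAML
  'admin_runners.yml' => <<~YAML,
    name: admin_runners
    description: Administer runners
    action: admin
    resource: runners
    feature_category: runner
    include_for_personal_access_tokens: false
  YAML
  'read_issue.yml' => <<~YAML
    name: read_issue
    description: Read issues
    action: read
    resource: issue
    feature_category: team_planning
  YAML
}.freeze

# Hypothetical flag store standing in for Feature.enabled?; not GitLab code.
class FeatureFlags
  def initialize(enabled = [])
    @enabled = enabled.map(&:to_sym)
  end

  def enabled?(name)
    @enabled.include?(name.to_sym)
  end
end

# Parse every definition and keep only those that explicitly opt in.
# A missing attribute (or anything other than true) means "not exposed",
# so the list is an allowlist rather than a denylist.
def pat_permissions(files = SAMPLE_PERMISSION_FILES)
  files.values
       .map { |body| YAML.safe_load(body) }
       .select { |defn| defn['include_for_personal_access_tokens'] == true }
       .map { |defn|
         {
           name: defn['name'],
           description: defn['description'],
           action: defn['action'],
           resource: defn['resource'],
           feature_category: defn['feature_category']
         }
       }
end

# Resolver-style entry point: nil while the feature flag is off (the field is
# unavailable), otherwise the filtered permission list.
def resolve_personal_access_token_permissions(flags)
  return nil unless flags.enabled?(:fine_grained_personal_access_tokens)

  pat_permissions
end

if __FILE__ == $PROGRAM_NAME
  flags = FeatureFlags.new([:fine_grained_personal_access_tokens])
  p resolve_personal_access_token_permissions(flags)
end
```

Running the file prints only the read_code entry: admin_runners is excluded because it opts out, and read_issue because it never opted in.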

How to set up and validate locally

  1. Enable the feature flag in the rails console:
Feature.enable(:fine_grained_personal_access_tokens)
  2. Log in as any user, navigate to the GraphQL explorer at /graphql-explorer, and run the following query:
query {
  personalAccessTokenPermissions {
    name
    description
    action
    resource
    featureCategory
  }
}

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #572946

Edited by Hinam Mehra
