Roles are embedded in policy files, and it is difficult to understand what permissions are assigned to any given role. Extract all permissions for a default role that are relevant to build a custom role (with the existing custom abilities) This lets us determine what permissions any role has, which will be helpful: 1. for custom roles to build on top of 2. to prevent privilege escalation issues when adding members 3. make it easier to migrate to an external service when that time comes. ADR https://gitlab.com/gitlab-org/architecture/auth-architecture/design-doc/-/merge_requests/87 PoC for a potential solution: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/191566/ Note: When roles are extracted we should lint to ensure that any permission in a role is defined in the yaml catalog