Permissions for Custom Roles - Repository
### **Problem to solve**

Customers often have to set their users to Maintainer or Owner to manage sensitive repository actions. This leaves the user over-privileged, because those roles can also manage other group or project settings. These granular access requests range from isolating code between internal and external users to managing rules for a project.

### **Proposal**

**Iteration 1 - Enable organizations to reduce the number of owners and maintainers in their environment.**

| Resource | Actions | Group Scope | Project Scope |
|----------|---------|-------------|---------------|
| admin_deploy_tokens | See issue: https://gitlab.com/gitlab-org/gitlab/-/issues/448843 | Yes | Yes |
| admin_protected_branches | See issue: https://gitlab.com/gitlab-org/gitlab/-/issues/448823 | N/A | Yes |
| admin_push_rules | See issue: https://gitlab.com/gitlab-org/gitlab/-/issues/421786 | Yes | Yes |
| admin_merge_request_settings | See issue: https://gitlab.com/gitlab-org/gitlab/-/issues/443235 | Yes | Yes |

**Iteration 2 - Consistent CRUD Pattern**

See the [meta issue](https://gitlab.com/gitlab-org/gitlab/-/issues/440701 "Permissions map to a Consistent CRUD Verb Pattern") for CRUD verb patterns (pending research):

* Manage: includes Write/View/Delete
* Write: includes View
* Delete: includes View

| Resource | Manage | Write | View | Delete | Milestone/Issue |
|----------|--------|-------|------|--------|-----------------|
| Repository | Full CRUD on repository code, including sensitive objects:<br>- Merge requests<br>- Protected tags<br>- Protected branches<br>- Push to protected branches | - Push to non-protected branches<br>- Create and update a MR<br>- Create and update snippets<br>- Clone | - View code<br>- Pull code<br>- View branches<br>- View commit status<br>- View merge requests | - Delete non-protected branches<br>- Delete unprotected tags | |

| Default Condition | Description |
|-------------------|-------------|
| Force push protected branches | No role. Use branch protection. |
| Force push unprotected branches | Manage, Write |
| Labels | Labels can be assigned. |
| Public vs Internal/Private | |
| Threads | |
| View vs download | |

| Views/CLI | Manage | Write | View | Delete |
|-----------|--------|-------|------|--------|
| Merge Requests | | | | |
| Web Editor | | | | |
| Command Line | | | | |
| IDE | | | | |

### **Permutation Stress Test**

* A user can manage approval rules, branch settings, or push rules without becoming a Maintainer.
* The Guest role can view MRs.

### **User Persona Modeling**

### **Dependencies**

* Labels: creating and managing labels in the MR metadata will be limited by the label permission.
* Notifications
* TODOs
* Comments
* Merge requests and resource
* Charge on guest users

### **Evidence**

* https://gitlab.com/gitlab-org/gitlab/-/issues/391760#note_1400795515
* https://gitlab.com/gitlab-org/gitlab/-/issues/391760#note_1550198109
* https://gitlab.com/gitlab-org/gitlab/-/issues/391760#note_1570435642
* https://gitlab.com/gitlab-org/gitlab/-/issues/391760#note_1747246360
* https://gitlab.com/gitlab-org/gitlab/-/issues/391760#note_1752775569
* https://gitlab.com/gitlab-org/gitlab/-/issues/391760#note_1753476293
* https://gitlab.com/gitlab-org/gitlab/-/issues/391760#note_1687744056
* https://gitlab.com/gitlab-org/gitlab/-/issues/391760#note_1653258295
* https://gitlab.com/gitlab-org/gitlab/-/issues/391760#note_1695016006
* https://gitlab.com/groups/gitlab-org/-/epics/4035#note_1388981886
* https://gitlab.com/groups/gitlab-org/-/epics/4035#note_1600469949
* https://gitlab.com/groups/gitlab-org/-/epics/4035#note_821611822
* https://gitlab.com/groups/gitlab-org/-/epics/4035#note_932442185
* https://gitlab.com/gitlab-org/gitlab/-/issues/432731

### **Alignment Review**

* [ ] \[Create PMs\]: Product Manager
* [ ] \[Create Designer\]: Product Designer
* [ ] \[Authorization Team\]: PM, EM, PD

### Resources

* epic
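As an added example (not code from this epic or from GitLab), the following Python models the Iteration 2 verb hierarchy (Manage includes Write/View/Delete; Write and Delete include View) together with the Iteration 1 resources, and checks the Permutation Stress Test case: a custom role that manages push rules without holding Manage on the repository. The resource and action names, and the mapping of the admin_* permissions onto the Manage verb, are assumptions.

```python
from dataclasses import dataclass

# CRUD verb hierarchy from the proposal: Manage includes Write/View/Delete,
# Write includes View, Delete includes View.
IMPLIES = {
    "manage": {"manage", "write", "view", "delete"},
    "write": {"write", "view"},
    "delete": {"delete", "view"},
    "view": {"view"},
}

# Verb each action needs, per resource (constructed). Repository rows follow
# the CRUD table; the Iteration 1 admin_* permissions are mapped to "manage"
# on their own resource, which is an assumption of this example.
REQUIRED = {
    ("repository", "push_protected_branch"): "manage",
    ("repository", "push_branch"): "write",
    ("repository", "create_merge_request"): "write",
    ("repository", "clone"): "view",
    ("repository", "view_merge_request"): "view",
    ("repository", "delete_unprotected_branch"): "delete",
    ("push_rules", "admin_push_rules"): "manage",
    ("protected_branches", "admin_protected_branches"): "manage",
    ("merge_request_settings", "admin_merge_request_settings"): "manage",
}


@dataclass
class CustomRole:
    name: str
    grants: dict  # resource -> set of verbs granted directly

    def effective(self, resource):
        """Verbs the role holds on a resource after applying the hierarchy."""
        verbs = set()
        for verb in self.grants.get(resource, ()):
            verbs |= IMPLIES[verb]
        return verbs

    def allows(self, resource, action):
        return REQUIRED[(resource, action)] in self.effective(resource)


def least_privilege_role(name, actions):
    """Smallest grant set covering the requested (resource, action) pairs."""
    grants = {}
    for resource, action in actions:
        grants.setdefault(resource, set()).add(REQUIRED[(resource, action)])
    for resource, verbs in grants.items():  # drop verbs another grant already implies
        grants[resource] = {v for v in verbs if not any(v in IMPLIES[o] for o in verbs if o != v)}
    return CustomRole(name, grants)


def managed_resources(role):
    """Resources the role can Manage: the over-privilege surface to review."""
    return {r for r in role.grants if "manage" in role.effective(r)}
```

Comparing `managed_resources` for a least-privilege role against a Maintainer-like role shows which settings a user gains only because of the broad role, which is the gap Iteration 1 targets.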