Security Manager Default Role
# Release notes

The Security Manager role is now generally available, providing comprehensive access to security features including vulnerability management, security dashboards, policy configuration, and compliance tools. Security teams no longer need the Developer role or the Maintainer role to access security features, eliminating over-privileging concerns while maintaining separation of duties.

Users with the Security Manager role have the following access:

- Vulnerability management: View, triage, and manage vulnerabilities across groups and projects.
- Security policies: View and manage security policies at the group level, and contribute to policy YAML at the project level.
- Security inventory: View scanner coverage across all projects in a group.
- Security configuration profiles: View security configuration profiles for groups and projects.
- Compliance tools: View and manage audit events, compliance center, compliance frameworks, compliance status reports, and dependency lists at both group and project levels.
- Secret push protection: Enable secret push protection for a group and project.
- On-demand DAST: Create and run on-demand DAST scans for a project.
- Runner visibility: View runners for a group and project.

To get started, go to a group and select **Manage > Members** to invite and assign members to the Security Manager role.

> **Note:** The source of truth for this release note has moved to https://gitlab.com/gitlab-org/gitlab/-/merge_requests/239318. Edit the MR directly to make changes.

# DRIs

- **PM**: @m-omokoh
- **EM**: @ajaythomasinc
- **Eng IC**: @jayswain
- **UX/PDM**: ?
# Requirements

* **Role Name:** `Security Manager`
* **Availability**: Free, Premium, Ultimate

# Group Permissions:

<details>
<summary>

[Analytics group permissions](https://docs.gitlab.com/user/permissions/#analytics-group-permissions) - Same as Reporter

</summary>

| Action | Guest | Planner | Reporter | Developer | Security Manager | Maintainer | Owner |
|--------|:-----:|:-------:|:--------:|:---------:|:----------------:|:----------:|:-----:|
| View insights | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| View insights charts | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| View issue analytics | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| View contribution analytics | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| View value stream analytics | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| View productivity analytics | | | ✓ | ✓ | ✓ | ✓ | ✓ |
| View group DevOps adoption | | | ✓ | ✓ | ✓ | ✓ | ✓ |
| View metrics dashboard annotations | | | ✓ | ✓ | ✓ | ✓ | ✓ |
| Manage metrics dashboard annotations | | | | ✓ | | ✓ | ✓ |

</details>

<details>
<summary>

[Application security group permissions](https://docs.gitlab.com/user/permissions/#application-security-group-permissions) - Same as Owner

</summary>

| Action | Guest | Planner | Reporter | Developer | Security Manager | Maintainer | Owner |
|--------|:-----:|:-------:|:--------:|:---------:|:----------------:|:----------:|:-----:|
| View [dependency list](application_security/dependency_list/_index.md) | | | | ✓ | ✓ | ✓ | ✓ |
| View [vulnerability report](application_security/vulnerability_report/_index.md) | | | | ✓ | ✓ | ✓ | ✓ |
| View [security dashboard](application_security/security_dashboard/_index.md) | | | | ✓ | ✓ | ✓ | ✓ |
| Create [security policy project](application_security/policies/_index.md) | | | | | ✓ | | ✓ |
| Assign [security policy project](application_security/policies/_index.md) | | | | | ✓ | | ✓ |
| Manage [security policy project](application_security/policies/_index.md) | | | | | ✓ | | ✓ |
| View security policies | | | | ✓ | ✓ | ✓ | ✓ |
| View security inventory | | | | ✓ | ✓ | ✓ | ✓ |
| Manage security attributes | | | | | ✓ | | ✓ |
| View security attributes | | | | ✓ | ✓ | ✓ | ✓ |

</details>

<details>
<summary>

[CI/CD group permissions](https://docs.gitlab.com/user/permissions/#cicd-group-permissions) - None

</summary>

| Action | Guest | Planner | Reporter | Developer | Security Manager | Maintainer | Owner |
|--------|:-----:|:-------:|:--------:|:---------:|:----------------:|:----------:|:-----:|
| View group runners | | | | | ✓ | ✓ | ✓ |
| Manage group-level Kubernetes cluster | | | | | | ✓ | ✓ |
| Manage group runners | | | | | | | ✓ |
| Manage group level CI/CD variables | | | | | | | ✓ |
| Manage group protected environments | | | | | | | ✓ |

</details>

<details>
<summary>

[Compliance group permissions](https://docs.gitlab.com/user/permissions/#cicd-group-permissions) - Same as Owner

</summary>

| Action | Guest | Planner | Reporter | Developer | Security Manager | Maintainer | Owner |
|--------|:-----:|:-------:|:--------:|:---------:|:----------------:|:----------:|:-----:|
| View audit events <sup>1</sup> | | | | ✓ | ✓ | ✓ | ✓ |
| View licenses in [dependency list](application_security/dependency_list/_index.md) | | | | ✓ | ✓ | ✓ | ✓ |
| View compliance center | | | | | ✓ | | ✓ |
| Manage compliance frameworks | | | | | ✓ | | ✓ |
| Assign compliance frameworks to projects | | | | | ✓ | | ✓ |
| Manage audit streams | | | | | ✓ | | ✓ |

</details>

_Note: This epic description was reconstructed after an automated editing error. The full Group and Project permission tables, Problem to solve, Voice of the Customer, Proposals, and Additional Resources sections should be restored from the work item version history (the version timestamped before 2026-06-04 18:00 UTC). The "## Release notes" section above is current and correct._

> [!important]
>
> This page may contain information related to upcoming products, features and functionality.
> It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes.
> Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.

<!-- triage-serverless v3 PLEASE DO NOT REMOVE THIS SECTION -->
epic