Build Your Own Role Survey
This survey aims to understand how you would build a least-privilege user in GitLab. We remove the construct of default roles (Developer/Maintainer/Owner) and would like to understand what permissions your users need. Think of these permissions as Lego blocks - we want to see what you come up with!

Each permission group is organized by a common resource in GitLab (Repository, CI/CD, Packages) with its own CRUD model.

Permission/Verbs:
Manage: Full CRUD* operations including the settings of that resource. This permission would be given to a select few such as a department lead. If you select "Manage", you assume Write/View/Delete.
Write: Ability to create and update the resource. If you select "Write", you assume View.
View: Ability to read the resource such as lists or objects.
Delete: Ability to delete the respective resource. If you select "Delete", you assume View.

* CRUD: Create, Read, Update, Delete

README: Please fill this survey out as many times as there are roles in your organization. For example, you may have 6 individual submissions that create a role for each:
- Engineers
- Engineer Leads
- Product Managers
- Security and Compliance Manager
- Release Engineer
- Admin


Enter the name of the organization. If you prefer to remain anonymous, use the same fake name for each submission.
Enter the name of your role and a short description of your responsibilities as they relate to GitLab.
Permission Descriptions
README: Here is the permissions breakdown with the schema for each resource. 

PRO-TIP: If it would be easier to put the permissions in a separate view while filling out the survey instead of scrolling, here is a markdown version to view in a separate screen.

Project Planning Permissions
Manage: CRUD operations on work items including epics, issues, OKRs, boards, labels, milestones, iterations, and wiki along with managing settings
Write: Ability to create and update epics, issues, OKRs, and tasks. Set up iterations, milestones and wikis. Edit and transition work items on the board
View: Ability to view epics and issues along with associated metadata
Delete: Ability to delete work items including epics, issues, OKRs, boards, labels, milestones, iterations, and wikis

Repository Permissions
Manage: CRUD operations on code, MRs, protected tags, protected branches, branch protection, push rules, and forks. Settings include repository, MR configurations, and approval rules
Write: Ability to push code, create branches, tags, and run pipelines. Open and contribute to MRs.
View: Ability to view code, MRs, branches, tags, and commit status
Delete: Ability to delete unprotected branches, unprotected tags

Package Permissions
Manage: CRUD Operations on objects including Registries, Proxy, Cleanup Policies along with managing the settings.
Write: Ability to push a container, package, or Terraform module to the registry
View: Ability to view, retrieve, and pull registry objects and metadata on repositories and images
Delete: Ability to delete registry objects and metadata

CI/CD - General Permissions
Manage: Ability to manage settings including Protected Environments, Secure Files, Artifacts, Rollbacks, Deploy Freezes, CI_JOB_TOKEN access, Pipeline Tokens, and Pipeline Subscriptions
Write: Ability to retry and cancel jobs. Ability to stop environments.
View: Ability to view pipelines, jobs, job logs, artifacts, environments, pipeline editor, Secure Files, and Terraform state files.
Delete: Ability to delete pipelines, jobs, artifacts, environments, and Terraform state files.

CI/CD - Variable Permissions
Manage: CRUD operations on CI/CD Variables
Write: Ability to add or update variables
View: Ability to view variables
Delete: Ability to delete variables

CI/CD - Runner Permissions
Manage: CRUD Operations including ability to register, remove, view Runner fleet along with managing Runner settings
Write: Ability to register a Runner and clear cache.
View: Ability to view Runner fleet
Delete: Ability to delete a Runner

CI/CD - Agent Permissions
Manage: CRUD Operations on Kubernetes Agents along with managing the settings
Write: Ability to deploy to a cluster
View: Ability to view clusters and resources
Delete: Ability to delete an agent

Application Security Permissions
Manage: CRUD Operations on vulnerabilities, security policies and linking, along with security configurations for SAST and DAST
Write: Ability to create a security policy. Ability to manually create a vulnerability
View: Ability to view vulnerabilities, dependencies, and dashboard
Delete: Delete security policies and links. Remove security configurations

Compliance Permissions
Manage: CRUD operations on compliance frameworks, license scanning exceptions, and associated settings.
Write: Ability to assign a framework to a project
View: Ability to view adherence report and audit events
Delete: Ability to delete a framework

Analytics Permissions
Manage: CRUD operations on analytics view along with ability to change settings
Write: Ability to add and update a dashboard
View: Ability to view all analytic dashboards
Delete: Ability to delete dashboards

Monitoring Permissions
Manage: CRUD operations for error tracking, alerts, incident management, and status page along with managing respective settings
Write: Ability to contribute to discussions on errors, alerts, and incidents
View: Ability to view errors, alerts, incidents, and status page
Delete: Ability to delete errors, alerts, and incidents

User Management Permissions
Manage: CRUD operations on users and custom roles. Also ability to manage application settings including SAML SSO Setup, SAML Linking, and Domain Verification
Write: Ability to add a member
View: Ability to view members
Delete: Ability to remove a member

Group Permissions
Manage: Ability to manage general group settings including visibility and group features such as applications, integrations, webhooks, access tokens, and billing. Also ability to export, change path, or transfer group
Delete: Ability to delete a group

Project Permissions
Manage: Ability to manage general project settings including visibility and project features such as integrations, webhooks, and access tokens. Also ability to export, change path, or transfer project
Write: Ability to comment on project objects including MRs, epics, issues, and designs
Delete: Ability to delete or archive a project
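
The verb rules above ("Manage" assumes Write/View/Delete; "Write" and "Delete" assume View) can be applied mechanically to a filled-in selection. The following is an added example, not part of the survey or of GitLab: it expands one role's ticks into effective permissions and flags redundant ticks and "Manage" grants for review. The function names, the sample role, and the choice to drop implied verbs that the page does not describe for a resource (Groups, Projects) are assumptions.

```python
IMPLIES = {  # implication rules taken from the survey's verb definitions
    "Manage": {"Write", "View", "Delete"},
    "Write": {"View"},
    "Delete": {"View"},
    "View": set(),
}
ALL = frozenset(IMPLIES)
# Verbs the page describes per resource; Groups and Projects list fewer.
DESCRIBED = {name: ALL for name in (
    "Project Planning", "Repository", "Packages", "CI/CD - General",
    "CI/CD - Variables", "CI/CD - Runners", "CI/CD - Agents",
    "Application Security", "Compliance", "Monitoring", "Analytics",
    "User Management")}
DESCRIBED["Groups"] = frozenset({"Manage", "Delete"})
DESCRIBED["Projects"] = frozenset({"Manage", "Write", "Delete"})


def expand(selection):
    """Return {resource: effective verbs} for {resource: selected verbs}."""
    effective = {}
    for resource, verbs in selection.items():
        undefined = set(verbs) - DESCRIBED[resource]
        if undefined:
            raise ValueError(f"{resource} has no {sorted(undefined)}")
        granted = set(verbs)
        for verb in verbs:
            granted |= IMPLIES[verb]
        # Assumption: implied verbs the page does not describe are dropped.
        effective[resource] = granted & DESCRIBED[resource]
    return effective


def review(selection):
    """Flag redundant ticks and Manage grants for a least-privilege review."""
    findings = []
    for resource, verbs in selection.items():
        for verb in sorted(verbs):
            others = set(verbs) - {verb}
            if any(verb in IMPLIES[o] for o in others):
                findings.append((resource, verb, "redundant"))
        if "Manage" in verbs:
            findings.append((resource, "Manage", "select-few"))
    return findings


# Constructed sample role, not taken from any survey response.
SAMPLE = {"Repository": {"Write", "View"}, "CI/CD - General": {"Manage"},
          "Packages": {"Write", "Delete"}, "Projects": {"Write"}}
```
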
Permission Selection
Options (columns): Manage, Write, View, Delete
Resources (rows):
- Project Planning
- Repository
- Packages
- CI/CD - General
- CI/CD - Variables
- CI/CD - Runners
- CI/CD - Agents
- Application Security
- Compliance
- Monitoring
- Analytics
- User Management
- Groups
- Projects
Please add any feedback on grouping, granularity requests, and missing permissions here. If more granularity is required, please expand on the use case.
I think having a consistent CRUD model will make it easier to manage resource permissions. (Ignore if previously answered)
Scale: Strongly Disagree to Strongly Agree
I think associating the "Manage" permission with updating settings of a resource will make it easier to isolate access. (Ignore if previously answered)
Scale: Strongly Disagree to Strongly Agree
I think having a predefined template or permission sets based on Personas will make it easier to fill out permissions. (Ignore if previously answered)
Scale: Strongly Disagree to Strongly Agree
What challenges do you have with existing permissions in GitLab? This could be default roles, custom roles, inheritance, and group or project settings. (Ignore if previously answered)
Please add any other suggestions and input below. (Ignore if previously answered)
This form was created inside of GitLab.