Diffstat (limited to 'doc/user/permissions.md')
-rw-r--r-- | doc/user/permissions.md | 54 |
1 files changed, 35 insertions, 19 deletions
diff --git a/doc/user/permissions.md b/doc/user/permissions.md index 10147e7f69c..eb79d5099eb 100644 --- a/doc/user/permissions.md +++ b/doc/user/permissions.md @@ -33,8 +33,13 @@ usernames. A GitLab administrator can configure the GitLab instance to ## Project members permissions -The Owner role is only available at the group or personal namespace level (and for instance administrators) and is inherited by its projects. -While Maintainer is the highest project-level role, some actions can only be performed by a personal namespace or group owner, or an instance administrator, who receives all permissions. +A user's role determines what permissions they have on a project. The Owner role provides all permissions but is +available only: + +- For group owners. The role is inherited for a group's projects. +- For Administrators. + +Personal namespace owners have the same permissions as an Owner, but are displayed with the Maintainer role on projects created in their personal namespace. For more information, see [projects members documentation](project/members/index.md). The following table lists project permissions available for each role: @@ -70,7 +75,7 @@ The following table lists project permissions available for each role: | [CI/CD](../ci/index.md):<br>Manage job triggers | | | | ✓ | ✓ | | [CI/CD](../ci/index.md):<br>Manage runners | | | | ✓ | ✓ | | [CI/CD](../ci/index.md):<br>Run Web IDE's Interactive Web Terminals **(ULTIMATE ONLY)** | | | | ✓ | ✓ | -| [CI/CD](../ci/index.md):<br>Use [environment terminals](../ci/environments/index.md#web-terminals) | | | | ✓ | ✓ | +| [CI/CD](../ci/index.md):<br>Use [environment terminals](../ci/environments/index.md#web-terminals-deprecated) | | | | ✓ | ✓ | | [CI/CD](../ci/index.md):<br>Delete pipelines | | | | | ✓ | | [Clusters](infrastructure/clusters/index.md):<br>View [pod logs](project/clusters/kubernetes_pod_logs.md) | | | ✓ | ✓ | ✓ | | [Clusters](infrastructure/clusters/index.md):<br>Manage clusters | | | | ✓ | ✓ | 
@@ -81,6 +86,15 @@ The following table lists project permissions available for each role: | [GitLab Pages](project/pages/index.md):<br>Manage | | | | ✓ | ✓ | | [GitLab Pages](project/pages/index.md):<br>Manage GitLab Pages domains and certificates | | | | ✓ | ✓ | | [GitLab Pages](project/pages/index.md):<br>Remove GitLab Pages | | | | ✓ | ✓ | +| [Incident Management](../operations/incident_management/index.md):<br>View [alerts](../operations/incident_management/alerts.md) | | ✓ | ✓ | ✓ | ✓ | +| [Incident Management](../operations/incident_management/index.md):<br>Assign an alert | ✓| ✓ | ✓ | ✓ | ✓ | +| [Incident Management](../operations/incident_management/index.md):<br>View [incident](../operations/incident_management/incidents.md) | ✓| ✓ | ✓ | ✓ | ✓ | +| [Incident Management](../operations/incident_management/index.md):<br>Create [incident](../operations/incident_management/incidents.md) | (*17*) | ✓ | ✓ | ✓ | ✓ | +| [Incident Management](../operations/incident_management/index.md):<br>View [on-call schedules](../operations/incident_management/oncall_schedules.md) | | ✓ | ✓ | ✓ | ✓ | +| [Incident Management](../operations/incident_management/index.md):<br>Participate in on-call rotation | ✓| ✓ | ✓ | ✓ | ✓ | +| [Incident Management](../operations/incident_management/index.md):<br>View [escalation policies](../operations/incident_management/escalation_policies.md) | | ✓ | ✓ | ✓ | ✓ | +| [Incident Management](../operations/incident_management/index.md):<br>Manage [on-call schedules](../operations/incident_management/oncall_schedules.md) | | | | ✓ | ✓ | +| [Incident Management](../operations/incident_management/index.md):<br>Manage [escalation policies](../operations/incident_management/escalation_policies.md)| | | | ✓ | ✓ | | [Issues](project/issues/index.md):<br>Add Labels | ✓ (*16*) | ✓ | ✓ | ✓ | ✓ | | [Issues](project/issues/index.md):<br>Assign | ✓ (*16*) | ✓ | ✓ | ✓ | ✓ | | [Issues](project/issues/index.md):<br>Create | ✓ | ✓ | ✓ | ✓ | ✓ | 
@@ -140,7 +154,7 @@ The following table lists project permissions available for each role: | [Projects](project/index.md):<br>Add new team members | | | | ✓ | ✓ | | [Projects](project/index.md):<br>Change [project features visibility](../public_access/public_access.md) level | | | | ✓ (14) | ✓ | | [Projects](project/index.md):<br>Configure [webhooks](project/integrations/webhooks.md) | | | | ✓ | ✓ | -| [Projects](project/index.md):<br>Delete [wiki](project/wiki/index.md) pages | | | | ✓ | ✓ | +| [Projects](project/index.md):<br>Delete [wiki](project/wiki/index.md) pages | | | ✓ | ✓ | ✓ | | [Projects](project/index.md):<br>Edit comments (posted by any user) | | | | ✓ | ✓ | | [Projects](project/index.md):<br>Edit project badges | | | | ✓ | ✓ | | [Projects](project/index.md):<br>Edit project settings | | | | ✓ | ✓ | @@ -169,7 +183,7 @@ The following table lists project permissions available for each role: | [Repository](project/repository/index.md):<br>Enable or disable branch protection | | | | ✓ | ✓ | | [Repository](project/repository/index.md):<br>Enable or disable tag protection | | | | ✓ | ✓ | | [Repository](project/repository/index.md):<br>Manage [push rules](../push_rules/push_rules.md) | | | | ✓ | ✓ | -| [Repository](project/repository/index.md):<br>Push to protected branches | | | | ✓ | ✓ | +| [Repository](project/repository/index.md):<br>Push to protected branches (*5*) | | | | ✓ | ✓ | | [Repository](project/repository/index.md):<br>Turn on or off protected branch push for developers | | | | ✓ | ✓ | | [Repository](project/repository/index.md):<br>Remove fork relationship | | | | | ✓ | | [Repository](project/repository/index.md):<br>Force push to protected branches (*4*) | | | | | | 
@@ -202,7 +216,7 @@ The following table lists project permissions available for each role: 1. If **Public pipelines** is enabled in **Project Settings > CI/CD**. 1. Not allowed for Guest, Reporter, Developer, Maintainer, or Owner. See [protected branches](project/protected_branches.md). 1. If the [branch is protected](project/protected_branches.md), this depends on the access Developers and Maintainers are given. -1. Guest users can access GitLab [**Releases**](project/releases/index.md) for downloading assets but are not allowed to download the source code nor see repository information like tags and commits. +1. Guest users can access GitLab [**Releases**](project/releases/index.md) for downloading assets but are not allowed to download the source code nor see [repository information like commits and release evidence](project/releases/index.md#view-a-release-and-download-assets). 1. Actions are limited only to records owned (referenced) by user. 1. When [Share Group Lock](group/index.md#prevent-a-project-from-being-shared-with-groups) is enabled the project can't be shared with other groups. It does not affect group with group sharing. 1. For information on eligible approvers for merge requests, see @@ -216,7 +230,9 @@ The following table lists project permissions available for each role: [project visibility](../public_access/public_access.md) is set to private. 1. Attached design files are moved together with the issue even if the user doesn't have the Developer role. -1. Guest users can set metadata (for example, labels, assignees, or milestones) when creating an issue. +1. Guest users can only set metadata (for example, labels, assignees, or milestones) + when creating an issue. They cannot change the metadata on existing issues. +1. In GitLab 14.5 or later, Guests are not allowed to [create incidents](../operations/incident_management/incidents.md#incident-creation). ## Project features permissions 
@@ -305,7 +321,7 @@ The following table lists group permissions available for each role: | Use security dashboard **(ULTIMATE)** | | | ✓ | ✓ | ✓ | | View group Audit Events | | | ✓ (7) | ✓ (7) | ✓ | | Create subgroup | | | | ✓ (1) | ✓ | -| Delete group wiki pages **(PREMIUM)** | | | | ✓ | ✓ | +| Delete group wiki pages **(PREMIUM)** | | | ✓ | ✓ | ✓ | | Edit epic comments (posted by any user) **(ULTIMATE)** | | | | ✓ (2) | ✓ (2) | | List group deploy tokens | | | | ✓ | ✓ | | Manage [group push rules](group/index.md#group-push-rules) **(PREMIUM)** | | | | ✓ | ✓ | @@ -384,8 +400,10 @@ An administrator can flag a user as external by either of the following methods: 1. On the left sidebar, select **Overview > Users** to create a new user or edit an existing one. There, you can find the option to flag the user as external. -Additionally users can be set as external users using [SAML groups](../integration/saml.md#external-groups) -and [LDAP groups](../administration/auth/ldap/index.md#external-groups). +Additionally users can be set as external users using: + +- [SAML groups](../integration/saml.md#external-groups). +- [LDAP groups](../administration/auth/ldap/ldap_synchronization.md#external-groups). ### Setting new users to external @@ -416,7 +434,7 @@ Be aware that this regex could lead to a ## Free Guest users **(ULTIMATE)** -When a user is given Guest permissions on a project, group, or both, and holds no +When a user is given the Guest role on a project, group, or both, and holds no higher permission level on any other project or group on the GitLab instance, the user is considered a guest user by GitLab and does not consume a license seat. There is no other specific "guest" designation for newly created users. 
@@ -466,22 +484,20 @@ subscriptions. Project features like wiki and issues can be hidden from users depending on which visibility level you select on project settings. -- Disabled: disabled for everyone -- Only team members: only team members will see even if your project is public or internal -- Everyone with access: everyone can see depending on your project visibility level -- Everyone: enabled for everyone (only available for GitLab Pages) +- Disabled: disabled for everyone. +- Only team members: only team members can see, even if your project is public or internal. +- Everyone with access: everyone can see depending on your project visibility level. +- Everyone: enabled for everyone (only available for GitLab Pages). ## GitLab CI/CD permissions -GitLab CI/CD permissions rely on the role the user has in GitLab. There are four -roles: +GitLab CI/CD permissions rely on the role the user has in GitLab: -- Administrator - Maintainer - Developer - Guest/Reporter -The Administrator role can perform any action on GitLab CI/CD in scope of the GitLab +GitLab administrators can perform any action on GitLab CI/CD in scope of the GitLab instance and project. | Action | Guest, Reporter | Developer |Maintainer| Administrator | |
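Review bot: In the hunk at @@ -33,8 +33,13 @@, the sentence "Personal namespace owners have the same permissions as an Owner, but are displayed with the Maintainer role" describes a gap between the displayed role and the effective permissions, and it is easy to miss in running prose. Anyone reviewing a member list for access will read "Maintainer" and undercount Owner-level access, so consider setting this apart as a note and repeating it next to the table. The link text "projects members documentation" should also be reworded, for example "project members", and the line wrapped like the paragraph above it.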
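Review bot: The environment terminals row at @@ -70,7 +75,7 @@ now points at the anchor `#web-terminals-deprecated`, but the visible row text still reads "Use environment terminals" with nothing to tell the reader the feature is deprecated. If the target heading was renamed to mark deprecation, mark the row the same way, and confirm the new anchor resolves in `../ci/environments/index.md`.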
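Review bot: In the Incident Management rows added at @@ -81,6 +86,15 @@, the first role column is checked for "Assign an alert" and "Participate in on-call rotation" but empty for "View alerts" and "View on-call schedules", so the table says that role can act on objects it cannot view. Please check these four rows against the actual policy and make the view and act rows agree. The "Create incident" cell holds only `(*17*)` with no checkmark, while other footnoted cells in this file use `✓ (*16*)`; since footnote 17 says Guests are not allowed to create incidents in 14.5 or later, either leave the cell empty or spell out the version condition. The `| ✓|` cells are also missing the space before the pipe that the other rows have.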
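Review bot: The "Delete wiki pages" row at @@ -140,7 +154,7 @@ gains a checkmark in the third role column, and the "Delete group wiki pages" row at @@ -305,7 +321,7 @@ does the same, which documents a wider grant of a destructive action rather than a wording fix. Neither row says from which release this applies, whereas footnote 17 in this same patch carries "In GitLab 14.5 or later". Add an equivalent version footnote to both rows so readers on earlier releases do not take the table as describing their instance.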
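Review bot: The rewritten Releases footnote at @@ -202,7 +216,7 @@ drops "tags" from the repository information a Guest cannot see and adds "release evidence" in its place. If Guests still cannot see tags, keep the word; if they now can, that changes what is exposed to the lowest role and should be stated outright rather than implied by an omission. The link text also covers the whole phrase "repository information like commits and release evidence"; linking only the section name would be easier to scan.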
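Review bot: In the footnote changed at @@ -216,7 +230,9 @@, "Guest users can only set metadata (...) when creating an issue" puts "only" where it can be read as "metadata is the only thing Guests can set". The sentence added after it shows the restriction is about timing, so move the adverb: "Guest users can set metadata (for example, labels, assignees, or milestones) only when creating an issue."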
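Review bot: After the change at @@ -466,22 +484,20 @@, the list under "GitLab CI/CD permissions" no longer includes Administrator, but the table header in the trailing context still has an Administrator column beside "Guest, Reporter", Developer and Maintainer. State in the sentence "GitLab administrators can perform any action ..." that the Administrator column refers to instance administrators and not to a project role, so the list and the table do not appear to disagree. In the visibility list above it, "only team members can see" is missing its object; "can see the feature" would fix it.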