GitLab Role - How to Define Permissions

GitLab roles let us manage and define permissions for users and groups. In this article you will see how GitLab organizes the different levels of permission and how you can choose the best one for you or your team.

We will also go deep into best practices that you can apply on GitLab when defining roles.

Everything documented in this article is valid for all tiers of GitLab.

GitLab Roles

First, let’s look at the list of GitLab roles and the different levels of permission available.

The list below follows a logical order, from the fewest privileges to the most:

1 – Guest

2 – Reporter

3 – Developer

4 – Maintainer

5 – Owner

Guest Role on GitLab

The Guest role is the GitLab role with the fewest privileges and has a very limited view. Guest users can only view the issues they created themselves or are assigned to.

Reporter Role on GitLab

A user assigned the Reporter role has full-view, read-only access. A Reporter can also comment on project items such as commits, and create milestones.

Neither Guest nor Reporter can run CI jobs.

Developer Role on GitLab

The Developer role is the first level that grants write access, such as committing and managing branches and tags.

Also, the Developer user can:

– Execute CI jobs

– Push new Branches

– Create new Tags

– Submit Merge Request

– Merge Request Approval (Depends on Project Settings)

A Developer can’t manage projects, for example by giving someone access. A Developer also can’t delete or create projects.

Maintainer Role on GitLab

A user with the Maintainer role can perform most actions on a specific project.

The Maintainer role can do everything that the Developer role does, plus the following:

– Assign new members

– Manage GitLab Pages

– Manage Clusters

– Merge Request Approval (Depends on Project Settings)

– Rename Project

The Owner Role on GitLab

When you create a new project on GitLab, your user is configured as an Owner automatically. It means that you have full access to all features of that project.

Leave Project As Owner

GitLab allows Owners to leave their project (stop being a member). To leave your project, open the Members section of the project and click the red button, as in the screenshot below:

[Screenshot: GitLab Role – Leave project as owner]

Administrator Role

The Administrator role is a special role that is not managed at the project or group level. Users with the Administrator role have full access to the whole GitLab server.

They can also:

  • Clone any project
  • Create/Rename/Delete any project
  • Manage user accounts
  • Manage the GitLab Runners
  • Manage any Configuration on GitLab.

How to assign a User to an Administrator Role on GitLab?

Assigning the Administrator role to an existing user is pretty easy. First, however, you must be an Administrator yourself.

Edit the user, and you will see the “Access” section, as in the screenshot below:

[Screenshot: GitLab Role – Assign User as Admin]

GitLab Roles Explained

Take advantage of Groups.

Let’s see some best practices where using a group lets us follow a standard and makes it easier to give a new member the right access.

Let’s look at a scenario in which a company has two groups of employees: Developers and Operations (DevOps).

The company has thousands of projects, and every person inside the same group should always have the same level of permission, because the company has a constant audit process and must follow all rules.

The best practice is to create one GitLab group per team: one for Developers and another for Operations.

Note that a group on GitLab is not limited to being a namespace that organizes the projects inside it.

This means you can create a group with no projects inside it.

In this case, the group’s only goal is to group users logically.

Why? What are the advantages of having such a Group with no project? 

Simple, let me give you more details.

GitLab allows you to assign a whole group to a project as if it were a single member; see the screenshot below:

[Screenshot: GitLab Role – Assign Group to a Project]

Assigning new members to a group is the same process as assigning them to a regular project, in the Members section.

Let’s list some advantages of this approach:

1 – When you assign the group to all the projects that need it, you have the following benefits:

  • New members added to the group automatically get access to all projects that the other members of the same group have.
  • You can choose the “Max Access Level” for the whole group at once.

Hierarchical Permissions on GitLab

One consideration worth highlighting: once you give a user access directly to a group, any attempt to decrease that user’s privileges on projects inside the group has no effect, because the highest privilege prevails.

For more information, access here.
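
The two rules above (the “Max Access Level” chosen when a group is assigned to a project, and the highest privilege prevailing) are what an access audit has to reproduce. The script below is an added example, not part of the original article or of GitLab’s own code; the users, groups, project name and function names are hypothetical, and the numeric levels are the ones the GitLab API uses for these roles.

```python
from enum import IntEnum

class Access(IntEnum):
    """Numeric access levels as used by the GitLab API."""
    GUEST = 10
    REPORTER = 20
    DEVELOPER = 30
    MAINTAINER = 40
    OWNER = 50

def effective_access(user, project, direct, parent_group, shares):
    """Highest role `user` ends up with on `project`, or None if no access."""
    grants = []
    if (user, project) in direct:            # added directly to the project
        grants.append(direct[(user, project)])
    if user in parent_group:                 # member of the group that owns the project
        grants.append(parent_group[user])
    for members, max_level in shares:        # groups assigned to the project
        if user in members:
            # "Max Access Level" caps what the assigned group's members receive.
            grants.append(min(members[user], max_level))
    return max(grants) if grants else None   # the highest privilege prevails

def ineffective_downgrades(project, direct, parent_group, shares):
    """Direct project roles that are lower than what the user really has."""
    findings = []
    for (user, proj), level in sorted(direct.items()):
        if proj != project:
            continue
        actual = effective_access(user, project, direct, parent_group, shares)
        if actual > level:
            findings.append((user, level.name, actual.name))
    return findings

# Constructed sample data (hypothetical users, groups and project).
PROJECT = "billing-api"
PARENT_GROUP = {"alice": Access.MAINTAINER}
DIRECT = {("alice", PROJECT): Access.REPORTER, ("bob", PROJECT): Access.DEVELOPER}
DEVELOPERS = {"carol": Access.OWNER, "bob": Access.GUEST}   # user-only group
OPERATIONS = {"dave": Access.MAINTAINER}                    # user-only group
SHARES = [(DEVELOPERS, Access.DEVELOPER), (OPERATIONS, Access.REPORTER)]

if __name__ == "__main__":
    for user in ["alice", "bob", "carol", "dave", "eve"]:
        level = effective_access(user, PROJECT, DIRECT, PARENT_GROUP, SHARES)
        print(f"{user:6} {level.name if level else 'no access'}")
    print(ineffective_downgrades(PROJECT, DIRECT, PARENT_GROUP, SHARES))
```

In the sample data, alice’s Reporter entry on the project is reported as ineffective because her Maintainer membership in the parent group wins, while carol and dave are held to the level chosen when their groups were assigned.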
