GitLab Roles allows us to manage and create permission around Users and Groups. You will also understand how GitLab organize the different level of permissions and how you can choose the best for you or your team.
Also, let’s go deep into best practices that you apply on GitLab to define the Roles.
Everything documented in this article is valid for all tiers of GitLab.
GitLab Roles
First, let’s see the GitLab role list and be aware of all the different levels of permission available.
The list below follows a logical order, from fewer privileges to the highest privileges:
1 – Guest
2 – Reporter
3 – Developer
4 – Maintainer
5 – Owner
Guest Role on GitLab
The Guest Role on Gitlab is the role with fewer privileges and has a very limited view. Also, Guest users can merely view the personal issues they created themselves or are assigned to.
Reporter Role on GitLab
The user assigned to the Reporter role has full-view and read-only access. The Reporter user can also comment on Projects, like commits. Also, create milestones.
Both Guest and Reporter can’t run CI Job.
Developer Role on GitLab
The developer role is the first level where the permission level gets write access like commit and manage branches and tags.
Also, the Developer user can:
– execute CI Jobs.
– Push new Branches
– Create new Tags
– Submit Merge Request
– Merge Request Approval (Depends on Project Settings)
A developer can’t manage Projects like giving someone access. Also, you can’t delete o create projects.
Maintainer Role on GitLab
The user with the Maintainer role can perform most of the actions with a specific Project.
Also, the Maintainer Role can perform everything that the Developer Role does, plus the following list below:
– Assign new members
– Manage GitLab Pages
– Manage Clusters
– Merge Request Approval (Depends on Project Settings)
– Rename Project
The Owner Role on GitLab
When you create a new project on GitLab, your user is configured as an Owner automatically. It means that you have full access to all features of that project.
Leave Project As Owner
The GitLab allows the Owners to leave (not be a member) their project. To leave your project, you can access the Member session from the project and click on the red button, like the screenshot below:
Administrator Role
The Administrator Role is a special role not managed on Project or Group Level. The Users with the Administrator Role have full access to the whole GitLab server.
Also:
- Clone any project
- Create/Rename/Delete any project
- Manage Users account
- Manage the GitLab Runners
- Manage any Configuration on GitLab.
How to assign a User to an Administrator Role on GitLab?
Assigning an Administrator Role to an existing user, it’s pretty easy. First, however, you should be an Administrator.
You need to edit the user, and you will see the session “Access”, like the screenshot below:
GitLab Roles Explained
Take advantage of Groups.
Let’s see some best practices where using a Group allows us to follow a standard and make it easier to assign a new member to a Group.
Let’s look at one scenario in which one company has two groups of employees: Developers and Operations (DevOps)
The company has thousands of projects, and the permissions should always follow the same level for any person inside the same group because the company has a constant audit process and must follow all rules.
The best practice is to create one GitLab Group, one for Developers and another for Operations.
Note that creating a group on GitLab is not limited to creating a namespace for projects to organize them inside of it.
So, it means you can create a group with no project inside of it.
In this case, the group goal is only to group users logically.
Why? What are the advantages of having such a Group with no project?
Simple, let me give you more details.
The GitLab allows you to assign a group as a single member, see the screenshot below:
Assigning new members to a group is the same process as assigning for a regular project on the member’s session.
Let’s list some advantages of this approach:
1 – When you assign the group to all projects needed, you have the following benefits:
- New Members assigned to the group will automatically have access to all projects that others member from the same group have.
- You can choose the “Max Access Level” for the whole group at once.
Hierarquical Permission on Gitlab
One consideration worth highlighting is that once you give user access directly to a group, it means if you try to decrease the privileges of that user for projects inner this group, the highest privilege will prevail.
For more information, access here.
