Fine-grained permissions for personal access tokens in the GraphQL API

<!-- This documentation is auto-generated by a Rake task. Please do not edit this file directly. To update this file, run: `bundle exec rake gitlab:permissions:graphql:compile_docs`. To make changes to the output of the Rake task, edit `tooling/authz/permissions/docs/templates/granular_pat_graphql_fields.md.erb`. -->

{{< details >}}

• Tier: Free, Premium, Ultimate
• Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated
• Status: Beta

{{< /details >}}

Fine-grained personal access tokens scope access to specific permissions in the GraphQL API. To create a fine-grained personal access token, see Fine-grained permissions for personal access tokens.

Available fine-grained permissions

Fine-grained personal access tokens can access the following GraphQL types, mutations, and fields:

Application Security resources

Dependency

Grants the ability to read dependencies.

Action	Access	Kind	Name
Read	Project	Type	DependencyLocation

Pipeline Execution Project Schedule

Grants the ability to read pipeline execution project schedules.

Action	Access	Kind	Name
Read	Project	Type	PipelineExecutionProjectSchedule

Vulnerability

Grants the ability to create, read, and update vulnerabilities.

Action	Access	Kind	Name
Create	Project	Mutation	VulnerabilityCreate
Read	Project	Type	CountableVulnerability
Read	Project	Type	Vulnerability
Update	Project	Mutation	VulnerabilityConfirm
Update	Project	Mutation	VulnerabilityDismiss
Update	Project	Mutation	VulnerabilityResolve
Update	Project	Mutation	VulnerabilityRevertToDetected

CI/CD resources

CI Config

Grants the ability to read and validate CI/CD configuration.

Action	Access	Kind	Name
Validate	Project	Mutation	CiLint

CI/CD Setting

Grants the ability to update CI/CD settings.

Action	Access	Kind	Name
Update	Project	Mutation	ProjectCiCdSettingsUpdate
Update	Group	Mutation	SafeDisablePipelineVariables

Catalog Resource

Grants the ability to create and delete CI catalog resources.

Action	Access	Kind	Name
Create	Project	Mutation	CatalogResourcesCreate
Delete	Project	Mutation	CatalogResourcesDestroy

Cd Application

Grants the ability to create and read cd applications.

Action	Access	Kind	Name
Create	Group	Mutation	CdApplicationCreate
Create	Instance	Mutation	CdApplicationCreate
Read	Group	Type	CdApplication
Read	Instance	Type	CdApplication

Cd Environment

Grants the ability to create and read cd environments.

Action	Access	Kind	Name
Create	Group	Mutation	CdEnvironmentCreate
Create	Instance	Mutation	CdEnvironmentCreate
Read	Group	Type	CdEnvironment
Read	Instance	Type	CdEnvironment

Cluster Agent

Grants the ability to create, delete, and read cluster agents.

Action	Access	Kind	Name
Create	Project	Mutation	CreateClusterAgent
Delete	Project	Mutation	ClusterAgentDelete
Read	Project	Type	ClusterAgent

Cluster Agent Token

Grants the ability to create, read, and revoke cluster agent tokens.

Action	Access	Kind	Name
Create	Project	Mutation	ClusterAgentTokenCreate

Cluster Agent URL Configuration

Grants the ability to create, delete, and read cluster agent URL configurations.

Action	Access	Kind	Name
Create	Project	Mutation	ClusterAgentUrlConfigurationCreate
Delete	Project	Mutation	ClusterAgentUrlConfigurationDelete

Deployment

Grants the ability to approve, create, delete, read, and update deployments.

Action	Access	Kind	Name
Approve	Project	Mutation	ApproveDeployment

Environment

Grants the ability to create, delete, read, stop, and update environments.

Action	Access	Kind	Name
Create	Project	Mutation	EnvironmentCreate
Delete	Project	Mutation	EnvironmentDelete
Read	Project	Type	Environment
Stop	Project	Mutation	EnvironmentStop
Update	Project	Mutation	EnvironmentUpdate

Freeze Period

Grants the ability to create, delete, read, and update freeze periods.

Action	Access	Kind	Name
Read	Project	Type	CiFreezePeriod

Job

Grants the ability to delete, read, run, and update jobs.

Action	Access	Kind	Name
Read	Project	Type	CiJob
Run	Project	Mutation	JobPlay
Run	Project	Mutation	JobRetry
Update	Project	Mutation	JobCancel
Update	Project	Mutation	JobUnschedule

Job Artifact

Grants the ability to delete, read, and update job artifacts.

Action	Access	Kind	Name
Delete	Project	Mutation	ArtifactDestroy
Delete	Project	Mutation	BulkDestroyJobArtifacts
Delete	Project	Mutation	JobArtifactsDestroy
Read	Project	Type	CiJobArtifact

Pipeline

Grants the ability to create, delete, read, and update pipelines.

Action	Access	Kind	Name
Create	Project	Mutation	PipelineCreate
Delete	Project	Mutation	PipelineDestroy
Read	Project	Type	CiStage
Read	Project	Type	Pipeline
Update	Project	Mutation	PipelineCancel
Update	Project	Mutation	PipelineRetry

Pipeline Schedule

Grants the ability to create, delete, read, and update pipeline schedules.

Action	Access	Kind	Name
Create	Project	Mutation	PipelineScheduleCreate
Delete	Project	Mutation	PipelineScheduleDelete
Read	Project	Type	PipelineSchedule
Read	Project	Field	Project.pipelineSchedules
Update	Project	Mutation	PipelineSchedulePlay
Update	Project	Mutation	PipelineScheduleTakeOwnership
Update	Project	Mutation	PipelineScheduleUpdate

Runner

Grants the ability to assign, create, delete, read, and update runners.

Action	Access	Kind	Name
Assign	Project	Mutation	RunnerAssignToProject
Assign	Project	Mutation	RunnerUnassignFromProject
Create	Project	Mutation	RunnerCreate
Create	Group	Mutation	RunnerCreate
Create	Instance	Mutation	RunnerCreate
Delete	Project	Mutation	RunnerDelete
Delete	Group	Mutation	RunnerDelete
Delete	Instance	Mutation	RunnerDelete
Read	Project	Type	CiRunner
Read	Project	Field	Project.runners
Read	Project	Field	Query.runner
Read	Group	Type	CiRunner
Read	Group	Field	Group.runners
Read	Group	Field	Query.runner
Read	Instance	Type	CiRunner
Read	Instance	Field	Query.runner
Read	Instance	Field	Query.runners
Update	Project	Mutation	RunnerCacheClear
Update	Project	Mutation	RunnerUpdate
Update	Group	Mutation	RunnerUpdate
Update	Instance	Mutation	RunnerUpdate

Terraform State

Grants the ability to create, delete, lock, read, and update Terraform state.

Action	Access	Kind	Name
Delete	Project	Mutation	TerraformStateDelete
Lock	Project	Mutation	TerraformStateLock
Lock	Project	Mutation	TerraformStateUnlock
Read	Project	Type	TerraformState
Read	Project	Type	TerraformStateProtectionRule
Read	Project	Type	TerraformStateVersion
Update	Project	Mutation	UpdateTerraformStateProtectionRule

Terraform State Protection Rule

Grants the ability to create, delete, and update Terraform state protection rules.

Action	Access	Kind	Name
Create	Project	Mutation	CreateTerraformStateProtectionRule
Delete	Project	Mutation	DeleteTerraformStateProtectionRule

Trigger

Grants the ability to create, delete, read, and update triggers.

Action	Access	Kind	Name
Create	Project	Mutation	PipelineTriggerCreate
Delete	Project	Mutation	PipelineTriggerDelete
Read	Project	Type	PipelineTrigger
Update	Project	Mutation	PipelineTriggerUpdate

Duo resources

AI catalog item

Grants the ability to restore AI catalog items.

Action	Access	Kind	Name
Restore	Project	Mutation	AiCatalogItemVersionRestore

Model Selection Allowlist

Grants the ability to read and update model selection allowlists.

Action	Access	Kind	Name
Read	Group	Type	AiModelSelectionAllowList
Read	Group	Type	AiModelSelectionAllowListModel
Read	Instance	Type	AiModelSelectionAllowList
Read	Instance	Type	AiModelSelectionAllowListModel
Update	Group	Mutation	AiModelSelectionNamespaceModelAllowlistUpdate
Update	Instance	Mutation	AiFeatureSettingModelAllowlistUpdate

Groups resources

Admin Member Role

Grants the ability to create, delete, read, and update admin member roles.

Action	Access	Kind	Name
Create	Instance	Mutation	MemberRoleAdminCreate
Delete	Instance	Mutation	MemberRoleAdminDelete
Read	Instance	Type	AdminMemberRole
Update	Instance	Mutation	MemberRoleAdminUpdate

Group

Grants the ability to archive, create, delete, read, share, transfer, and update groups.

Action	Access	Kind	Name
Read	Group	Type	Group
Read	Group	Field	Query.group
Update	Group	Mutation	GroupUpdate

LDAP Admin Role Link

Grants the ability to create, delete, and read LDAP admin role links

Action	Access	Kind	Name
Create	Instance	Mutation	AdminRolesLdapSync
Create	Instance	Mutation	LdapAdminRoleLinkCreate
Delete	Instance	Mutation	LdapAdminRoleLinkDestroy
Read	Instance	Type	LdapAdminRoleLink

Member Role

Grants the ability to create, delete, and read member roles.

Action	Access	Kind	Name
Create	Group	Mutation	MemberRoleCreate
Create	Instance	Mutation	MemberRoleCreate

Preference

Grants the ability to read and update preferences.

Action	Access	Kind	Name
Read	User	Type	UserPreferences
Update	User	Mutation	UserPreferencesUpdate

Topic

Grants the ability to create, delete, merge, read, and update topics.

Action	Access	Kind	Name
Read	Instance	Type	Topic

Organizations resources

Organization

Grants the ability to create, delete, read, and update organizations.

Action	Access	Kind	Name
Create	Instance	Mutation	OrganizationCreate
Delete	Instance	Mutation	OrganizationDelete
Read	Instance	Type	Organization
Read	Instance	Type	OrganizationUser
Read	Instance	Field	Query.organization
Read	Instance	Field	Query.organizations
Update	Instance	Mutation	OrganizationUpdate
Update	Instance	Mutation	OrganizationUserUpdate

Packages And Registry resources

Container Registry Protection Tag Rule

Grants the ability to create, delete, read, and update container registry protection tag rules.

Action	Access	Kind	Name
Create	Project	Mutation	createContainerProtectionTagRule
Delete	Project	Mutation	DeleteContainerProtectionTagRule
Update	Project	Mutation	UpdateContainerProtectionTagRule

Container Repository

Grants the ability to delete and read container repositories.

Action	Access	Kind	Name
Delete	Project	Mutation	DestroyContainerRepository
Delete	Project	Mutation	DestroyContainerRepositoryTags

Container Repository Protection Rule

Grants the ability to create, delete, read, and update container repository protection rules.

Action	Access	Kind	Name
Create	Project	Mutation	CreateContainerProtectionRepositoryRule
Delete	Project	Mutation	DeleteContainerProtectionRepositoryRule
Update	Project	Mutation	UpdateContainerProtectionRepositoryRule

Dependency Proxy

Grants the ability to update dependency proxies.

Action	Access	Kind	Name
Update	Group	Mutation	UpdateDependencyProxyImageTtlGroupPolicy
Update	Group	Mutation	UpdateDependencyProxySettings

Package

Grants the ability to create, delete, read, and update packages.

Action	Access	Kind	Name
Create	Project	Mutation	CreatePackagesProtectionRule
Delete	Project	Mutation	DeletePackagesProtectionRule
Delete	Project	Mutation	DestroyPackage
Delete	Project	Mutation	DestroyPackageFile
Delete	Project	Mutation	DestroyPackageFiles
Update	Project	Mutation	UpdatePackagesCleanupPolicy
Update	Project	Mutation	UpdatePackagesProtectionRule

Project Features resources

Badge

Grants the ability to create, delete, read, and update badges.

Action	Access	Kind	Name
Read	Instance	Type	OrganizationUserBadge

Release

Grants the ability to create, delete, read, and update releases.

Action	Access	Kind	Name
Create	Project	Mutation	ReleaseAssetLinkCreate
Create	Project	Mutation	ReleaseCreate
Delete	Project	Mutation	ReleaseDelete
Update	Project	Mutation	ReleaseUpdate

Snippet

Grants the ability to create, delete, read, and update snippets.

Action	Access	Kind	Name
Create	Project	Mutation	CreateSnippet
Create	User	Mutation	CreateSnippet
Delete	Project	Mutation	DestroySnippet
Delete	User	Mutation	DestroySnippet
Update	Project	Mutation	UpdateSnippet
Update	User	Mutation	UpdateSnippet

Project Model Registry And Experiments resources

Model Version

Grants the ability to create, delete, and update model versions.

Action	Access	Kind	Name
Create	Project	Mutation	MlModelVersionCreate
Delete	Project	Mutation	MlModelVersionDelete
Update	Project	Mutation	MlModelVersionEdit

Project Planning resources

Custom Attribute

Grants the ability to delete, read, and update custom attributes.

Action	Access	Kind	Name
Delete	Project	Mutation	DeleteProjectCustomAttribute
Delete	Group	Mutation	DeleteGroupCustomAttribute
Update	Project	Mutation	ProjectCustomAttributeSet
Update	Group	Mutation	SetGroupCustomAttribute

Label

Grants the ability to create, delete, promote, read, and update labels.

Action	Access	Kind	Name
Create	Project	Mutation	LabelCreate
Create	Group	Mutation	LabelCreate
Read	Project	Type	Label
Read	Group	Type	Label
Update	Project	Mutation	LabelUpdate
Update	Group	Mutation	LabelUpdate

Work Item

Grants the ability to create, delete, read, and update work items such as epics and issues.

Action	Access	Kind	Name
Create	Project	Mutation	CreateIssue
Create	Project	Mutation	WorkItemCreate
Create	Project	Field	EpicIssue.createNoteEmail
Create	Project	Field	Issue.createNoteEmail
Create	Project	Field	WorkItem.createNoteEmail
Create	Group	Mutation	IterationCadenceCreate
Create	Group	Mutation	WorkItemCreate
Delete	Project	Mutation	WorkItemDelete
Delete	Group	Mutation	IterationCadenceDestroy
Delete	Group	Mutation	IterationDelete
Delete	Group	Mutation	WorkItemDelete
Read	Project	Type	EpicIssue
Read	Project	Type	Issue
Read	Project	Type	Milestone
Read	Project	Type	WorkItem
Read	Group	Type	Iteration
Read	Group	Type	IterationCadence
Read	Group	Type	Milestone
Read	Group	Type	WorkItemMoveTarget
Update	Project	Mutation	IssueLinkAlerts
Update	Project	Mutation	IssueMove
Update	Project	Mutation	IssueSetAssignees
Update	Project	Mutation	IssueSetConfidential
Update	Project	Mutation	IssueSetCrmContacts
Update	Project	Mutation	IssueSetDueDate
Update	Project	Mutation	IssueSetEpic
Update	Project	Mutation	IssueSetEscalationPolicy
Update	Project	Mutation	IssueSetEscalationStatus
Update	Project	Mutation	IssueSetIteration
Update	Project	Mutation	IssueSetLocked
Update	Project	Mutation	IssueSetSeverity
Update	Project	Mutation	IssueSetWeight
Update	Project	Mutation	IssueUnlinkAlert
Update	Project	Mutation	UpdateIssue
Update	Project	Mutation	WorkItemAddClosingMergeRequest
Update	Project	Mutation	WorkItemConvert
Update	Project	Mutation	WorkItemCreateFromTask
Update	Project	Mutation	WorkItemUpdate
Update	Project	Mutation	workItemsReorder
Update	Group	Mutation	IterationCadenceUpdate
Update	Group	Mutation	UpdateIteration
Update	Group	Mutation	WorkItemAddClosingMergeRequest
Update	Group	Mutation	WorkItemConvert
Update	Group	Mutation	WorkItemCreateFromTask
Update	Group	Mutation	WorkItemUpdate
Update	Group	Mutation	workItemsReorder

Projects resources

Markdown Upload

Grants the ability to create, delete, and read Markdown uploads.

Action	Access	Kind	Name
Create	Project	Mutation	UploadCreate
Create	Group	Mutation	UploadCreate
Delete	Project	Mutation	UploadDelete
Delete	Group	Mutation	UploadDelete

Page

Grants the ability to delete, read, and update pages.

Action	Access	Kind	Name
Delete	Project	Mutation	DeletePagesDeployment
Delete	Project	Mutation	RestorePagesDeployment
Read	Project	Type	PagesDeployment
Update	Project	Mutation	PagesMarkOnboardingComplete
Update	Project	Mutation	SetPagesForceHttps
Update	Project	Mutation	SetPagesUseUniqueDomain

Project

Grants the ability to archive, create, delete, fork, read, share, transfer, and update projects.

Action	Access	Kind	Name
Read	Project	Type	Project
Read	Project	Type	RepositoryLanguage
Read	Project	Field	Query.project
Update	Project	Mutation	ProjectSettingsUpdate
Update	Project	Mutation	StarProject

Repository resources

Approval Rule

Grants the ability to create, delete, read, and update approval rules.

Action	Access	Kind	Name
Create	Project	Mutation	branchRuleApprovalProjectRuleCreate
Delete	Project	Mutation	approvalProjectRuleDelete
Read	Project	Type	ApprovalProjectRule
Read	Project	Type	ApprovalRule
Update	Project	Mutation	MergeRequestUpdateApprovalRule
Update	Project	Mutation	approvalProjectRuleUpdate

Branch

Grants the ability to create, delete, protect, and read branches.

Action	Access	Kind	Name
Create	Project	Mutation	CreateBranch
Delete	Project	Mutation	BranchDelete
Read	Project	Type	Branch

Branch Rule

Grants the ability to create and update branch rules.

Action	Access	Kind	Name
Create	Project	Mutation	BranchRuleCreate
Update	Project	Mutation	BranchRuleUpdate

Code

Grants the ability to download, push, and read code via Git.

Action	Access	Kind	Name
Push	Project	Mutation	CommitCreate
Push	Project	Mutation	ProjectSyncFork
Read	Project	Type	Commit
Read	Project	Type	Repository

Merge Request

Grants the ability to approve, create, delete, merge, read, and update merge requests.

Action	Access	Kind	Name
Read	Project	Type	MergeRequestApprovalState

Push Rule

Grants the ability to create, delete, read, and update push rules.

Action	Access	Kind	Name
Read	Project	Type	PushRules

Repository

Grants the ability to create, delete, read, and update repositories.

Action	Access	Kind	Name
Read	Project	Type	Blob
Read	Project	Type	RepositoryBlob
Read	Project	Type	Tree

Repository Tag

Grants the ability to create, delete, and read repository tags.

Action	Access	Kind	Name
Create	Project	Mutation	TagCreate
Delete	Project	Mutation	TagDelete
Read	Project	Type	Tag

System Access resources

Email

Grants the ability to create, delete, and read emails.

Action	Access	Kind	Name
Read	User	Type	Email

Job Token Scope

Grants the ability to read and update job token scopes.

Action	Access	Kind	Name
Update	Project	Mutation	CiJobTokenScopeUpdatePolicies

Job Token Scope Allowlist

Grants the ability to create, delete, and read job token scope allowlists.

Action	Access	Kind	Name
Create	Project	Mutation	CiJobTokenScopeAddGroupOrProject
Create	Project	Mutation	CiJobTokenScopeAddProject
Delete	Project	Mutation	CiJobTokenScopeRemoveGroup
Delete	Project	Mutation	CiJobTokenScopeRemoveProject

Member

Grants the ability to create, delete, read, and update members.

Action	Access	Kind	Name
Read	Project	Type	ProjectMember
Read	Group	Type	GroupMember
Update	Project	Mutation	ProjectMemberBulkUpdate
Update	Group	Mutation	GroupMemberBulkUpdate

Metadata

Grants the ability to read instance metadata.

Action	Access	Kind	Name
Read	Instance	Type	GitlabInstanceFeatureFlag
Read	Instance	Type	Kas
Read	Instance	Type	Metadata

Personal Access Token

Grants the ability to create, read, revoke, and rotate personal access tokens.

Action	Access	Kind	Name
Create	User	Mutation	PersonalAccessTokenCreate
Revoke	User	Mutation	PersonalAccessTokenRevoke
Rotate	User	Mutation	PersonalAccessTokenRotate

User

Grants the ability to activate, approve, ban, block, create, deactivate, delete, disable two factor, follow, read, reject, unban, unblock, unfollow, and update users.

Action	Access	Kind	Name
Read	User	Type	AddOnUser
Read	User	Type	AutocompletedUser
Read	User	Type	CurrentUser
Read	User	Type	MergeRequestAssignee
Read	User	Type	MergeRequestAuthor
Read	User	Type	MergeRequestParticipant
Read	User	Type	MergeRequestReviewer
Read	User	Type	UserCore