doc/auth/tokens/fine_grained_access_tokens.md
{{< details >}}
{{< /details >}}
{{< history >}}
{{< /history >}}
Fine-grained personal access tokens are scoped to only access the specific resources and permissions you define. When creating the token, you define the following attributes:
Group and project, User, and Global).To create a fine-grained personal access token:
A personal access token is displayed. Save the personal access token somewhere safe. After you leave or refresh the page, you cannot view it again.
Administrators can create a fine-grained personal access token that can impersonate other users
with the sudo parameter on the REST API.
Only an administrator can create a token with the sudo capability. A non-administrator that tries to create one receives an error.
A fine-grained token continues to enforce its own permissions while impersonating. The token can perform an action only when both of the following are true:
This behavior differs from a legacy personal access token with the sudo scope, which can perform
any action as the impersonated user.
[!warning] A token with the sudo capability can act as any user. Restrict its permissions and boundaries to the minimum required, and store it securely.
The permissions a fine-grained personal access token can use depend on the endpoint the token calls:
{{< history >}}
granular_personal_access_tokens_enforcement and granular_personal_access_tokens_enforcement_saas. Disabled by default.{{< /history >}}
You can require your users to adopt fine-grained personal access tokens after a specified enforcement date. After this date, any existing legacy personal access tokens remain listed in user profiles, but cannot be used to access resources.
Enforcement works differently on GitLab.com and GitLab Self-Managed:
Prerequisites:
On GitLab.com, enforcement applies to the group and its subgroups and projects, and blocks legacy personal access tokens from accessing those resources after the enforcement date. Users can still create legacy tokens, but those tokens cannot access the enforced resources for the group.
This setting is not available on GitLab Self-Managed.
You can enforce fine-grained tokens only on a top-level group.
To enforce fine-grained personal access tokens for a top-level group:
After the enforcement date, users receive an error when they attempt to use a legacy token to access resources in the top-level group, any subgroups, or projects. The error lists the resource boundary and permissions a fine-grained token needs. For example:
Access denied: This operation requires a fine-grained personal access token with the following project permissions: [Project: Read].
Prerequisites:
On GitLab Self-Managed, enforcement applies to the entire instance, and blocks users from creating or rotating legacy personal access tokens after the enforcement date. Users can create fine-grained tokens only. Existing legacy tokens continue to work until they expire.
To enforce fine-grained personal access tokens for the instance:
After the enforcement date, users receive an error when they attempt to create or rotate a legacy token.