Back to Gitlabhq

Fine-grained permissions for Git and other operations

doc/auth/tokens/fine_grained_access_tokens_other.md

19.2.05.2 KB
Original Source

{{< details >}}

  • Tier: Free, Premium, Ultimate
  • Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated

{{< /details >}}

{{< history >}}

{{< /history >}}

A fine-grained personal access token can access only the resources and permissions you grant it. To use one with Git and other operations, create a token and define its scope. For more information, see fine-grained personal access tokens.

In the following tables:

  • Resource and Permission are the resource and permission to select when you create the token.
  • Access is the boundary that must contain the target resource. A token scoped to a group also authorizes operations on the projects in that group.

Git operations

A fine-grained personal access token used as the password for Git over HTTPS must have the following permissions:

OperationResourcePermissionAccess
Clone or pull a project repositoryCodeDownloadProject
Push to a project repositoryCodePushProject
Clone or pull a wikiWikiReadProject, Group <sup>1</sup>
Push to a wikiWikiCreateProject, Group <sup>1</sup>
Clone or pull a snippetSnippetReadProject, User <sup>2</sup>
Push to a snippetSnippetUpdateProject, User <sup>2</sup>
Download Git LFS objectsCodeDownloadProject
Upload Git LFS objectsCodePushProject

Footnotes:

  1. Project wikis use the project boundary and group wikis use the group boundary.
  2. Project snippets use the project boundary and personal snippets use the user boundary.

Container registry

A fine-grained personal access token used to sign in to the container registry must have the following permissions:

OperationResourcePermissionAccess
Pull container imagesContainer RepositoryReadProject
Delete container images and tagsContainer RepositoryDeleteProject

[!note] You cannot use fine-grained personal access tokens to push container images.

Dependency proxy

A fine-grained personal access token used to sign in to the dependency proxy must have the following permissions:

OperationResourcePermissionAccess
Pull container images through the dependency proxyDependency ProxyReadGroup

Archive and release asset downloads

OperationResourcePermissionAccess
Download a repository archiveCodeDownloadProject
Download a release asset from a direct linkReleaseReadProject

RSS and calendar feeds

A fine-grained personal access token used to authenticate RSS or iCalendar feed requests must have the following permissions:

FeedResourcePermissionAccess
User activityActivityReadUser
Project activityEventReadProject
Group activityEventReadGroup
Project commitsCodeReadProject
Project tagsCodeReadProject
Issues and work items, including calendarsWork ItemReadProject, Group, User
Merge requestsMerge RequestReadProject, Group
Your projectsProjectReadUser
Personal access token expiration calendarPersonal Access TokenReadUser

Other operations

OperationResourcePermissionAccess
Forward editor extension telemetry eventsEditor TelemetryCreateUser
Receive live comment updates over WebSocketWork ItemReadProject, Group