Fine-grained permissions for personal access tokens in the GraphQL API
- Tier: Free, Premium, Ultimate
- Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated
- Status: Beta
Fine-grained personal access tokens scope access to specific permissions in the GraphQL API. To create a fine-grained personal access token, see Fine-grained permissions for personal access tokens.
Available fine-grained permissions
Fine-grained personal access tokens can access the following GraphQL types, mutations, and fields:
Application Security resources
Dependency
Grants the ability to read dependencies.
| Action | Access | Kind | Name |
|---|---|---|---|
| Read | Project | Type | DependencyLocation |
Pipeline Execution Project Schedule
Grants the ability to read pipeline execution project schedules.
| Action | Access | Kind | Name |
|---|---|---|---|
| Read | Project | Type | PipelineExecutionProjectSchedule |
Vulnerability
Grants the ability to create, read, and update vulnerabilities.
| Action | Access | Kind | Name |
|---|---|---|---|
| Create | Project | Mutation | VulnerabilityCreate |
| Read | Project | Type | CountableVulnerability |
| Read | Project | Type | Vulnerability |
| Update | Project | Mutation | VulnerabilityConfirm |
| Update | Project | Mutation | VulnerabilityDismiss |
| Update | Project | Mutation | VulnerabilityResolve |
| Update | Project | Mutation | VulnerabilityRevertToDetected |
CI/CD resources
CI Config
Grants the ability to read and validate CI/CD configuration.
| Action | Access | Kind | Name |
|---|---|---|---|
| Validate | Project | Mutation | CiLint |
CI/CD Setting
Grants the ability to update CI/CD settings.
| Action | Access | Kind | Name |
|---|---|---|---|
| Update | Project | Mutation | ProjectCiCdSettingsUpdate |
| Update | Group | Mutation | SafeDisablePipelineVariables |
Catalog Resource
Grants the ability to create and delete CI catalog resources.
| Action | Access | Kind | Name |
|---|---|---|---|
| Create | Project | Mutation | CatalogResourcesCreate |
| Delete | Project | Mutation | CatalogResourcesDestroy |
Cd Application
Grants the ability to create and read cd applications.
| Action | Access | Kind | Name |
|---|---|---|---|
| Create | Group | Mutation | CdApplicationCreate |
| Create | Instance | Mutation | CdApplicationCreate |
| Read | Group | Type | CdApplication |
| Read | Instance | Type | CdApplication |
Cd Environment
Grants the ability to create and read cd environments.
| Action | Access | Kind | Name |
|---|---|---|---|
| Create | Group | Mutation | CdEnvironmentCreate |
| Create | Instance | Mutation | CdEnvironmentCreate |
| Read | Group | Type | CdEnvironment |
| Read | Instance | Type | CdEnvironment |
Cluster Agent
Grants the ability to create, delete, and read cluster agents.
| Action | Access | Kind | Name |
|---|---|---|---|
| Create | Project | Mutation | CreateClusterAgent |
| Delete | Project | Mutation | ClusterAgentDelete |
| Read | Project | Type | ClusterAgent |
Cluster Agent Token
Grants the ability to create, read, and revoke cluster agent tokens.
| Action | Access | Kind | Name |
|---|---|---|---|
| Create | Project | Mutation | ClusterAgentTokenCreate |
Cluster Agent URL Configuration
Grants the ability to create, delete, and read cluster agent URL configurations.
| Action | Access | Kind | Name |
|---|---|---|---|
| Create | Project | Mutation | ClusterAgentUrlConfigurationCreate |
| Delete | Project | Mutation | ClusterAgentUrlConfigurationDelete |
Deployment
Grants the ability to approve, create, delete, read, and update deployments.
| Action | Access | Kind | Name |
|---|---|---|---|
| Approve | Project | Mutation | ApproveDeployment |
Environment
Grants the ability to create, delete, read, stop, and update environments.
| Action | Access | Kind | Name |
|---|---|---|---|
| Create | Project | Mutation | EnvironmentCreate |
| Delete | Project | Mutation | EnvironmentDelete |
| Read | Project | Type | Environment |
| Stop | Project | Mutation | EnvironmentStop |
| Update | Project | Mutation | EnvironmentUpdate |
Freeze Period
Grants the ability to create, delete, read, and update freeze periods.
| Action | Access | Kind | Name |
|---|---|---|---|
| Read | Project | Type | CiFreezePeriod |
Job
Grants the ability to delete, read, run, and update jobs.
| Action | Access | Kind | Name |
|---|---|---|---|
| Read | Project | Type | CiJob |
| Run | Project | Mutation | JobPlay |
| Run | Project | Mutation | JobRetry |
| Update | Project | Mutation | JobCancel |
| Update | Project | Mutation | JobUnschedule |
Job Artifact
Grants the ability to delete, read, and update job artifacts.
| Action | Access | Kind | Name |
|---|---|---|---|
| Delete | Project | Mutation | ArtifactDestroy |
| Delete | Project | Mutation | BulkDestroyJobArtifacts |
| Delete | Project | Mutation | JobArtifactsDestroy |
| Read | Project | Type | CiJobArtifact |
Pipeline
Grants the ability to create, delete, read, and update pipelines.
| Action | Access | Kind | Name |
|---|---|---|---|
| Create | Project | Mutation | PipelineCreate |
| Delete | Project | Mutation | PipelineDestroy |
| Read | Project | Type | CiStage |
| Read | Project | Type | Pipeline |
| Update | Project | Mutation | PipelineCancel |
| Update | Project | Mutation | PipelineRetry |
Pipeline Schedule
Grants the ability to create, delete, read, and update pipeline schedules.
| Action | Access | Kind | Name |
|---|---|---|---|
| Create | Project | Mutation | PipelineScheduleCreate |
| Delete | Project | Mutation | PipelineScheduleDelete |
| Read | Project | Type | PipelineSchedule |
| Read | Project | Field | Project.pipelineSchedules |
| Update | Project | Mutation | PipelineSchedulePlay |
| Update | Project | Mutation | PipelineScheduleTakeOwnership |
| Update | Project | Mutation | PipelineScheduleUpdate |
Runner
Grants the ability to assign, create, delete, read, and update runners.
| Action | Access | Kind | Name |
|---|---|---|---|
| Assign | Project | Mutation | RunnerAssignToProject |
| Assign | Project | Mutation | RunnerUnassignFromProject |
| Create | Project | Mutation | RunnerCreate |
| Create | Group | Mutation | RunnerCreate |
| Create | Instance | Mutation | RunnerCreate |
| Delete | Project | Mutation | RunnerDelete |
| Delete | Group | Mutation | RunnerDelete |
| Delete | Instance | Mutation | RunnerDelete |
| Read | Project | Type | CiRunner |
| Read | Project | Field | Project.runners |
| Read | Project | Field | Query.runner |
| Read | Group | Type | CiRunner |
| Read | Group | Field | Group.runners |
| Read | Group | Field | Query.runner |
| Read | Instance | Type | CiRunner |
| Read | Instance | Field | Query.runner |
| Read | Instance | Field | Query.runners |
| Update | Project | Mutation | RunnerCacheClear |
| Update | Project | Mutation | RunnerUpdate |
| Update | Group | Mutation | RunnerUpdate |
| Update | Instance | Mutation | RunnerUpdate |
Terraform State
Grants the ability to create, delete, lock, read, and update Terraform state.
| Action | Access | Kind | Name |
|---|---|---|---|
| Delete | Project | Mutation | TerraformStateDelete |
| Lock | Project | Mutation | TerraformStateLock |
| Lock | Project | Mutation | TerraformStateUnlock |
| Read | Project | Type | TerraformState |
| Read | Project | Type | TerraformStateProtectionRule |
| Read | Project | Type | TerraformStateVersion |
| Update | Project | Mutation | UpdateTerraformStateProtectionRule |
Terraform State Protection Rule
Grants the ability to create, delete, and update Terraform state protection rules.
| Action | Access | Kind | Name |
|---|---|---|---|
| Create | Project | Mutation | CreateTerraformStateProtectionRule |
| Delete | Project | Mutation | DeleteTerraformStateProtectionRule |
Trigger
Grants the ability to create, delete, read, and update triggers.
| Action | Access | Kind | Name |
|---|---|---|---|
| Create | Project | Mutation | PipelineTriggerCreate |
| Delete | Project | Mutation | PipelineTriggerDelete |
| Read | Project | Type | PipelineTrigger |
| Update | Project | Mutation | PipelineTriggerUpdate |
Duo resources
AI catalog item
Grants the ability to restore AI catalog items.
| Action | Access | Kind | Name |
|---|---|---|---|
| Restore | Project | Mutation | AiCatalogItemVersionRestore |
Model Selection Allowlist
Grants the ability to read and update model selection allowlists.
| Action | Access | Kind | Name |
|---|---|---|---|
| Read | Group | Type | AiModelSelectionAllowList |
| Read | Group | Type | AiModelSelectionAllowListModel |
| Read | Instance | Type | AiModelSelectionAllowList |
| Read | Instance | Type | AiModelSelectionAllowListModel |
| Update | Group | Mutation | AiModelSelectionNamespaceModelAllowlistUpdate |
| Update | Instance | Mutation | AiFeatureSettingModelAllowlistUpdate |
Groups resources
Admin Member Role
Grants the ability to create, delete, read, and update admin member roles.
| Action | Access | Kind | Name |
|---|---|---|---|
| Create | Instance | Mutation | MemberRoleAdminCreate |
| Delete | Instance | Mutation | MemberRoleAdminDelete |
| Read | Instance | Type | AdminMemberRole |
| Update | Instance | Mutation | MemberRoleAdminUpdate |
Group
Grants the ability to archive, create, delete, read, share, transfer, and update groups.
| Action | Access | Kind | Name |
|---|---|---|---|
| Read | Group | Type | Group |
| Read | Group | Field | Query.group |
| Update | Group | Mutation | GroupUpdate |
LDAP Admin Role Link
Grants the ability to create, delete, and read LDAP admin role links
| Action | Access | Kind | Name |
|---|---|---|---|
| Create | Instance | Mutation | AdminRolesLdapSync |
| Create | Instance | Mutation | LdapAdminRoleLinkCreate |
| Delete | Instance | Mutation | LdapAdminRoleLinkDestroy |
| Read | Instance | Type | LdapAdminRoleLink |
Member Role
Grants the ability to create, delete, and read member roles.
| Action | Access | Kind | Name |
|---|---|---|---|
| Create | Group | Mutation | MemberRoleCreate |
| Create | Instance | Mutation | MemberRoleCreate |
Preference
Grants the ability to read and update preferences.
| Action | Access | Kind | Name |
|---|---|---|---|
| Read | User | Type | UserPreferences |
| Update | User | Mutation | UserPreferencesUpdate |
Topic
Grants the ability to create, delete, merge, read, and update topics.
| Action | Access | Kind | Name |
|---|---|---|---|
| Read | Instance | Type | Topic |
Organizations resources
Organization
Grants the ability to create, delete, read, and update organizations.
| Action | Access | Kind | Name |
|---|---|---|---|
| Create | Instance | Mutation | OrganizationCreate |
| Delete | Instance | Mutation | OrganizationDelete |
| Read | Instance | Type | Organization |
| Read | Instance | Type | OrganizationUser |
| Read | Instance | Field | Query.organization |
| Read | Instance | Field | Query.organizations |
| Update | Instance | Mutation | OrganizationUpdate |
| Update | Instance | Mutation | OrganizationUserUpdate |
Packages And Registry resources
Container Registry Protection Tag Rule
Grants the ability to create, delete, read, and update container registry protection tag rules.
| Action | Access | Kind | Name |
|---|---|---|---|
| Create | Project | Mutation | createContainerProtectionTagRule |
| Delete | Project | Mutation | DeleteContainerProtectionTagRule |
| Update | Project | Mutation | UpdateContainerProtectionTagRule |
Container Repository
Grants the ability to delete and read container repositories.
| Action | Access | Kind | Name |
|---|---|---|---|
| Delete | Project | Mutation | DestroyContainerRepository |
| Delete | Project | Mutation | DestroyContainerRepositoryTags |
Container Repository Protection Rule
Grants the ability to create, delete, read, and update container repository protection rules.
| Action | Access | Kind | Name |
|---|---|---|---|
| Create | Project | Mutation | CreateContainerProtectionRepositoryRule |
| Delete | Project | Mutation | DeleteContainerProtectionRepositoryRule |
| Update | Project | Mutation | UpdateContainerProtectionRepositoryRule |
Dependency Proxy
Grants the ability to update dependency proxies.
| Action | Access | Kind | Name |
|---|---|---|---|
| Update | Group | Mutation | UpdateDependencyProxyImageTtlGroupPolicy |
| Update | Group | Mutation | UpdateDependencyProxySettings |
Package
Grants the ability to create, delete, read, and update packages.
| Action | Access | Kind | Name |
|---|---|---|---|
| Create | Project | Mutation | CreatePackagesProtectionRule |
| Delete | Project | Mutation | DeletePackagesProtectionRule |
| Delete | Project | Mutation | DestroyPackage |
| Delete | Project | Mutation | DestroyPackageFile |
| Delete | Project | Mutation | DestroyPackageFiles |
| Update | Project | Mutation | UpdatePackagesCleanupPolicy |
| Update | Project | Mutation | UpdatePackagesProtectionRule |
Project Features resources
Badge
Grants the ability to create, delete, read, and update badges.
| Action | Access | Kind | Name |
|---|---|---|---|
| Read | Instance | Type | OrganizationUserBadge |
Release
Grants the ability to create, delete, read, and update releases.
| Action | Access | Kind | Name |
|---|---|---|---|
| Create | Project | Mutation | ReleaseAssetLinkCreate |
| Create | Project | Mutation | ReleaseCreate |
| Delete | Project | Mutation | ReleaseDelete |
| Update | Project | Mutation | ReleaseUpdate |
Snippet
Grants the ability to create, delete, read, and update snippets.
| Action | Access | Kind | Name |
|---|---|---|---|
| Create | Project | Mutation | CreateSnippet |
| Create | User | Mutation | CreateSnippet |
| Delete | Project | Mutation | DestroySnippet |
| Delete | User | Mutation | DestroySnippet |
| Update | Project | Mutation | UpdateSnippet |
| Update | User | Mutation | UpdateSnippet |
Project Model Registry And Experiments resources
Model Version
Grants the ability to create, delete, and update model versions.
| Action | Access | Kind | Name |
|---|---|---|---|
| Create | Project | Mutation | MlModelVersionCreate |
| Delete | Project | Mutation | MlModelVersionDelete |
| Update | Project | Mutation | MlModelVersionEdit |
Project Planning resources
Custom Attribute
Grants the ability to delete, read, and update custom attributes.
| Action | Access | Kind | Name |
|---|---|---|---|
| Delete | Project | Mutation | DeleteProjectCustomAttribute |
| Delete | Group | Mutation | DeleteGroupCustomAttribute |
| Update | Project | Mutation | ProjectCustomAttributeSet |
| Update | Group | Mutation | SetGroupCustomAttribute |
Label
Grants the ability to create, delete, promote, read, and update labels.
| Action | Access | Kind | Name |
|---|---|---|---|
| Create | Project | Mutation | LabelCreate |
| Create | Group | Mutation | LabelCreate |
| Read | Project | Type | Label |
| Read | Group | Type | Label |
| Update | Project | Mutation | LabelUpdate |
| Update | Group | Mutation | LabelUpdate |
Work Item
Grants the ability to create, delete, read, and update work items such as epics and issues.
| Action | Access | Kind | Name |
|---|---|---|---|
| Create | Project | Mutation | CreateIssue |
| Create | Project | Mutation | WorkItemCreate |
| Create | Project | Field | EpicIssue.createNoteEmail |
| Create | Project | Field | Issue.createNoteEmail |
| Create | Project | Field | WorkItem.createNoteEmail |
| Create | Group | Mutation | IterationCadenceCreate |
| Create | Group | Mutation | WorkItemCreate |
| Delete | Project | Mutation | WorkItemDelete |
| Delete | Group | Mutation | IterationCadenceDestroy |
| Delete | Group | Mutation | IterationDelete |
| Delete | Group | Mutation | WorkItemDelete |
| Read | Project | Type | EpicIssue |
| Read | Project | Type | Issue |
| Read | Project | Type | Milestone |
| Read | Project | Type | WorkItem |
| Read | Group | Type | Iteration |
| Read | Group | Type | IterationCadence |
| Read | Group | Type | Milestone |
| Read | Group | Type | WorkItemMoveTarget |
| Update | Project | Mutation | IssueLinkAlerts |
| Update | Project | Mutation | IssueMove |
| Update | Project | Mutation | IssueSetAssignees |
| Update | Project | Mutation | IssueSetConfidential |
| Update | Project | Mutation | IssueSetCrmContacts |
| Update | Project | Mutation | IssueSetDueDate |
| Update | Project | Mutation | IssueSetEpic |
| Update | Project | Mutation | IssueSetEscalationPolicy |
| Update | Project | Mutation | IssueSetEscalationStatus |
| Update | Project | Mutation | IssueSetIteration |
| Update | Project | Mutation | IssueSetLocked |
| Update | Project | Mutation | IssueSetSeverity |
| Update | Project | Mutation | IssueSetWeight |
| Update | Project | Mutation | IssueUnlinkAlert |
| Update | Project | Mutation | UpdateIssue |
| Update | Project | Mutation | WorkItemAddClosingMergeRequest |
| Update | Project | Mutation | WorkItemConvert |
| Update | Project | Mutation | WorkItemCreateFromTask |
| Update | Project | Mutation | WorkItemUpdate |
| Update | Project | Mutation | workItemsReorder |
| Update | Group | Mutation | IterationCadenceUpdate |
| Update | Group | Mutation | UpdateIteration |
| Update | Group | Mutation | WorkItemAddClosingMergeRequest |
| Update | Group | Mutation | WorkItemConvert |
| Update | Group | Mutation | WorkItemCreateFromTask |
| Update | Group | Mutation | WorkItemUpdate |
| Update | Group | Mutation | workItemsReorder |
Projects resources
Markdown Upload
Grants the ability to create, delete, and read Markdown uploads.
| Action | Access | Kind | Name |
|---|---|---|---|
| Create | Project | Mutation | UploadCreate |
| Create | Group | Mutation | UploadCreate |
| Delete | Project | Mutation | UploadDelete |
| Delete | Group | Mutation | UploadDelete |
Page
Grants the ability to delete, read, and update pages.
| Action | Access | Kind | Name |
|---|---|---|---|
| Delete | Project | Mutation | DeletePagesDeployment |
| Delete | Project | Mutation | RestorePagesDeployment |
| Read | Project | Type | PagesDeployment |
| Update | Project | Mutation | PagesMarkOnboardingComplete |
| Update | Project | Mutation | SetPagesForceHttps |
| Update | Project | Mutation | SetPagesUseUniqueDomain |
Project
Grants the ability to archive, create, delete, fork, read, share, transfer, and update projects.
| Action | Access | Kind | Name |
|---|---|---|---|
| Read | Project | Type | Project |
| Read | Project | Type | RepositoryLanguage |
| Read | Project | Field | Query.project |
| Update | Project | Mutation | ProjectSettingsUpdate |
| Update | Project | Mutation | StarProject |
Repository resources
Approval Rule
Grants the ability to create, delete, read, and update approval rules.
| Action | Access | Kind | Name |
|---|---|---|---|
| Create | Project | Mutation | branchRuleApprovalProjectRuleCreate |
| Delete | Project | Mutation | approvalProjectRuleDelete |
| Read | Project | Type | ApprovalProjectRule |
| Read | Project | Type | ApprovalRule |
| Update | Project | Mutation | MergeRequestUpdateApprovalRule |
| Update | Project | Mutation | approvalProjectRuleUpdate |
Branch
Grants the ability to create, delete, protect, and read branches.
| Action | Access | Kind | Name |
|---|---|---|---|
| Create | Project | Mutation | CreateBranch |
| Delete | Project | Mutation | BranchDelete |
| Read | Project | Type | Branch |
Branch Rule
Grants the ability to create and update branch rules.
| Action | Access | Kind | Name |
|---|---|---|---|
| Create | Project | Mutation | BranchRuleCreate |
| Update | Project | Mutation | BranchRuleUpdate |
Code
Grants the ability to download, push, and read code via Git.
| Action | Access | Kind | Name |
|---|---|---|---|
| Push | Project | Mutation | CommitCreate |
| Push | Project | Mutation | ProjectSyncFork |
| Read | Project | Type | Commit |
| Read | Project | Type | Repository |
Merge Request
Grants the ability to approve, create, delete, merge, read, and update merge requests.
| Action | Access | Kind | Name |
|---|---|---|---|
| Read | Project | Type | MergeRequestApprovalState |
Push Rule
Grants the ability to create, delete, read, and update push rules.
| Action | Access | Kind | Name |
|---|---|---|---|
| Read | Project | Type | PushRules |
Repository
Grants the ability to create, delete, read, and update repositories.
| Action | Access | Kind | Name |
|---|---|---|---|
| Read | Project | Type | Blob |
| Read | Project | Type | RepositoryBlob |
| Read | Project | Type | Tree |
Repository Tag
Grants the ability to create, delete, and read repository tags.
| Action | Access | Kind | Name |
|---|---|---|---|
| Create | Project | Mutation | TagCreate |
| Delete | Project | Mutation | TagDelete |
| Read | Project | Type | Tag |
System Access resources
Grants the ability to create, delete, and read emails.
| Action | Access | Kind | Name |
|---|---|---|---|
| Read | User | Type | Email |
Job Token Scope
Grants the ability to read and update job token scopes.
| Action | Access | Kind | Name |
|---|---|---|---|
| Update | Project | Mutation | CiJobTokenScopeUpdatePolicies |
Job Token Scope Allowlist
Grants the ability to create, delete, and read job token scope allowlists.
| Action | Access | Kind | Name |
|---|---|---|---|
| Create | Project | Mutation | CiJobTokenScopeAddGroupOrProject |
| Create | Project | Mutation | CiJobTokenScopeAddProject |
| Delete | Project | Mutation | CiJobTokenScopeRemoveGroup |
| Delete | Project | Mutation | CiJobTokenScopeRemoveProject |
Member
Grants the ability to create, delete, read, and update members.
| Action | Access | Kind | Name |
|---|---|---|---|
| Read | Project | Type | ProjectMember |
| Read | Group | Type | GroupMember |
| Update | Project | Mutation | ProjectMemberBulkUpdate |
| Update | Group | Mutation | GroupMemberBulkUpdate |
Metadata
Grants the ability to read instance metadata.
| Action | Access | Kind | Name |
|---|---|---|---|
| Read | Instance | Type | GitlabInstanceFeatureFlag |
| Read | Instance | Type | Kas |
| Read | Instance | Type | Metadata |
Personal Access Token
Grants the ability to create, read, revoke, and rotate personal access tokens.
| Action | Access | Kind | Name |
|---|---|---|---|
| Create | User | Mutation | PersonalAccessTokenCreate |
| Revoke | User | Mutation | PersonalAccessTokenRevoke |
| Rotate | User | Mutation | PersonalAccessTokenRotate |
User
Grants the ability to activate, approve, ban, block, create, deactivate, delete, disable two factor, follow, read, reject, unban, unblock, unfollow, and update users.
| Action | Access | Kind | Name |
|---|---|---|---|
| Read | User | Type | AddOnUser |
| Read | User | Type | AutocompletedUser |
| Read | User | Type | CurrentUser |
| Read | User | Type | MergeRequestAssignee |
| Read | User | Type | MergeRequestAuthor |
| Read | User | Type | MergeRequestParticipant |
| Read | User | Type | MergeRequestReviewer |
| Read | User | Type | UserCore |