Fine-grained permissions for Git and other operations

  • Tier: Free, Premium, Ultimate
  • Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated

A fine-grained personal access token can access only the resources and permissions you grant it. To use one with Git and other operations, create a token and define its scope. For more information, see fine-grained personal access tokens.

In the following tables:

  • Resource and Permission are the resource and permission to select when you create the token.
  • Access is the boundary that must contain the target resource. A token scoped to a group also authorizes operations on the projects in that group.

Git operations

A fine-grained personal access token used as the password for Git over HTTPS must have the following permissions:

Operation Resource Permission Access
Clone or pull a project repository Code Download Project
Push to a project repository Code Push Project
Clone or pull a wiki Wiki Read Project, Group 1
Push to a wiki Wiki Create Project, Group 1
Clone or pull a snippet Snippet Read Project, User 2
Push to a snippet Snippet Update Project, User 2
Download Git LFS objects Code Download Project
Upload Git LFS objects Code Push Project

Footnotes:

  1. Project wikis use the project boundary and group wikis use the group boundary.
  2. Project snippets use the project boundary and personal snippets use the user boundary.

Container registry

A fine-grained personal access token used to sign in to the container registry must have the following permissions:

Operation Resource Permission Access
Pull container images Container Repository Read Project
Delete container images and tags Container Repository Delete Project

You cannot use fine-grained personal access tokens to push container images.

Dependency proxy

A fine-grained personal access token used to sign in to the dependency proxy must have the following permissions:

Operation Resource Permission Access
Pull container images through the dependency proxy Dependency Proxy Read Group

Archive and release asset downloads

Operation Resource Permission Access
Download a repository archive Code Download Project
Download a release asset from a direct link Release Read Project

RSS and calendar feeds

A fine-grained personal access token used to authenticate RSS or iCalendar feed requests must have the following permissions:

Feed Resource Permission Access
User activity Activity Read User
Project activity Event Read Project
Group activity Event Read Group
Project commits Code Read Project
Project tags Code Read Project
Issues and work items, including calendars Work Item Read Project, Group, User
Merge requests Merge Request Read Project, Group
Your projects Project Read User
Personal access token expiration calendar Personal Access Token Read User

Other operations

Operation Resource Permission Access
Forward editor extension telemetry events Editor Telemetry Create User
Receive live comment updates over WebSocket Work Item Read Project, Group