Fine-grained permissions for Git and other operations
- Tier: Free, Premium, Ultimate
- Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated
A fine-grained personal access token can access only the resources and permissions you grant it. To use one with Git and other operations, create a token and define its scope. For more information, see fine-grained personal access tokens.
In the following tables:
- Resource and Permission are the resource and permission to select when you create the token.
- Access is the boundary that must contain the target resource. A token scoped to a group also authorizes operations on the projects in that group.
Git operations
A fine-grained personal access token used as the password for Git over HTTPS must have the following permissions:
| Operation | Resource | Permission | Access |
|---|---|---|---|
| Clone or pull a project repository | Code | Download | Project |
| Push to a project repository | Code | Push | Project |
| Clone or pull a wiki | Wiki | Read | Project, Group 1 |
| Push to a wiki | Wiki | Create | Project, Group 1 |
| Clone or pull a snippet | Snippet | Read | Project, User 2 |
| Push to a snippet | Snippet | Update | Project, User 2 |
| Download Git LFS objects | Code | Download | Project |
| Upload Git LFS objects | Code | Push | Project |
Footnotes:
- Project wikis use the project boundary and group wikis use the group boundary.
- Project snippets use the project boundary and personal snippets use the user boundary.
Container registry
A fine-grained personal access token used to sign in to the container registry must have the following permissions:
| Operation | Resource | Permission | Access |
|---|---|---|---|
| Pull container images | Container Repository | Read | Project |
| Delete container images and tags | Container Repository | Delete | Project |
You cannot use fine-grained personal access tokens to push container images.
Dependency proxy
A fine-grained personal access token used to sign in to the dependency proxy must have the following permissions:
| Operation | Resource | Permission | Access |
|---|---|---|---|
| Pull container images through the dependency proxy | Dependency Proxy | Read | Group |
Archive and release asset downloads
| Operation | Resource | Permission | Access |
|---|---|---|---|
| Download a repository archive | Code | Download | Project |
| Download a release asset from a direct link | Release | Read | Project |
RSS and calendar feeds
A fine-grained personal access token used to authenticate RSS or iCalendar feed requests must have the following permissions:
| Feed | Resource | Permission | Access |
|---|---|---|---|
| User activity | Activity | Read | User |
| Project activity | Event | Read | Project |
| Group activity | Event | Read | Group |
| Project commits | Code | Read | Project |
| Project tags | Code | Read | Project |
| Issues and work items, including calendars | Work Item | Read | Project, Group, User |
| Merge requests | Merge Request | Read | Project, Group |
| Your projects | Project | Read | User |
| Personal access token expiration calendar | Personal Access Token | Read | User |
Other operations
| Operation | Resource | Permission | Access |
|---|---|---|---|
| Forward editor extension telemetry events | Editor Telemetry | Create | User |
| Receive live comment updates over WebSocket | Work Item | Read | Project, Group |