Diffstat (limited to 'doc/development/permissions/custom_roles.md')
-rw-r--r-- | doc/development/permissions/custom_roles.md | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/doc/development/permissions/custom_roles.md b/doc/development/permissions/custom_roles.md index 73a8c920894..9aba4035ec9 100644 --- a/doc/development/permissions/custom_roles.md +++ b/doc/development/permissions/custom_roles.md @@ -8,6 +8,20 @@ info: To determine the technical writer assigned to the Stage/Group associated w Users can create custom roles and define those roles by assigning specific abilities. For example, a user could create an "Engineer" role with `read code` and `admin merge requests` abilities, but without abilities like `admin issues`. +In this context: + +- "Ability" is an action a user can do. +- "Permission" defines the policy classes. + +## Custom roles vs static roles + +In GitLab 15.9 and earlier, GitLab only had [static roles](predefined_roles.md) as a permission system. In this system, there are a few predefined roles that are statically assigned to certain abilities. These static roles are not customizable by customers. + +With custom roles, the customers can decide which abilities they want to assign to certain user groups. For example: + +- In the static role system, reading of vulnerabilities is limited to a Developer role. +- In the custom role system, a customer can assign this ability to a new custom role based on the Reporter role. + ## Technical overview Individual custom roles are stored in the `member_roles` table (`MemberRole` model) and can be defined only for top-level groups. This table includes individual abilities and a `base_access_level` value. This value defines the minimum access level of: |
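Review bot: In the added "Custom roles vs static roles" section, "reading of vulnerabilities is limited to a Developer role" is ambiguous about whether only Developer holds the ability or whether Developer is the lowest role that holds it. The unchanged Technical overview text right after it describes `base_access_level` as a minimum access level, so if the intent is "Developer and above", say "requires at least the Developer role"; for a page about who can read vulnerability data, that distinction should be explicit. In the "In this context" list, "Permission" is defined only as "defines the policy classes", which does not tell the reader how a permission relates to an ability; one sentence linking the two terms would make the definitions usable in the rest of the page. The same example also names the ability in prose while the intro paragraph uses backticked names such as `read code`, so consider naming the ability the same way. Minor: "the customers can decide" reads better as "customers can decide".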