Refine Owner role notes

236f70cc · Evan Read · ed726688 · 236f70cc · 236f70cc · 236f70cc
--- a/doc/api/group_access_tokens.md
+++ b/doc/api/group_access_tokens.md
@@ -83,7 +83,8 @@ curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/a

 > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/77236) in GitLab 14.7.

-Create a [group access token](../user/group/settings/group_access_tokens.md).
+Create a [group access token](../user/group/settings/group_access_tokens.md). You must have the Owner role for the
+group to create group access tokens.

 ```plaintext
 POST groups/:id/access_tokens
@@ -94,7 +95,7 @@ POST groups/:id/access_tokens
 | `id` | integer or string | yes | ID or [URL-encoded path of the group](index.md#namespaced-path-encoding) |
 | `name` | String | yes | Name of the group access token  |
 | `scopes` | `Array[String]` | yes | [List of scopes](../user/group/settings/group_access_tokens.md#scopes-for-a-group-access-token) |
-| `access_level` | Integer | no | A valid access level. Default value is 40 (Maintainer). Other allowed values are 10 (Guest), 20 (Reporter), and 30 (Developer). |
+| `access_level` | Integer | no | Access level. Valid values are `10` (Guest), `20` (Reporter), `30` (Developer), `40` (Maintainer), and `50` (Owner). |
 | `expires_at` | Date | no | Token expires at midnight UTC on that date |

 ```shell

--- a/doc/api/project_access_tokens.md
+++ b/doc/api/project_access_tokens.md
@@ -87,19 +87,25 @@ curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/a

 Create a [project access token](../user/project/settings/project_access_tokens.md).

-**NOTE:** Project Maintainers cannot create project access tokens with Owner (50) access level.
+When you create a project access token, the maximum role (access level) you set depends on if you have the Owner or Maintainer role for the group. For example, the maximum
+role that can be set is:
+
+- Owner (`50`), if you have the Owner role for the project.
+- Maintainer (`40`), if you have the Maintainer role on the project.
+
+In GitLab 14.8 and earlier, project access tokens have a maximum role of Maintainer.

 ```plaintext
 POST projects/:id/access_tokens
 ```

-| Attribute | Type    | required | Description         |
-|-----------|---------|----------|---------------------|
-| `id` | integer or string | yes | ID or [URL-encoded path of the project](index.md#namespaced-path-encoding) |
-| `name` | String | yes | Name of the project access token  |
-| `scopes` | `Array[String]` | yes | [List of scopes](../user/project/settings/project_access_tokens.md#scopes-for-a-project-access-token) |
-| `access_level` | Integer | no | A valid access level. Default value is 40 (Maintainer). Other allowed values are 10 (Guest), 20 (Reporter), and 30 (Developer). |
-| `expires_at` | Date | no | Token expires at midnight UTC on that date |
+| Attribute | Type    | required | Description                                                                                                                           |
+|-----------|---------|----------|---------------------------------------------------------------------------------------------------------------------------------------|
+| `id` | integer or string | yes | ID or [URL-encoded path of the project](index.md#namespaced-path-encoding)                                                            |
+| `name` | String | yes | Name of the project access token                                                                                                               |
+| `scopes` | `Array[String]` | yes | [List of scopes](../user/project/settings/project_access_tokens.md#scopes-for-a-project-access-token)                               |
+| `access_level` | Integer | no | Access level. Valid values are `10` (Guest), `20` (Reporter), `30` (Developer), `40` (Maintainer), and `50` (Owner). Defaults to `40`. |
+| `expires_at` | Date | no | Token expires at midnight UTC on that date                                                                                                  |

 ```shell
 curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" \

--- a/doc/user/group/settings/group_access_tokens.md
+++ b/doc/user/group/settings/group_access_tokens.md
@@ -147,9 +147,12 @@ Even when creation is disabled, you can still use and revoke existing group acce

 ## Bot users for groups

-Each time you create a group access token, a bot user is created and added to the group.
-These bot users are similar to [bot users for projects](../../project/settings/project_access_tokens.md#bot-users-for-projects),
-except they are added to groups instead of projects.
-These bot users do not count as licensed seats.
+Each time you create a group access token, a bot user is created and added to the group. These bot users are similar to
+[bot users for projects](../../project/settings/project_access_tokens.md#bot-users-for-projects), except they are added
+to groups instead of projects. Bot users for groups:
+
+- Do not count as licensed seats.
+- Can have a maximum role of Owner for a group. For more information, see
+  [Create a group access token](../../../api/group_access_tokens.md#create-a-group-access-token).

 For more information, see [Bot users for projects](../../project/settings/project_access_tokens.md#bot-users-for-projects).
--- a/doc/user/project/settings/project_access_tokens.md
+++ b/doc/user/project/settings/project_access_tokens.md
@@ -43,6 +43,8 @@ configured for personal access tokens.

 ## Create a project access token

+> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/89114) in GitLab 15.1, Owners can select Owner role for project access tokens.
+
 To create a project access token:

 1. On the top bar, select **Menu > Projects** and find your project.
@@ -102,8 +104,6 @@ These bot users do not count as licensed seats.
 The bot users for projects have [permissions](../../permissions.md#project-members-permissions) that correspond with the
 selected role and [scope](#scopes-for-a-project-access-token) of the project access token.

-**Note** Project maintainers cannot select Owner role for bot users.
-
 - The name is set to the name of the token.
 - The username is set to `project_{project_id}_bot` for the first access token. For example, `project_123_bot`.
 - The email is set to `project{project_id}_bot@noreply.{Gitlab.config.gitlab.host}`. For example, `project123_bot@noreply.example.com`.
@@ -118,6 +118,8 @@ Bot users for projects:

 - Are included in a project's member list but cannot be modified.
 - Cannot be added to any other project.
+- Can have a maximum role of Owner for a project. For more information, see
+  [Create a project access token](../../../api/project_access_tokens.md#create-a-project-access-token).

 When the project access token is [revoked](#revoke-a-project-access-token):