From 9de9cb7fc5a9d455d0c9ffe63f57f8957cefae95 Mon Sep 17 00:00:00 2001 From: Joe Randazzo <jrandazzo@gitlab.com> Date: Tue, 13 Aug 2024 09:38:58 +0000 Subject: [PATCH] Improve permissions table via separating by category: CI/CD --- .../components/pipelines_table_wrapper.vue | 2 +- .../legacy_pipelines_table_wrapper.vue | 2 +- doc/ci/debugging.md | 2 +- doc/ci/environments/protected_environments.md | 2 +- doc/ci/git_submodules.md | 2 +- doc/ci/jobs/ci_job_token.md | 2 +- doc/ci/jobs/job_troubleshooting.md | 2 +- doc/ci/pipelines/merge_request_pipelines.md | 2 +- doc/ci/pipelines/settings.md | 2 +- doc/ci/variables/index.md | 2 +- doc/user/permissions.md | 143 +++++++++--------- .../pipelines_table_wrapper_spec.js | 2 +- .../legacy_pipelines_table_wrapper_spec.js | 2 +- 13 files changed, 86 insertions(+), 81 deletions(-) diff --git a/app/assets/javascripts/ci/merge_requests/components/pipelines_table_wrapper.vue b/app/assets/javascripts/ci/merge_requests/components/pipelines_table_wrapper.vue index e22eb494fa0e..2be69de18242 100644 --- a/app/assets/javascripts/ci/merge_requests/components/pipelines_table_wrapper.vue +++ b/app/assets/javascripts/ci/merge_requests/components/pipelines_table_wrapper.vue @@ -265,7 +265,7 @@ export default { }, ), userPermissionsDocsPath: helpPagePath('user/permissions.md', { - anchor: 'gitlab-cicd-permissions', + anchor: 'cicd', }), }; </script> diff --git a/app/assets/javascripts/commit/pipelines/legacy_pipelines_table_wrapper.vue b/app/assets/javascripts/commit/pipelines/legacy_pipelines_table_wrapper.vue index d9c609c3042d..ca304ffa793e 100644 --- a/app/assets/javascripts/commit/pipelines/legacy_pipelines_table_wrapper.vue +++ b/app/assets/javascripts/commit/pipelines/legacy_pipelines_table_wrapper.vue 
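Review bot: The new anchor `cicd` in `helpPagePath('user/permissions.md', { anchor: 'cicd' })` is no longer unique in doc/user/permissions.md, because this commit adds a `### CI/CD` heading under both the project permissions section and the group permissions section, so the link presumably lands on whichever heading the docs renderer emits first (the project table, which is the one this pipelines component wants) while the other gets a suffixed id. That holds today but silently breaks if the sections are ever reordered or a third `CI/CD` heading is added above the project one, and nothing in the spec would catch it since the tests only assert the href string. Either give the project-level heading a wording whose generated id cannot collide with the group-level one, or at least mark the dependency inline: `// Must point at the project-level CI/CD permissions table; permissions.md also has a group-level "### CI/CD" heading`. The same anchor is set in legacy_pipelines_table_wrapper.vue and asserted in the two `*_spec.js` files in this patch, so keep all four in step. The enclosing `export default` object starts and ends outside the hunk.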
@@ -207,7 +207,7 @@ export default { anchor: 'prerequisites', }), userPermissionsDocsPath: helpPagePath('user/permissions.md', { - anchor: 'gitlab-cicd-permissions', + anchor: 'cicd', }), runPipelinesInTheParentProjectHelpPath: helpPagePath( '/ci/pipelines/merge_request_pipelines.html', diff --git a/doc/ci/debugging.md b/doc/ci/debugging.md index ef77a93792ff..a57cf0272570 100644 --- a/doc/ci/debugging.md +++ b/doc/ci/debugging.md @@ -408,7 +408,7 @@ To resolve this, check that: - The path of the project is in the format `my-group/my-project` and does not include any folders in the repository. - The user running the pipeline is a [member of the projects](../user/project/members/index.md#add-users-to-a-project) - that contain the included files. Users must also have the [permission](../user/permissions.md#job-permissions) + that contain the included files. Users must also have the [permission](../user/permissions.md#cicd) to run CI/CD jobs in the same projects. ### `The parsed YAML is too big` message diff --git a/doc/ci/environments/protected_environments.md b/doc/ci/environments/protected_environments.md index 3cb4e3895772..94b2d6857105 100644 --- a/doc/ci/environments/protected_environments.md +++ b/doc/ci/environments/protected_environments.md 
@@ -278,6 +278,6 @@ Protected environments can also be used to require manual approvals before deplo ### Reporter can't run a trigger job that deploys to a protected environment in downstream pipeline -A user who has [deployment-only access to protected environments](#deployment-only-access-to-protected-environments) might **not** be able to run a job if it's with a [`trigger`](../yaml/index.md#trigger) keyword. This is because the job is missing the [`environment`](../yaml/index.md#environment) keyword definition to associate the job with the protected environment, therefore the job is recognized as a standard job that uses [regular CI/CD permission model](../../user/permissions.md#gitlab-cicd-permissions). +A user who has [deployment-only access to protected environments](#deployment-only-access-to-protected-environments) might **not** be able to run a job if it's with a [`trigger`](../yaml/index.md#trigger) keyword. This is because the job is missing the [`environment`](../yaml/index.md#environment) keyword definition to associate the job with the protected environment, therefore the job is recognized as a standard job that uses [regular CI/CD permission model](../../user/permissions.md#cicd). See [this issue](https://gitlab.com/groups/gitlab-org/-/epics/8483) for more information about supporting `environment` keyword with `trigger` keyword. diff --git a/doc/ci/git_submodules.md b/doc/ci/git_submodules.md index 041ab6275cde..3a685423605c 100644 --- a/doc/ci/git_submodules.md +++ b/doc/ci/git_submodules.md 
@@ -118,7 +118,7 @@ To make submodules work correctly in CI/CD jobs: If you use the [`CI_JOB_TOKEN`](jobs/ci_job_token.md) to clone a submodule in a pipeline job, the user executing the job must be assigned to a role that has -[permission](../user/permissions.md#gitlab-cicd-permissions) to trigger a pipeline +[permission](../user/permissions.md#cicd) to trigger a pipeline in the upstream submodule project. Additionally, [CI/CD job token access](jobs/ci_job_token.md#control-job-token-access-to-your-project) must be properly configured in the upstream submodule project. ## Troubleshooting diff --git a/doc/ci/jobs/ci_job_token.md b/doc/ci/jobs/ci_job_token.md index ea9a304c65c2..553000e33d21 100644 --- a/doc/ci/jobs/ci_job_token.md +++ b/doc/ci/jobs/ci_job_token.md @@ -19,7 +19,7 @@ Use a CI/CD job token to authenticate with certain GitLab features from running The token receives the same access level as the user that triggered the pipeline, but has access to fewer resources than a personal access token. A user can cause a job to run with an action like pushing a commit, triggering a manual job, or being the owner of a scheduled pipeline. -This user must have a [role that has the required privileges](../../user/permissions.md#gitlab-cicd-permissions) +This user must have a [role that has the required privileges](../../user/permissions.md#cicd) to access the resources. You can use a job token to authenticate with GitLab to access another group or project's resources (the target project). diff --git a/doc/ci/jobs/job_troubleshooting.md b/doc/ci/jobs/job_troubleshooting.md index d35bca87a218..79f21651fdcc 100644 --- a/doc/ci/jobs/job_troubleshooting.md +++ b/doc/ci/jobs/job_troubleshooting.md 
@@ -55,7 +55,7 @@ depending on factors like the keyword used, or the shell and OS of the runner. You might see pipelines fail when a GitLab administrator runs a protected manual job in a private project. -CI/CD jobs usually clone the project when the job starts, and this uses [the permissions](../../user/permissions.md#job-permissions) +CI/CD jobs usually clone the project when the job starts, and this uses [the permissions](../../user/permissions.md#cicd) of the user that runs the job. All users, including administrators, must be direct members of a private project to clone the source of that project. [An issue exists](https://gitlab.com/gitlab-org/gitlab/-/issues/23130) to change this behavior. diff --git a/doc/ci/pipelines/merge_request_pipelines.md b/doc/ci/pipelines/merge_request_pipelines.md index 5776ea8283f9..d8bbe83f64e9 100644 --- a/doc/ci/pipelines/merge_request_pipelines.md +++ b/doc/ci/pipelines/merge_request_pipelines.md @@ -118,7 +118,7 @@ Prerequisites: - The parent project's `.gitlab-ci.yml` file must be configured to [run jobs in merge request pipelines](#prerequisites). -- You must be a member of the parent project with [permissions to run CI/CD pipelines](../../user/permissions.md#gitlab-cicd-permissions). +- You must be a member of the parent project with [permissions to run CI/CD pipelines](../../user/permissions.md#cicd). You might need additional permissions if the branch is protected. - The fork project must be [visible](../../user/public_access.md) to the user running the pipeline. Otherwise, the **Pipelines** tab does not display diff --git a/doc/ci/pipelines/settings.md b/doc/ci/pipelines/settings.md index 86609ebe5f3e..68a375aa4c4b 100644 --- a/doc/ci/pipelines/settings.md +++ b/doc/ci/pipelines/settings.md 
@@ -67,7 +67,7 @@ To change the pipeline visibility for non-project members: - **Everyone With Access**: Non-project members can also view pipelines. 1. Select **Save changes**. -The [CI/CD permissions table](../../user/permissions.md#gitlab-cicd-permissions) +The [CI/CD permissions table](../../user/permissions.md#cicd) lists the pipeline features non-project members can access when **Everyone With Access** is selected. diff --git a/doc/ci/variables/index.md b/doc/ci/variables/index.md index 6c4ea8ee3e84..37d8c5d626d0 100644 --- a/doc/ci/variables/index.md +++ b/doc/ci/variables/index.md @@ -1020,7 +1020,7 @@ if [[ -d "/builds/gitlab-examples/ci-debug-trace/.git" ]]; then #### Access to debug logging -Access to debug logging is restricted to [users with at least the Developer role](../../user/permissions.md#gitlab-cicd-permissions). Users with a lower role cannot see the logs when debug logging is enabled with a variable in: +Access to debug logging is restricted to [users with at least the Developer role](../../user/permissions.md#cicd). Users with a lower role cannot see the logs when debug logging is enabled with a variable in: - The [`.gitlab-ci.yml` file](#define-a-cicd-variable-in-the-gitlab-ciyml-file). - The CI/CD variables set in the GitLab UI. diff --git a/doc/user/permissions.md b/doc/user/permissions.md index 5dea059437d7..30bd7180845e 100644 --- a/doc/user/permissions.md +++ b/doc/user/permissions.md 
@@ -92,13 +92,10 @@ The following table lists project permissions available for each role: | [Project operations](../operations/index.md):<br>Manage [Error Tracking](../operations/error_tracking.md) | | | | ✓ | ✓ | | | [Projects](project/index.md):<br>Reposition comments on images (posted by any user) | ✓ | ✓ | ✓ | ✓ | ✓ | Applies only to comments on [Design Management](project/issues/design_management.md) designs. | | [Projects](project/index.md):<br>View [Insights](project/insights/index.md) | ✓ | ✓ | ✓ | ✓ | ✓ | | -| [Projects](project/index.md):<br>View [releases](project/releases/index.md) | ✓ | ✓ | ✓ | ✓ | ✓ | Guest users can access GitLab [**Releases**](project/releases/index.md) for downloading assets but are not allowed to download the source code nor see [repository information like commits and release evidence](project/releases/index.md#view-a-release-and-download-assets). | | [Projects](project/index.md):<br>View [Requirements](project/requirements/index.md) | ✓ | ✓ | ✓ | ✓ | ✓ | | | [Projects](project/index.md):<br>View [time tracking](project/time_tracking.md) reports | ✓ | ✓ | ✓ | ✓ | ✓ | On self-managed GitLab instances, users with the Guest role are able to perform this action only on public and internal projects (not on private projects). [External users](../administration/external_users.md) must be given explicit access (at least the **Reporter** role) even if the project is internal. Users with the Guest role on GitLab.com are only able to perform this action on public projects because internal visibility is not available. 
| | [Projects](project/index.md):<br>Create [snippets](snippets.md) | | ✓ | ✓ | ✓ | ✓ | | | [Projects](project/index.md):<br>View [project traffic statistics](../api/project_statistics.md) | | ✓ | ✓ | ✓ | ✓ | | -| [Projects](project/index.md):<br>Create, edit, delete [releases](project/releases/index.md) | | | ✓ | ✓ | ✓ | If the [tag is protected](project/protected_tags.md), this depends on the access given to Developers and Maintainers. | -| [Projects](project/index.md):<br>Enable [review apps](../ci/review_apps/index.md) | | | ✓ | ✓ | ✓ | | | [Projects](project/index.md):<br>Add [deploy keys](project/deploy_keys/index.md) | | | | ✓ | ✓ | | | [Projects](project/index.md):<br>Manage [Project Operations](../operations/index.md) | | | | ✓ | ✓ | | | [Projects](project/index.md): View [Usage Quotas](usage_quotas.md) page | | | | ✓ | ✓ | | 
@@ -131,6 +128,66 @@ Project permissions for [application security](application_security/secure_your_ | Create or assign [security policy project](application_security/policies/index.md) | | | | | ✓ | | | Manage [security configurations](application_security/configuration/index.md) | | | | | ✓ | | +### CI/CD + +[GitLab CI/CD](../ci/index.md) permissions for some roles can be modified by these settings: + +- [Public pipelines](../ci/pipelines/settings.md#change-which-users-can-view-your-pipelines): + When set to public, gives access to certain CI/CD features to *Guest* project members. +- [Pipeline visibility](../ci/pipelines/settings.md#change-pipeline-visibility-for-non-project-members-in-public-projects): + When set to **Everyone with Access**, gives access to certain CI/CD "view" features to *non-project* members. + +Project Owners can do any listed action, and also can delete pipelines: + +| Action | Non-member | Guest | Reporter | Developer | Maintainer | Notes | +|--------------------------------------------------------------------------------------------------------------------------------|:----------:|:-----:|:--------:|:---------:|:----------:|-------| +| See that artifacts exist | ✓ | ✓ | ✓ | ✓ | ✓ | Non-members and guests: Only if the project is public. | +| View a list of jobs | ✓ | ✓ | ✓ | ✓ | ✓ | Non-members: Only if the project is public and **Public pipelines** is enabled in **Project Settings > CI/CD**.<br>Guests: Only if **Public pipelines** is enabled in **Project Settings > CI/CD**. | +| View and download artifacts | ✓ | ✓ | ✓ | ✓ | ✓ | Non-members: Only if the project is public, **Public pipelines** is enabled in **Project Settings > CI/CD**, and [`artifacts:public: false`](../ci/yaml/index.md#artifactspublic) is not set on the job.<br>Guests: Only if **Public pipelines** is enabled in **Project Settings > CI/CD** and `artifacts:public: false` is not set on the job.<br>Reporters: Only if `artifacts:public: false` is not set on the job. 
| +| View [environments](../ci/environments/index.md) | ✓ | ✓ | ✓ | ✓ | ✓ | Non-members and guests: Only if the project is public. | +| View job logs and job details page | ✓ | ✓ | ✓ | ✓ | ✓ | Non-members: Only if the project is public and **Public pipelines** is enabled in **Project Settings > CI/CD**.<br>Guests: Only if **Public pipelines** is enabled in **Project Settings > CI/CD**. | +| View pipelines and pipeline details pages | ✓ | ✓ | ✓ | ✓ | ✓ | Non-members: Only if the project is public and **Public pipelines** is enabled in **Project Settings > CI/CD**.<br>Guests: Only if **Public pipelines** is enabled in **Project Settings > CI/CD**. | +| View pipelines tab in MR | ✓ | ✓ | ✓ | ✓ | ✓ | Non-members and guests: Only if the project is public. | +| [View vulnerabilities in a pipeline](application_security/vulnerability_report/pipeline.md#view-vulnerabilities-in-a-pipeline) | | ✓ | ✓ | ✓ | ✓ | Guests: Only if **Public pipelines** is enabled in **Project Settings > CI/CD**. | +| Run deployment job for a protected environment | | | ✓ | ✓ | ✓ | Reporters: Only if the user is [part of a group with access to the protected environment](../ci/environments/protected_environments.md#deployment-only-access-to-protected-environments).<br>Developers and maintainers: Only if the user is [allowed to deploy to the protected branch](../ci/environments/protected_environments.md#protecting-environments). | +| View and download project [Secure Files](../api/secure_files.md) | | | | ✓ | ✓ | | +| Retry jobs | | | | ✓ | ✓ | | +| Cancel jobs | | | | ✓ | ✓ | Cancellation permissions can be [restricted in the pipeline settings](../ci/pipelines/settings.md#restrict-roles-that-can-cancel-pipelines-or-jobs). 
| +| Create new [environments](../ci/environments/index.md) | | | | ✓ | ✓ | | +| Enable [review apps](../ci/review_apps/index.md) | | | | ✓ | ✓ | | +| Delete job logs or job artifacts | | | | ✓ | ✓ | Developers: Only if the job was triggered by the user and runs for a non-protected branch. | +| Run CI/CD pipeline | | | | ✓ | ✓ | | +| Run CI/CD job | | | | ✓ | ✓ | | +| Run CI/CD pipeline for a protected branch | | | | ✓ | ✓ | Developers and maintainers: Only if the user is [allowed to merge or push to the protected branch](../ci/pipelines/index.md#pipeline-security-on-protected-branches). | +| Stop [environments](../ci/environments/index.md) | | | | ✓ | ✓ | | +| View a job with [debug logging](../ci/variables/index.md#enable-debug-logging) | | | | ✓ | ✓ | | +| Use pipeline editor | | | | ✓ | ✓ | | +| Run [interactive web terminals](../ci/interactive_web_terminal/index.md) | | | | ✓ | ✓ | | +| Add project runners to project | | | | | ✓ | | +| Clear runner caches manually | | | | | ✓ | | +| Enable instance runners in project | | | | | ✓ | | +| Manage CI/CD settings | | | | | ✓ | | +| Manage job triggers | | | | | ✓ | | +| Manage project CI/CD variables | | | | | ✓ | | +| Manage project [Secure Files](../api/secure_files.md) | | | | | ✓ | | + +This table shows granted privileges for jobs triggered by specific roles. + +Project Owners can do any listed action, but no users can push source and LFS together. +Guest users and members with the Reporter role cannot do any of these actions. + +| Action | Developer | Maintainer | Notes | +|----------------------------------------------|:---------:|:----------:|-------| +| Clone source and LFS from current project | ✓ | ✓ | | +| Clone source and LFS from public projects | ✓ | ✓ | | +| Clone source and LFS from internal projects | ✓ | ✓ | Developers and Maintainers: Only if the triggering user is not an external user. 
| +| Clone source and LFS from private projects | ✓ | ✓ | Only if the triggering user is a member of the project. See also [Usage of private Docker images with `if-not-present` pull policy](https://docs.gitlab.com/runner/security/index.html#usage-of-private-docker-images-with-if-not-present-pull-policy). | +| Pull container images from current project | ✓ | ✓ | | +| Pull container images from public projects | ✓ | ✓ | | +| Pull container images from internal projects | ✓ | ✓ | Developers and Maintainers: Only if the triggering user is not an external user. | +| Pull container images from private projects | ✓ | ✓ | Only if the triggering user is a member of the project. See also [Usage of private Docker images with `if-not-present` pull policy](https://docs.gitlab.com/runner/security/index.html#usage-of-private-docker-images-with-if-not-present-pull-policy). | +| Push container images to current project | ✓ | ✓ | You cannot push container images to other projects. | + ### Compliance Project permissions for [compliance](compliance/index.md) features including compliance center, audit events, compliance frameworks, and licenses. 
@@ -228,6 +285,8 @@ Project permissions for [project features](project/organize_work_with_projects.m |---------------------------------------------------------------------------|:-----:|:--------:|:---------:|:----------:|:-----:|-------| | Download project | ✓ | ✓ | ✓ | ✓ | ✓ | On self-managed GitLab instances, users with the Guest role are able to perform this action only on public and internal projects (not on private projects). [External users](../administration/external_users.md) must be given explicit access (at least the **Reporter** role) even if the project is internal. Users with the Guest role on GitLab.com are only able to perform this action on public projects because internal visibility is not available. | | Leave comments | ✓ | ✓ | ✓ | ✓ | ✓ | | +| View [releases](project/releases/index.md) | | | ✓ | ✓ | ✓ | Guest users can access GitLab [**Releases**](project/releases/index.md) for downloading assets but are not allowed to download the source code nor see [repository information like commits and release evidence](project/releases/index.md#view-a-release-and-download-assets). | +| Manage [releases](project/releases/index.md) | | | | ✓ | ✓ | If the [tag is protected](project/protected_tags.md), this depends on the access given to Developers and Maintainers. | | Configure [webhooks](project/integrations/webhooks.md) | | | | ✓ | ✓ | | | Manage [project access tokens](project/settings/project_access_tokens.md) | | | | ✓ | ✓ | For self-managed GitLab, project access tokens are available in all tiers. For GitLab.com, project access tokens are supported in the Premium and Ultimate tier (excluding [trial licenses](https://about.gitlab.com/free-trial/)). | | [Export project](project/settings/import_export.md) | | | | ✓ | ✓ | | 
@@ -286,68 +345,6 @@ Project permissions for [user management](project/members/index.md). | Share (invite) projects with groups | | | | ✓ | ✓ | When [Share Group Lock](group/access_and_permissions.md#prevent-a-project-from-being-shared-with-groups) is enabled the project can't be shared with other groups. It does not affect group with group sharing. | | View 2FA status of members | | | | ✓ | ✓ | | -### GitLab CI/CD permissions - -[GitLab CI/CD](../ci/index.md) permissions for some roles can be modified by these settings: - -- [Public pipelines](../ci/pipelines/settings.md#change-which-users-can-view-your-pipelines): - When set to public, gives access to certain CI/CD features to *Guest* project members. -- [Pipeline visibility](../ci/pipelines/settings.md#change-pipeline-visibility-for-non-project-members-in-public-projects): - When set to **Everyone with Access**, gives access to certain CI/CD "view" features to *non-project* members. - -Project Owners can do any listed action, and also can delete pipelines: - -| Action | Non-member | Guest | Reporter | Developer | Maintainer | Notes | -|--------------------------------------------------------------------------------------------------------------------------------|:----------:|:-----:|:--------:|:---------:|:----------:|-------| -| See that artifacts exist | ✓ | ✓ | ✓ | ✓ | ✓ | Non-members and guests: Only if the project is public. | -| View a list of jobs | ✓ | ✓ | ✓ | ✓ | ✓ | Non-members: Only if the project is public and **Public pipelines** is enabled in **Project Settings > CI/CD**.<br>Guests: Only if **Public pipelines** is enabled in **Project Settings > CI/CD**. 
| -| View and download artifacts | ✓ | ✓ | ✓ | ✓ | ✓ | Non-members: Only if the project is public, **Public pipelines** is enabled in **Project Settings > CI/CD**, and [`artifacts:public: false`](../ci/yaml/index.md#artifactspublic) is not set on the job.<br>Guests: Only if **Public pipelines** is enabled in **Project Settings > CI/CD** and `artifacts:public: false` is not set on the job.<br>Reporters: Only if `artifacts:public: false` is not set on the job. | -| View [environments](../ci/environments/index.md) | ✓ | ✓ | ✓ | ✓ | ✓ | Non-members and guests: Only if the project is public. | -| View job logs and job details page | ✓ | ✓ | ✓ | ✓ | ✓ | Non-members: Only if the project is public and **Public pipelines** is enabled in **Project Settings > CI/CD**.<br>Guests: Only if **Public pipelines** is enabled in **Project Settings > CI/CD**. | -| View pipelines and pipeline details pages | ✓ | ✓ | ✓ | ✓ | ✓ | Non-members: Only if the project is public and **Public pipelines** is enabled in **Project Settings > CI/CD**.<br>Guests: Only if **Public pipelines** is enabled in **Project Settings > CI/CD**. | -| View pipelines tab in MR | ✓ | ✓ | ✓ | ✓ | ✓ | Non-members and guests: Only if the project is public. | -| [View vulnerabilities in a pipeline](application_security/vulnerability_report/pipeline.md#view-vulnerabilities-in-a-pipeline) | | ✓ | ✓ | ✓ | ✓ | Guests: Only if **Public pipelines** is enabled in **Project Settings > CI/CD**. | -| Run deployment job for a protected environment | | | ✓ | ✓ | ✓ | Reporters: Only if the user is [part of a group with access to the protected environment](../ci/environments/protected_environments.md#deployment-only-access-to-protected-environments).<br>Developers and maintainers: Only if the user is [allowed to deploy to the protected branch](../ci/environments/protected_environments.md#protecting-environments). 
| -| View and download project [Secure Files](../api/secure_files.md) | | | | ✓ | ✓ | | -| Retry jobs | | | | ✓ | ✓ | | -| Cancel jobs | | | | ✓ | ✓ | Cancellation permissions can be [restricted in the pipeline settings](../ci/pipelines/settings.md#restrict-roles-that-can-cancel-pipelines-or-jobs). | -| Create new [environments](../ci/environments/index.md) | | | | ✓ | ✓ | | -| Delete job logs or job artifacts | | | | ✓ | ✓ | Developers: Only if the job was triggered by the user and runs for a non-protected branch. | -| Run CI/CD pipeline | | | | ✓ | ✓ | | -| Run CI/CD job | | | | ✓ | ✓ | | -| Run CI/CD pipeline for a protected branch | | | | ✓ | ✓ | Developers and maintainers: Only if the user is [allowed to merge or push to the protected branch](../ci/pipelines/index.md#pipeline-security-on-protected-branches). | -| Stop [environments](../ci/environments/index.md) | | | | ✓ | ✓ | | -| View a job with [debug logging](../ci/variables/index.md#enable-debug-logging) | | | | ✓ | ✓ | | -| Use pipeline editor | | | | ✓ | ✓ | | -| Run [interactive web terminals](../ci/interactive_web_terminal/index.md) | | | | ✓ | ✓ | | -| Add project runners to project | | | | | ✓ | | -| Clear runner caches manually | | | | | ✓ | | -| Enable instance runners in project | | | | | ✓ | | -| Manage CI/CD settings | | | | | ✓ | | -| Manage job triggers | | | | | ✓ | | -| Manage project CI/CD variables | | | | | ✓ | | -| Manage project [Secure Files](../api/secure_files.md) | | | | | ✓ | | -| Use [environment terminals](../ci/environments/index.md#web-terminals-deprecated) | | | | | ✓ | | - -#### Job permissions - -This table shows granted privileges for jobs triggered by specific roles. - -Project Owners can do any listed action, but no users can push source and LFS together. -Guest users and members with the Reporter role cannot do any of these actions. 
- -| Action | Developer | Maintainer | Notes | -|----------------------------------------------|:---------:|:----------:|-------| -| Clone source and LFS from current project | ✓ | ✓ | | -| Clone source and LFS from public projects | ✓ | ✓ | | -| Clone source and LFS from internal projects | ✓ | ✓ | Developers and Maintainers: Only if the triggering user is not an external user. | -| Clone source and LFS from private projects | ✓ | ✓ | Only if the triggering user is a member of the project. See also [Usage of private Docker images with `if-not-present` pull policy](https://docs.gitlab.com/runner/security/index.html#usage-of-private-docker-images-with-if-not-present-pull-policy). | -| Pull container images from current project | ✓ | ✓ | | -| Pull container images from public projects | ✓ | ✓ | | -| Pull container images from internal projects | ✓ | ✓ | Developers and Maintainers: Only if the triggering user is not an external user. | -| Pull container images from private projects | ✓ | ✓ | Only if the triggering user is a member of the project. See also [Usage of private Docker images with `if-not-present` pull policy](https://docs.gitlab.com/runner/security/index.html#usage-of-private-docker-images-with-if-not-present-pull-policy). | -| Push container images to current project | ✓ | ✓ | You cannot push container images to other projects. | - ### GitLab Duo Project permissions for [GitLab Duo](gitlab_duo/index.md): 
@@ -378,10 +375,6 @@ The following table lists group permissions available for each role: | View metrics dashboard annotations | | ✓ | ✓ | ✓ | ✓ | | | Create/edit/delete metrics dashboard annotations | | | ✓ | ✓ | ✓ | | | View group audit events | | | ✓ | ✓ | ✓ | Developers and Maintainers can only view events based on their individual actions. | -| View group runners | | | | ✓ | ✓ | | -| View/manage group-level Kubernetes cluster | | | | ✓ | ✓ | | -| Manage group level CI/CD variables | | | | | ✓ | | -| Manage group runners | | | | | ✓ | | | Map or unmap workspace cluster agents to and from a group | | | | | ✓ | | | View workspace cluster agents mapped to a group | | | | ✓ | ✓ | | @@ -396,6 +389,18 @@ Group permissions for [Application Security](application_security/secure_your_ap | View [security dashboard](application_security/security_dashboard/index.md) | | | ✓ | ✓ | ✓ | | | Create or assign [security policy project](application_security/policies/index.md) | | | | | ✓ | | +### CI/CD + +Group permissions for [CI/CD](../ci/index.md): + +| Action | Guest | Reporter | Developer | Maintainer | Owner | Notes | +|---------------------------------------|:-----:|:--------:|:---------:|:----------:|:-----:|-------| +| Manage group-level Kubernetes cluster | | | | ✓ | ✓ | | +| View group runners | | | | ✓ | ✓ | | +| Manage group runners | | | | | ✓ | | +| Manage group level CI/CD variables | | | | | ✓ | | +| Manage group protected environments | | | | | ✓ | | + ### Compliance Groups permissions for [compliance](compliance/index.md) features including compliance center, audit events, compliance frameworks, and licenses. diff --git a/spec/frontend/ci/merge_requests/components/pipelines_table_wrapper_spec.js b/spec/frontend/ci/merge_requests/components/pipelines_table_wrapper_spec.js index 147a9b554829..f7e036adb3f8 100644 --- a/spec/frontend/ci/merge_requests/components/pipelines_table_wrapper_spec.js 
+++ b/spec/frontend/ci/merge_requests/components/pipelines_table_wrapper_spec.js @@ -171,7 +171,7 @@ describe('PipelinesTableWrapper component', () => { '/help/ci/pipelines/merge_request_pipelines.md#prerequisites', ); expect(findUserPermissionsDocsLink().attributes('href')).toBe( - '/help/user/permissions.md#gitlab-cicd-permissions', + '/help/user/permissions.md#cicd', ); expect(findEmptyState().text()).toContain('To run a merge request pipeline'); diff --git a/spec/frontend/commit/pipelines/legacy_pipelines_table_wrapper_spec.js b/spec/frontend/commit/pipelines/legacy_pipelines_table_wrapper_spec.js index 0393254c7c1d..f50ae43349ec 100644 --- a/spec/frontend/commit/pipelines/legacy_pipelines_table_wrapper_spec.js +++ b/spec/frontend/commit/pipelines/legacy_pipelines_table_wrapper_spec.js @@ -93,7 +93,7 @@ describe('Pipelines table in Commits and Merge requests', () => { '/help/ci/pipelines/merge_request_pipelines.md#prerequisites', ); expect(findUserPermissionsDocsLink().attributes('href')).toBe( - '/help/user/permissions.md#gitlab-cicd-permissions', + '/help/user/permissions.md#cicd', ); expect(findEmptyState().text()).toContain( 'To run a merge request pipeline, the jobs in the CI/CD configuration file must be configured to run in merge request pipelines ' + -- GitLab