User roles

This reference is meant to be a quick guide to the role types that are available for use when setting user permissions for namespace, subgroup, team, and project roles.

Related Documentation

• Namespace configuration guide: Guide to using the Infrastructure-as-Code configuration project to configure your namespace
• Configuration schema reference: Reference for all of the allowed settings for the cg-workshop.yml file

Where to set roles

Within your config project roles are set via:

• var.namespace_roles in settings.auto.tfvars
• In yaml config files with the keys:
  • subgroups.members
  • subgroups.group_roles
  • projects.group_roles
  • teams.namespace_role
  • teams.managed_projects_role

Default roles

The following default roles are available to use any place roles can be set:

• guests
• planners
• reporters
• developers
• maintainers

See GitLab roles help for information on what permissions are granted to each role.

In addition, the owners role can be used for subgroup, team, or project permission. The owners role cannot be used on the entire namespace.

tip

Please send us a support request to update your list of namespace owners.

Custom roles

We also support a value of devops when setting roles on the namespace, on subgroups, or on teams.

warning

Custom roles are not currently supported on projects.group_roles or teams.managed_projects_role

DevOps

The devops role has all of the same permissions as developers and adds on:

• Read/write access to GitLab's terraform state files.
• Read/write access to GitLab's CI/CD variables.

Requesting a new custom role

Please send an email to workshop-support@cloud.gov to request a new custom role.

note

Custom roles are available across the entire Workshop instance, and are limited in number. For that reason, we may not be able to create a custom role for extremely narrow use cases.