GitLab user for organisation and GitLab users permissions, does it really have to be Owner and why?

Hi,

We are using GitLab, GitLab CI and sonarcloud.io. Generally it is working great but there is one thing which is bugging us heavily. The GitLab User who is handling the comments etc. does need to be “Owner” and nothing else is supported.

I am curious why this is the case. So far the only thing I have seen is that the user is commenting on Merge Requests (and this works with the Reporter role too).
The token with API access will still work; the analysis is done via GitLab CI, so there is no need for further information.

Hence we are curious, because we figured out it is working with fewer permissions as well. So we:

  1. Elevate the permissions of our sonarcloud bot user to Owner
  2. Update the token in sonarcloud.io
  3. Demote the user to Reporter

We might be missing an edge case or some functionality here; it would be good to verify what functionality we might miss with fewer permissions and therefore higher security. (We try to avoid having as many Owners as possible.)

Thank you

PS: the warning when adding the token states that the user has to be admin, but it actually should be Owner, as there is no such role as admin on GitLab SaaS :slight_smile:
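To check the outcome of the elevate/update/demote procedure above, one can list the group's members through the GitLab REST API and flag any bot account still holding more than Reporter. The script below is an added example and not code from SonarCloud or GitLab; the endpoint `GET /groups/:id/members/all` and the numeric access levels (10 Guest, 20 Reporter, 30 Developer, 40 Maintainer, 50 Owner) are GitLab's documented values, while the group id, token, bot username and the `SAMPLE_MEMBERS` payload are constructed for illustration.

```python
import json
import urllib.request

# GitLab access levels as documented in the GitLab API reference.
ACCESS_LEVELS = {10: "Guest", 20: "Reporter", 30: "Developer", 40: "Maintainer", 50: "Owner"}
OWNER = 50
REPORTER = 20

# Constructed sample of what GET /groups/:id/members/all returns (only the fields used here).
# "sonarcloud-bot" is still Owner here, i.e. the demotion step has not been applied yet.
SAMPLE_MEMBERS = [
    {"id": 101, "username": "alice", "access_level": OWNER},
    {"id": 102, "username": "bob", "access_level": 30},
    {"id": 103, "username": "sonarcloud-bot", "access_level": OWNER},
]


def role_name(level):
    """Translate a numeric access level into GitLab's role name."""
    return ACCESS_LEVELS.get(level, "unknown(%s)" % level)


def owners(members):
    """Usernames holding the Owner role, sorted, so the list can be reviewed regularly."""
    return sorted(m["username"] for m in members if m["access_level"] >= OWNER)


def audit_bot_roles(members, bot_usernames, max_level=REPORTER):
    """Return (username, role) for every bot account granted more than max_level.

    An empty list means every listed bot is within the intended least-privilege bound.
    """
    findings = []
    for m in members:
        if m["username"] in bot_usernames and m["access_level"] > max_level:
            findings.append((m["username"], role_name(m["access_level"])))
    return findings


def fetch_group_members(base_url, group_id, token):
    """Fetch all direct and inherited members of a group (first page of 100; add pagination for larger groups).

    base_url, group_id and token are supplied by the caller, e.g. "https://gitlab.com", a numeric group id
    and a personal access token with read_api scope (assumed values, not from the original post).
    """
    url = "%s/api/v4/groups/%s/members/all?per_page=100" % (base_url, group_id)
    req = urllib.request.Request(url, headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Offline run against the constructed payload; swap in fetch_group_members(...) for a live check.
    print("Owners:", owners(SAMPLE_MEMBERS))
    for user, role in audit_bot_roles(SAMPLE_MEMBERS, {"sonarcloud-bot"}):
        print("bot %s holds %s, expected at most %s" % (user, role, role_name(REPORTER)))
```

Running this against the sample reports `sonarcloud-bot` as an Owner; once step 3 of the procedure has been applied, `audit_bot_roles` returns an empty list and the bot drops out of `owners`, which is the state worth confirming after every token rotation.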

Hello Simon,

Thank you for raising this important point with us.

The permissions required stem from restricting the token creation to an Owner and member for the initial team creation and subsequent project import. For this feature we believe this is the correct approach.

Your finding does demonstrate that there is an opportunity to adjust the granularity of the permission structure to reduce the permissions required for subsequent activities. We have reproduced your findings locally with the Reporter role and it seems to work well, but it would require much more testing to verify there are no side effects.

The best route is an intentional design to allow this, so we have added this suggestion to our product board.

I hope this helps.

Kind regards,
Mark Clements
