<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Manage on Software Factory</title><link>/use/tools/gitlab/manage/</link><description>Recent content in Manage on Software Factory</description><generator>Hugo</generator><language>en</language><atom:link href="/use/tools/gitlab/manage/index.xml" rel="self" type="application/rss+xml"/><item><title>Members &amp; Roles</title><link>/use/tools/gitlab/manage/roles/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>/use/tools/gitlab/manage/roles/</guid><description>&lt;p&gt;GitLab uses a &lt;strong&gt;role-based access model&lt;/strong&gt; to control what members can see and do within a group
or project.
Each member is assigned a role that defines their permissions.&lt;/p&gt;
&lt;h2 id="roles-overview"&gt;Roles Overview&lt;a class="td-heading-self-link" href="#roles-overview" aria-label="Heading self-link"&gt;&lt;/a&gt;&lt;/h2&gt;
&lt;p&gt;GitLab defines five base roles, from the most restricted to the most privileged:&lt;/p&gt;
&lt;table&gt;
 &lt;thead&gt;
 &lt;tr&gt;
 &lt;th&gt;Role&lt;/th&gt;
 &lt;th&gt;Typical permissions&lt;/th&gt;
 &lt;/tr&gt;
 &lt;/thead&gt;
 &lt;tbody&gt;
 &lt;tr&gt;
 &lt;td&gt;&lt;strong&gt;Guest&lt;/strong&gt;&lt;/td&gt;
 &lt;td&gt;View issues and epics, create issues (project members only)&lt;/td&gt;
 &lt;/tr&gt;
 &lt;tr&gt;
 &lt;td&gt;&lt;strong&gt;Reporter&lt;/strong&gt;&lt;/td&gt;
 &lt;td&gt;Everything Guest can do, plus manage issues, labels, and milestones&lt;/td&gt;
 &lt;/tr&gt;
 &lt;tr&gt;
 &lt;td&gt;&lt;strong&gt;Developer&lt;/strong&gt;&lt;/td&gt;
 &lt;td&gt;Everything Reporter can do, plus push code, create MRs, manage branches&lt;/td&gt;
 &lt;/tr&gt;
 &lt;tr&gt;
 &lt;td&gt;&lt;strong&gt;Maintainer&lt;/strong&gt;&lt;/td&gt;
 &lt;td&gt;Everything Developer can do, plus manage project settings and members&lt;/td&gt;
 &lt;/tr&gt;
 &lt;tr&gt;
 &lt;td&gt;&lt;strong&gt;Owner&lt;/strong&gt;&lt;/td&gt;
 &lt;td&gt;Full control, including group/project deletion (group level)&lt;/td&gt;
 &lt;/tr&gt;
 &lt;/tbody&gt;
&lt;/table&gt;

 &lt;div class="admonition note"&gt;
 &lt;div class="admonition-header"&gt;&lt;svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 576 512"&gt;&lt;path d="M0 64C0 28.7 28.7 0 64 0L224 0l0 128c0 17.7 14.3 32 32 32l128 0 0 125.7-86.8 86.8c-10.3 10.3-17.5 23.1-21 37.2l-18.7 74.9c-2.3 9.2-1.8 18.8 1.3 27.5L64 512c-35.3 0-64-28.7-64-64L0 64zm384 64l-128 0L256 0 384 128zM549.8 235.7l14.4 14.4c15.6 15.6 15.6 40.9 0 56.6l-29.4 29.4-71-71 29.4-29.4c15.6-15.6 40.9-15.6 56.6 0zM311.9 417L441.1 287.8l71 71L382.9 487.9c-4.1 4.1-9.2 7-14.9 8.4l-60.1 15c-5.5 1.4-11.2-.2-15.2-4.2s-5.6-9.7-4.2-15.2l15-60.1c1.4-5.6 4.3-10.8 8.4-14.9z"/&gt;&lt;/svg&gt;
 &lt;span&gt;Note&lt;/span&gt;
 &lt;/div&gt;
 &lt;div class="admonition-content"&gt;
 &lt;p&gt;GitLab Ultimate also supports &lt;strong&gt;&lt;a href="https://docs.gitlab.com/user/custom_roles/" class="external-link" target="_blank" rel="noopener noreferrer"&gt;custom roles&lt;/a&gt;
&lt;/strong&gt;: roles built on top of a base role with
additional granular permissions (e.g., a Guest who can also read code).
Custom roles are configured at the instance level by a GitLab administrator.&lt;/p&gt;</description></item><item><title>Secrets</title><link>/use/tools/gitlab/manage/secrets/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>/use/tools/gitlab/manage/secrets/</guid><description>&lt;p&gt;This document lists all secrets, tokens and credentials that can be configured and managed by a
&lt;strong&gt;non-administrator&lt;/strong&gt; user in GitLab.&lt;/p&gt;
&lt;p&gt;For each item, a concise explanation of its usage and a link to the official documentation are
provided.&lt;/p&gt;
&lt;h2 id="quick-selection-guide"&gt;Quick Selection Guide&lt;a class="td-heading-self-link" href="#quick-selection-guide" aria-label="Heading self-link"&gt;&lt;/a&gt;&lt;/h2&gt;
&lt;p&gt;Choose the appropriate credential type based on your needs:&lt;/p&gt;
&lt;table&gt;
 &lt;thead&gt;
 &lt;tr&gt;
 &lt;th&gt;Your Need&lt;/th&gt;
 &lt;th&gt;Recommended Credential&lt;/th&gt;
 &lt;/tr&gt;
 &lt;/thead&gt;
 &lt;tbody&gt;
 &lt;tr&gt;
 &lt;td&gt;&lt;strong&gt;Tokens&lt;/strong&gt;&lt;/td&gt;
 &lt;td&gt;&lt;/td&gt;
 &lt;/tr&gt;
 &lt;tr&gt;
 &lt;td&gt;Personal development via HTTPS&lt;/td&gt;
 &lt;td&gt;&lt;a href="/use/tools/gitlab/manage/secrets/#personal-access-tokens-pats"&gt;Personal Access Tokens&lt;/a&gt;
&lt;/td&gt;
 &lt;/tr&gt;
 &lt;tr&gt;
 &lt;td&gt;Automated access to one project&lt;/td&gt;
 &lt;td&gt;&lt;a href="/use/tools/gitlab/manage/secrets/#project-access-tokens"&gt;Project Access Tokens&lt;/a&gt;
&lt;/td&gt;
 &lt;/tr&gt;
 &lt;tr&gt;
 &lt;td&gt;Automated access across a group/subgroup&lt;/td&gt;
 &lt;td&gt;&lt;a href="/use/tools/gitlab/manage/secrets/#group-access-tokens"&gt;Group Access Tokens&lt;/a&gt;
&lt;/td&gt;
 &lt;/tr&gt;
 &lt;tr&gt;
 &lt;td&gt;Deploy/pull code in production&lt;/td&gt;
 &lt;td&gt;&lt;a href="/use/tools/gitlab/manage/secrets/#deploy-tokens"&gt;Deploy Tokens&lt;/a&gt;
&lt;/td&gt;
 &lt;/tr&gt;
 &lt;tr&gt;
 &lt;td&gt;Access GitLab within pipeline jobs&lt;/td&gt;
 &lt;td&gt;&lt;a href="/use/tools/gitlab/manage/secrets/#cicd-job-tokens"&gt;CI/CD Job Tokens&lt;/a&gt;
&lt;/td&gt;
 &lt;/tr&gt;
 &lt;tr&gt;
 &lt;td&gt;&lt;strong&gt;Keys&lt;/strong&gt;&lt;/td&gt;
 &lt;td&gt;&lt;/td&gt;
 &lt;/tr&gt;
 &lt;tr&gt;
 &lt;td&gt;Personal development via SSH&lt;/td&gt;
 &lt;td&gt;&lt;a href="/use/tools/gitlab/manage/secrets/#ssh-keys"&gt;SSH Keys&lt;/a&gt;
&lt;/td&gt;
 &lt;/tr&gt;
 &lt;tr&gt;
 &lt;td&gt;SSH access from external servers&lt;/td&gt;
 &lt;td&gt;&lt;a href="/use/tools/gitlab/manage/secrets/#deploy-keys"&gt;Deploy Keys&lt;/a&gt;
&lt;/td&gt;
 &lt;/tr&gt;
 &lt;tr&gt;
 &lt;td&gt;&lt;strong&gt;CI/CD Variables&lt;/strong&gt;&lt;/td&gt;
 &lt;td&gt;&lt;/td&gt;
 &lt;/tr&gt;
 &lt;tr&gt;
 &lt;td&gt;Store credentials in pipelines&lt;/td&gt;
 &lt;td&gt;&lt;a href="/use/tools/gitlab/manage/secrets/#cicd-variables"&gt;CI/CD Variables (masked)&lt;/a&gt;
&lt;/td&gt;
 &lt;/tr&gt;
 &lt;/tbody&gt;
&lt;/table&gt;

 &lt;div class="admonition important"&gt;
 &lt;div class="admonition-header"&gt;&lt;svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512"&gt;&lt;path d="M256 512A256 256 0 1 0 256 0a256 256 0 1 0 0 512zm0-384c13.3 0 24 10.7 24 24l0 112c0 13.3-10.7 24-24 24s-24-10.7-24-24l0-112c0-13.3 10.7-24 24-24zM224 352a32 32 0 1 1 64 0 32 32 0 1 1 -64 0z"/&gt;&lt;/svg&gt;
 &lt;span&gt;Important&lt;/span&gt;
 &lt;/div&gt;
 &lt;div class="admonition-content"&gt;
 &lt;ul&gt;
&lt;li&gt;Use descriptive names and/or descriptions&lt;/li&gt;
&lt;li&gt;Create a new key/token for each use case—don&amp;rsquo;t reuse tokens across multiple places&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Preserve auditability:&lt;/strong&gt; Individual secret with clear purposes allows you to track usage and
quickly identify which secret can be revoked or rotated if needed.&lt;/li&gt;
&lt;/ul&gt;
 &lt;/div&gt;
 &lt;/div&gt;&lt;h2 id="tokens"&gt;Tokens&lt;a class="td-heading-self-link" href="#tokens" aria-label="Heading self-link"&gt;&lt;/a&gt;&lt;/h2&gt;
&lt;div class="admonition success"&gt;
 &lt;div class="admonition-header"&gt;&lt;svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512"&gt;&lt;path d="M256 512A256 256 0 1 0 256 0a256 256 0 1 0 0 512zM369 209L241 337c-9.4 9.4-24.6 9.4-33.9 0l-64-64c-9.4-9.4-9.4-24.6 0-33.9s24.6-9.4 33.9 0l47 47L335 175c9.4-9.4 24.6-9.4 33.9 0s9.4 24.6 0 33.9z"/&gt;&lt;/svg&gt;
 &lt;span&gt;Software Factory Recommendations&lt;/span&gt;
 &lt;/div&gt;
 &lt;div class="admonition-content"&gt;&lt;ul&gt;
&lt;li&gt;Define an expiration date according to your operational needs&lt;/li&gt;
&lt;li&gt;Select only necessary permissions (use &lt;code&gt;read_repository&lt;/code&gt; instead of &lt;code&gt;api&lt;/code&gt; when possible)&lt;/li&gt;
&lt;li&gt;Use the rotation feature (&lt;code&gt;self_rotate&lt;/code&gt;) if available&lt;/li&gt;
&lt;/ul&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h3 id="personal-access-tokens-pats"&gt;Personal Access Tokens (PATs)&lt;a class="td-heading-self-link" href="#personal-access-tokens-pats" aria-label="Heading self-link"&gt;&lt;/a&gt;&lt;/h3&gt;
&lt;p&gt;Personal access tokens serve as authentication credentials that function as password substitutes.&lt;/p&gt;</description></item></channel></rss>