Hey there, my name is Fernando and I'm part of Developer Relations here at GitLab, and welcome to video two of my series on the principle of least privilege. Today I'll be going over custom roles and granular security permissions, and how they can help you further strengthen the principle of least privilege within your organization.

Custom roles allow group members who are assigned the Owner role to create roles specific to the needs of their organization. The way this works is that, as an owner of a group, I can go ahead and add a new member and provide them with the Guest role. The Guest role is the role within GitLab with the most limited set of permissions available. I can then apply a different set of granular permissions to that Guest role. Currently the following granular permissions are available to be applied to a custom role: you can allow a Guest role to view code, view vulnerability reports and change the status of vulnerabilities, view the dependency list, approve merge requests, and manage group members. Note that more granular permissions will be added in future versions of GitLab.

All right, now let's see this all in action. I'm going to be wearing this beanie to signify an administrator or maintainer within a group who will be requesting a guest to perform a security audit. Now, this security auditor must be a guest with only the additional permission of viewing the vulnerability report, so they can assess where the security risk is. They should not be able to interact with the system in other ways, such as editing or merging code, which could fail our build or pipeline.
I'm going to be wearing this black beanie to signify the security auditor role. Now let's get started.

The prerequisites for creating a custom role are as follows: you must be either an administrator of a self-managed instance or have the Owner role in the group you are creating a custom role in (if you're using GitLab SaaS, you just need the latter); the group must be in the Ultimate tier; you must have a personal access token with the API scope; and you must have at least one private project so you can see the effect.

All right, so let's get started. I'm a security auditor here, and I have access to ATX Events, which hosts projects for applications related to events occurring in Austin, Texas. You can see I am a guest, and I go here to the EOS birthday event project, but I can't really do much within this project because of my role. You can see I can look at issues, see what issues are there, and comment on them, but I don't have any access to anything related to security. I can't really audit the system or do anything with vulnerabilities, so I can't even tell if there are vulnerabilities within this system, much less look at the code or anything else. So now I need to tell my administrator to provide me with access to the vulnerability report, but they shouldn't give me access to other items such as editing code.

All right, so now I'm logged in as the group owner, and I'm going to go ahead and create a custom role for my security auditor. I go to Settings, then Roles and Permissions, and here you can see that there are no custom roles within this group. So I'm going to go ahead and add a new role, and I'm going to base it off of the Guest template.
I'm going to name it "security auditor", I'm going to say "audit the system for vulnerabilities", and I'm going to give them access to just read vulnerabilities and not even be able to look at the source code itself. So let me go ahead and create this new role. We can see that the new role has been created with an ID of 2, the base role of Guest, and the permission "read vulnerability".

Now I must go ahead and apply this role to my member. So in my terminal I'm going to run this curl request to the GitLab API, so that I can assign the member role ID of 2, which is the new security auditor role I've created, give it access level 10, which is the access level for a guest, and apply that to member 3, which is the security auditor, within group 2, which is my ATX Events group. I press Enter, and you can see the custom role has been applied to the security auditor member.

So I'm back as the security auditor, and I'm here in the EOS birthday project. You can see that I still cannot see any code within the project, but if you look now, the Secure tab is available and I can go ahead and access the vulnerability report. This vulnerability report allows me to see all the vulnerabilities within the system, and I can sort by the different severities and actually perform the audit. If I click on a vulnerability, I have all this advanced data to let me audit the system and see what needs to be handled first, and I can create issues from there. But you can see that I can't change the status of it, because my permissions were only to view. And that's custom roles and granular permissions in a nutshell.
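The curl step from the walkthrough, written out as an added shell example (not the video's own command). It uses the GitLab Members API endpoint `PUT /groups/:id/members/:user_id` with the values shown in the video (group 2, user 3, member role ID 2, access level 10 for Guest), and assumes a personal access token in `GITLAB_TOKEN` and an instance URL in `GITLAB_URL` (the default below is a placeholder).

```shell
#!/bin/sh
# Added example: assign a GitLab custom role to a group member via the Members API.
# Assumptions: GITLAB_TOKEN holds a personal access token with the api scope;
# GITLAB_URL is your instance (the default is a placeholder, not a real host).
GITLAB_URL="${GITLAB_URL:-https://gitlab.example.com}"

# A custom role must sit on one of GitLab's numeric base access levels.
# The video uses 10 (Guest); anything else is rejected before a request is sent.
valid_access_level() {
  case "$1" in
    10|20|30|40|50) return 0 ;;   # Guest, Reporter, Developer, Maintainer, Owner
    *) return 1 ;;
  esac
}

# assign_custom_role GROUP_ID USER_ID MEMBER_ROLE_ID ACCESS_LEVEL
# Sends PUT /groups/:id/members/:user_id with access_level and member_role_id.
# With DRY_RUN=1 the command is printed (token masked) instead of executed,
# so the change can be reviewed before it is applied.
assign_custom_role() {
  group_id="$1"; user_id="$2"; role_id="$3"; level="$4"
  valid_access_level "$level" || { echo "invalid access level: $level" >&2; return 2; }
  url="${GITLAB_URL}/api/v4/groups/${group_id}/members/${user_id}"
  data="access_level=${level}&member_role_id=${role_id}"
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf 'curl -sS -X PUT --header "PRIVATE-TOKEN: ***" --data "%s" "%s"\n' "$data" "$url"
    return 0
  fi
  curl -sS -X PUT --header "PRIVATE-TOKEN: ${GITLAB_TOKEN}" --data "$data" "$url"
}

# Invoke as `sh assign_role.sh run` to apply the role from the video:
# member 3 in group 2 gets member role 2 on the Guest (10) base level.
if [ "${1:-}" = "run" ]; then
  assign_custom_role 2 3 2 10
fi
```

Run it once with `DRY_RUN=1 sh assign_role.sh run` to confirm the group, user and role IDs before sending the real request.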