How to remove Admin rights for Maintainer role?

Is it possible to not have Maintainers access to change the projects settings?

https://docs.gitlab.com/ee/user/project/settings/

Only project maintainers and administrators have the permissions to access a project settings.

We want to distinguish between Developers and Maintainers, but only GitLab admins should be able to change instance, group and project settings.

We want Maintainers to be the only ones who can push changes to protected branches.
Setting Protected strategy to “Fully Protected” gives us that.
However, these are still just Developers, and should not be allowed to change the project's settings.

They are the maintainers of the code, but not the project.

Seems there is a feature request for exactly this:

This issue mentions editing the project_policy.rb to change permissions.
Is this possible? Can we edit this and remove all admin rights for Maintainers?

There are three such files on our GitLab EE v13.9.1 instance:

/opt/gitlab/embedded/service/gitlab-rails/ee/app/policies/ee/project_policy.rb
/opt/gitlab/embedded/service/gitlab-rails/app/policies/project_policy.rb
/opt/gitlab/embedded/service/gitlab-rails/app/policies/deploy_keys_project_policy.rb

This is the permission model of GitLab. Maintainer is the highest permission on a project and has a predefined set of permissions, and it means maintainer of the project, not the code. The name might be confusing since it is actually Project Admin, but I don’t think GitLab will change it.
You get the same on GitHub or Bitbucket. With Project Admin permission you can do anything on the project.

If you don’t want to give them the permissions then don’t give it to them. You can use other features to set up what you need, like Protected Branches and Code Owners.

It would require a little more configuration then.
If everyone is a developer, it makes it difficult to distinguish those with merge powers. The default branch protection involves Developers and Maintainers.
Then instead of setting a Role for who could push to protected branches I would need to define which developers for each project.

I understand. You can try to modify the project_policy.rb files, just keep in mind:

  • anything under the ee/ directory is not open source and is licensed under the GitLab commercial license. I don’t know if modification is allowed
  • you need to modify it again after each GitLab instance update
  • you need to restart GitLab after you modify the files
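
The per-project alternative raised earlier in the thread (everyone stays Developer, and push rights on protected branches are granted to named users) can be audited offline. The sketch below is an added example, not part of any post and not GitLab's own code. It takes JSON in the shape returned by `GET /projects/:id/members/all` and `GET /projects/:id/protected_branches` and reports who can push to protected branches and who also holds settings access. The sample data is constructed, per-user push rules are assumed to be available on the instance's licence tier, and group rules and instance admins are not modelled.

```python
import json

MAINTAINER = 40  # GitLab access levels: 30 = Developer, 40 = Maintainer

# Constructed sample data in the shape returned by
# GET /projects/:id/members/all and GET /projects/:id/protected_branches.
MEMBERS = json.loads("""[
  {"id": 11, "username": "alice", "access_level": 30},
  {"id": 12, "username": "bob",   "access_level": 30},
  {"id": 13, "username": "carol", "access_level": 40}
]""")
PROTECTED = json.loads("""[
  {"name": "main",
   "push_access_levels": [
     {"access_level": 40, "user_id": null, "group_id": null},
     {"access_level": null, "user_id": 11, "group_id": null}
   ]}
]""")


def can_push(member, branch):
    """True if a push rule on the branch matches the member by user or role."""
    for rule in branch["push_access_levels"]:
        if rule.get("user_id") is not None:
            if rule["user_id"] == member["id"]:
                return True
        elif rule.get("group_id") is not None:
            continue  # group rules need group membership data; not resolved here
        elif rule.get("access_level"):  # 0 means "No one"
            if member["access_level"] >= rule["access_level"]:
                return True
    return False


def audit(members, branches):
    """Per member: branches they can push to, and whether they hold settings access."""
    report = {}
    for m in members:
        report[m["username"]] = {
            "push": sorted(b["name"] for b in branches if can_push(m, b)),
            "settings": m["access_level"] >= MAINTAINER,
        }
    return report


def pushers_with_settings(report):
    """Members who combine protected-branch push with project settings access."""
    return sorted(u for u, r in report.items() if r["push"] and r["settings"])


if __name__ == "__main__":
    print(json.dumps(audit(MEMBERS, PROTECTED), indent=2))
    print("push + settings:", pushers_with_settings(audit(MEMBERS, PROTECTED)))
```

An empty result from `pushers_with_settings` means every account that can push to a protected branch is limited to Developer-level access on that project.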