Partial access to group Package Registry


I am trying to have users access a group’s Package Registry, where different users have different permissions:

Current situation

My group contains multiple projects, each with its own PyPI packages in the Package Registry:

|- Root
   |- Project A
   |- Project B
   |- Project C

User A has Developer access to group Root (and therefore all projects), but User B only has access to Project A and Project B.

When using the web UI, in the group’s Package Registry, User A sees all packages and User B sees only packages that are in Project A and Project B: this is the behavior I am looking for.

What I want to do

Users install packages with pip. I want to use the group-level registry to have only one URL in the pip config file (new projects may be added to the group and I don’t want to have to edit the config file each time).

What I would like is therefore to give each user the API endpoint for the group-level registry ({GITLAB_URL}/api/v4/groups/{GROUP_ID}/-/packages/pypi/simple) and have them use it with their personal access token.

Each user could then install all packages they should be able to access, with a single, fixed endpoint.

What I observe

User A can install all packages from the group-level endpoint.

However, User B cannot install anything: the endpoint replies with 403: Forbidden. This is unexpected since, in the web UI, User B has access to the group’s package registry (see above).

Am I doing something wrong? Or is this feature not supported by GitLab?
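
One way to record what a given token is allowed to read, as an added example that is not part of the original post: it requests the same package from the group-level index quoted above and from each project-level index, and returns the HTTP status for each. The function names, the environment variable names and the `__token__` user name are assumptions made for this sketch.

```python
import base64
import os
import urllib.error
import urllib.request


def group_index(gitlab_url, group_id):
    """Group-level PyPI simple index, the endpoint quoted in the post."""
    return f"{gitlab_url.rstrip('/')}/api/v4/groups/{group_id}/-/packages/pypi/simple"


def project_index(gitlab_url, project_id):
    """Project-level PyPI simple index for a single project."""
    return f"{gitlab_url.rstrip('/')}/api/v4/projects/{project_id}/packages/pypi/simple"


def http_status(url, token, user="__token__"):
    """GET url with HTTP Basic auth, the way pip sends index-url credentials."""
    # "__token__" is an assumed placeholder user name; the token is the secret.
    cred = base64.b64encode(f"{user}:{token}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {cred}"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code  # 401/403/404 are results to record, not failures


def access_matrix(gitlab_url, group_id, project_ids, package, token, fetch=http_status):
    """Map each endpoint to the status it returns for one token and one package."""
    targets = {"group": group_index(gitlab_url, group_id)}
    for pid in project_ids:
        targets[f"project:{pid}"] = project_index(gitlab_url, pid)
    return {name: fetch(f"{base}/{package}", token) for name, base in targets.items()}


if __name__ == "__main__":
    # Hypothetical variable names; every value comes from the environment.
    env = os.environ
    matrix = access_matrix(env["GITLAB_URL"], env["GROUP_ID"],
                           env["PROJECT_IDS"].split(","), env["PACKAGE"],
                           env["GITLAB_TOKEN"])
    for name, status in matrix.items():
        print(f"{name:14} {status}")
```

Running it once with each user's token shows whether the 403 is specific to the group-level endpoint or also appears on the project-level ones.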