GitLab · 2024–25 · Authorization

Custom Admin Role

Enterprise administrators needed a way to grant specific admin area access without handing over full system control. I designed a new permission layer that replaced GitLab's all-or-nothing admin model — reducing 250 overprivileged admins to the industry standard of 1–2.

Role
Lead Product Designer
Timeline
Nov 2024 – Feb 2025
Team
Authorization Engineering, PM, Product Security
Status
Shipped · GitLab 17.9
Overview
An all-or-nothing model that didn't scale.

GitLab's admin model was binary: full administrator access or none. For enterprise teams, support staff who needed read access to the admin area had to be granted full admin privileges — creating serious compliance and security exposure.

This was one of GitLab's top 5 security risks, and a blocker for enterprise customers in regulated industries.

Define
One decision shaped the entire system.

Before designing, I explored two fundamentally different models for how custom admin roles would relate to existing user types.

Consideration | OR — New user type alongside Regular/Auditor | AND — Permission layer on top of existing types
Mental model | Replaces familiar access level concept | Builds on what admins already understand
Scalability | Dropdown grows with every new role | Admin roles stay separate from member roles
Scope | Groups group/project access with admin permissions | Admin area permissions stay cleanly separated
LDAP risk | Risk of breaking existing integrations | Additive — no disruption to existing setup

Users already understood Regular vs. Auditor. Adding custom admin permissions on top preserved that — and avoided a disruptive mental model shift.

Decision: AND operation — keep existing user types, add custom admin role as a separate permission layer. Validated with customers before any further design investment.

Process
Research-led, iteratively refined.
01
Current experience audit
Mapped existing flows for creating users, assigning access, filtering, and viewing roles — identifying where the all-or-nothing model created friction and compliance risk.
02
Design exploration
Explored both OR and AND models across key flows: assigning roles, creating roles, and viewing all roles in a table. Also explored three visual treatments for distinguishing admin vs. member roles.
03
Customer interviews + usability testing
Interviewed 2 enterprise customers to validate the AND model. Ran usability tests with 6 participants — high task completion across all flows. Key finding: users needed clear system feedback after each action and read permission descriptions carefully before granting access.
04
Refinement and handoff
Finalized specs across five flows and coordinated with engineering for phased breakdown. Identified papercut improvements to keep GA scope clean.
Solution
Five flows. One coherent system.

Create custom admin role. A new "Admin role" option in Roles & Permissions, separate from member roles. Admins select specific admin area permissions with descriptions to support deliberate access decisions.

Assign to a user. Regular and Auditor users can be assigned a custom admin role as a separate layer — "No access" by default, with a dropdown to assign any created role.

Roles & Permissions table. Clear visual distinction between admin and member roles via badges. Edit and delete follow the same patterns as member roles for consistency.

Safe deletion. A custom admin role can only be deleted after being unassigned from all users — preventing accidental access removal at scale.

User list filtering. Filter by custom admin role, with a truncated badge (max 150px, full name on hover) for long role names.
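The AND model behind the five flows above, as an added illustration written for this page (not GitLab's code): the user type stays as-is, a custom admin role is an optional layer that defaults to "No access", and deletion is refused while any user still holds the role. Permission names such as read_admin_users are constructed examples.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, Iterable, Optional

class UserType(Enum):
    REGULAR = "regular"
    AUDITOR = "auditor"
    ADMINISTRATOR = "administrator"  # legacy all-or-nothing full admin

@dataclass(frozen=True)
class CustomAdminRole:
    name: str
    permissions: FrozenSet[str]  # admin-area permission names (constructed for this example)

@dataclass
class User:
    username: str
    user_type: UserType
    admin_role: Optional[CustomAdminRole] = None  # "No access" by default

class AdminRoleRegistry:
    def __init__(self) -> None:
        self.roles: Dict[str, CustomAdminRole] = {}
        self.users: Dict[str, User] = {}

    def add_user(self, username: str, user_type: UserType) -> None:
        self.users[username] = User(username, user_type)

    def create_role(self, name: str, permissions: Iterable[str]) -> None:
        self.roles[name] = CustomAdminRole(name, frozenset(permissions))

    def assign(self, username: str, role_name: Optional[str]) -> None:
        # Only Regular/Auditor users carry the layer; None resets to "No access".
        user = self.users[username]
        if user.user_type is UserType.ADMINISTRATOR:
            raise ValueError("full administrators already hold every permission")
        user.admin_role = self.roles[role_name] if role_name else None

    def can(self, username: str, permission: str) -> bool:
        user = self.users[username]  # full admins pass; others need the permission in their role
        if user.user_type is UserType.ADMINISTRATOR:
            return True
        return user.admin_role is not None and permission in user.admin_role.permissions

    def delete_role(self, name: str) -> bool:
        # Safe deletion: refuse (return False) while any user still holds the role.
        if any(u.admin_role is self.roles[name] for u in self.users.values()):
            return False
        del self.roles[name]
        return True
```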

Outcomes
From 250 admins to 1–2.
99%
Reduction in overprivileged admins
GitLab reduced its internal count from 250 to the industry standard of 1–2.
$1M+
Security risk addressed
One of GitLab's top 5 security risks, with an estimated $3–5M exposure if left unresolved.
5
Enterprise customers unblocked
Barclays, Phreesia, Arrowstreet, NatWest, and UBS gained granular admin controls required for compliance.