- Source: GL_PersonalAccessToken
- Destination: GL_User
The traversable GL_HasPrivilegeOf edge records that a personal access token (GL_PersonalAccessToken) carries the same group and project memberships as its owning user. A PAT authenticates as the user and, within its declared API scopes, can perform any action the user is authorized to perform.
This edge is traversable and is critical for understanding the impact of a stolen or discovered PAT: an attacker who obtains the token gains all the user's effective access across every group and project the user is a member of, without needing the user's password or 2FA. The actual permissions are found by traversing from the user through the RBAC graph.
Combined with GL_IsToken, this edge creates the full path from a CI/CD variable or secret scan finding to the effective access an attacker gains.
```mermaid
graph LR
pvar("fa:fa-sliders GL_ProjectVariable DEPLOY_TOKEN")
pat("fa:fa-key GL_PersonalAccessToken alice-api")
user("fa:fa-user GL_User alice")
ownerRole("fa:fa-user-tie GL_GroupRole myorg/Owner")
pvar -->|GL_IsToken| pat
pat -->|GL_HasPrivilegeOf| user
user -->|GL_HasRole| ownerRole
```
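The traversal the text describes (finding to token, token to user, user to roles) as an added worked example; this is illustration code written for this page, not the tool's own graph engine or query language. The graph is constructed inline with the page's node and edge kinds; `GL_Annotates` is a hypothetical non-traversable edge kind added only to show that impact analysis follows traversable edges and ignores the rest, and the second `GL_GroupRole` for alice and the user `bob` are likewise constructed.

```python
from collections import deque

# Constructed sample graph (not data from the tool the page describes).
# Nodes are written "Kind:name"; edges are (source, edge_kind, destination).
# GL_IsToken, GL_HasPrivilegeOf and GL_HasRole mirror the page; GL_Annotates
# is a hypothetical informational edge kind that must NOT be followed.
EDGES = [
    ("GL_ProjectVariable:DEPLOY_TOKEN", "GL_IsToken", "GL_PersonalAccessToken:alice-api"),
    ("GL_PersonalAccessToken:alice-api", "GL_HasPrivilegeOf", "GL_User:alice"),
    ("GL_User:alice", "GL_HasRole", "GL_GroupRole:myorg/Owner"),
    ("GL_User:alice", "GL_HasRole", "GL_GroupRole:platform/Developer"),  # constructed
    ("GL_User:bob", "GL_HasRole", "GL_GroupRole:myorg/Developer"),       # constructed
    ("GL_PersonalAccessToken:alice-api", "GL_Annotates", "GL_User:bob"),  # hypothetical, non-traversable
]

# Only these edge kinds carry privilege and may be followed during impact analysis.
TRAVERSABLE = frozenset({"GL_IsToken", "GL_HasPrivilegeOf", "GL_HasRole"})


def node_kind(node):
    """Return the 'Kind' part of a 'Kind:name' node label."""
    return node.split(":", 1)[0]


def build_adjacency(edges):
    """Index edges by source node so neighbours can be looked up directly."""
    adj = {}
    for src, kind, dst in edges:
        adj.setdefault(src, []).append((kind, dst))
    return adj


def effective_roles(edges, start, traversable=TRAVERSABLE):
    """Breadth-first traversal from `start` over traversable edges only.

    Returns {role_node: path}, where path alternates node labels and edge
    kinds and explains why the start node reaches that GL_GroupRole.
    """
    adj = build_adjacency(edges)
    seen = {start}
    queue = deque([(start, [start])])
    roles = {}
    while queue:
        node, path = queue.popleft()
        if node_kind(node) == "GL_GroupRole":
            roles[node] = path
        for kind, dst in adj.get(node, []):
            if kind in traversable and dst not in seen:
                seen.add(dst)
                queue.append((dst, path + [kind, dst]))
    return roles


def blast_radius_report(edges, finding):
    """Summarise what a secret-scan finding (a variable node) can reach."""
    roles = effective_roles(edges, finding)
    lines = [f"Finding: {finding} reaches {len(roles)} role(s)"]
    for role, path in sorted(roles.items()):
        lines.append("  " + " -> ".join(path))
    return "\n".join(lines)


if __name__ == "__main__":
    print(blast_radius_report(EDGES, "GL_ProjectVariable:DEPLOY_TOKEN"))
```

Starting from the variable rather than the user is deliberate: the report answers the question a triager has when a scanner flags `DEPLOY_TOKEN`, namely which roles the leaked token effectively holds, and the path returned for each role is the evidence to attach to the finding. Bob's role is never reached because the only edge leading to him is not traversable.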