- Source: GL_ProjectRole
- Destination: GL_Project
The non-traversable GL_ManageDeployKeys edge indicates that a role can manage deploy keys — SSH public keys that grant read (or read-write) access to the project's repository without requiring a user account. Maintainer role and above typically have this permission.
Although non-traversable, this edge is significant because adding a deploy key gives persistent SSH-based repository access that survives user account changes, role revocations, and password resets. An attacker who adds their own deploy key can continue cloning the repository indefinitely. With write-enabled deploy keys, the attacker can also push code changes.
graph LR
maintRole("fa:fa-user-tie GL_ProjectRole myproject/Maintainer")
project("fa:fa-diagram-project GL_Project myorg/backend")
maintRole -.->|GL_ManageDeployKeys| project