- Source: GL_ProjectRole
- Destination: GL_Project
The non-traversable GL_ManageProjectAccessTokens edge indicates that a role can create and revoke project access tokens. The Maintainer role and above typically have this permission.
Although non-traversable, this edge is significant because creating a new project access token with Maintainer or Owner scope generates a long-lived API credential for the project. An attacker with this permission can mint a new token to maintain persistent access even after their direct user membership is revoked. Combined with GL_HasRole on the resulting GL_AccessToken node, the created token grants full project access at the specified level.
```mermaid
graph LR
maintRole("fa:fa-user-tie GL_ProjectRole myproject/Maintainer")
project("fa:fa-diagram-project GL_Project myorg/backend")
newToken("fa:fa-key GL_AccessToken backdoor-token")
maintRole -.->|GL_ManageProjectAccessTokens| project
project -.->|GL_HasToken| newToken
```
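The persistence risk described above can be checked from the defender's side by auditing the access tokens a project already has. The following is an added example, not code from the original page or from GitLab; it assumes the record shape of GitLab's project access token listing (`GET /projects/:id/access_tokens`, with `access_level` 40 = Maintainer and 50 = Owner) and runs over a constructed sample.

```python
from datetime import date

# GitLab access_level values: 10 Guest, 20 Reporter, 30 Developer, 40 Maintainer, 50 Owner
MAINTAINER = 40
OWNER = 50

# Constructed sample shaped like the project access token listing (field names
# are an assumption based on GitLab's documented API response).
SAMPLE_TOKENS = [
    {"id": 1, "name": "ci-readonly", "access_level": 20, "scopes": ["read_api"],
     "active": True, "revoked": False, "expires_at": "2024-06-30", "user_id": 101},
    {"id": 2, "name": "backdoor-token", "access_level": 40, "scopes": ["api"],
     "active": True, "revoked": False, "expires_at": "2025-03-02", "user_id": 102},
    {"id": 3, "name": "release-bot", "access_level": 50, "scopes": ["api"],
     "active": True, "revoked": False, "expires_at": None, "user_id": 103},
    {"id": 4, "name": "old-deploy", "access_level": 40, "scopes": ["api"],
     "active": False, "revoked": True, "expires_at": "2024-01-01", "user_id": 104},
]


def audit_project_tokens(tokens, today, max_lifetime_days=90):
    """Return (id, name, reason) for every active, unrevoked token that carries
    Maintainer or Owner level and either never expires or stays valid for more
    than max_lifetime_days from `today`. These are the long-lived, high-privilege
    credentials that the GL_ManageProjectAccessTokens edge lets a role create."""
    findings = []
    for t in tokens:
        if not t["active"] or t["revoked"] or t["access_level"] < MAINTAINER:
            continue
        level = "Owner" if t["access_level"] >= OWNER else "Maintainer"
        expires_at = t.get("expires_at")
        if expires_at is None:
            findings.append((t["id"], t["name"], f"{level} token with no expiry"))
            continue
        remaining = (date.fromisoformat(expires_at) - today).days
        if remaining > max_lifetime_days:
            findings.append(
                (t["id"], t["name"], f"{level} token valid for {remaining} more days")
            )
    return findings


if __name__ == "__main__":
    for finding in audit_project_tokens(SAMPLE_TOKENS, date(2024, 3, 10)):
        print(finding)
```

In a real audit the token list would come from the API call named in the lead-in, and the `user_id` field identifies the bot user to correlate with the GL_HasToken edge.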