See this list of use cases for creating permission structures using global and project roles:
Grant Group Access to a Repository Within a Project
In this example, you want to grant group A read access to a repository within a project, but not to any other artifacts on the project. This is an advanced edge case that shows how to use project roles (on either the global or project level) in combination with platform permissions.
If group A does not need to be a member of the project, you can use platform permissions to grant read permissions on the repository. This way, group A’s access to the project resources is controlled only by the platform permissions. However, in this solution, the group is not a member of the project, so the repository will be visible and accessible to the group via the All Projects view and via REST API, but not through the project view.
If the group needs to be a project member, then it must have a role with at least one action granted; however, as the group should only be given access to the one repository, it cannot be granted read access to the whole project. As a workaround, you can define a new environment in the project (e.g., NIL) for which there will be no repository assigned. Add a project role (e.g., Observer), which grants the read artifacts permission. Since there are no repositories assigned to this environment, this role will grant no effective permissions. Then, use platform permissions to grant group A read permissions on the repository.