## Context Duo for GitLab team members' personal namespace has been proposed in https://gitlab.com/gitlab-com/people-group/total-rewards/-/issues/1860 and is supported by e-group members. ## Requirements 1. Ultimate subscription (1 seat) 2. Duo Enterprise add-on (1 seat) 3. Group owned by team member's personal account that subscription is applied to ## Possible options Note: As Duo Pro is an add-on just like Duo Enterprise, it would work the same way. | Option | Details | Status | | ------ | ------- | ------ | | Duo Enterprise self-serve | Currently no way to provision unpaid subscription. Fulfillment is working on providing internal team members with production subscriptions which we should be able to reuse. | Blocked by https://gitlab.com/groups/gitlab-org/-/epics/18815 (targeted for end of Q3) | | Duo Enterprise | Can be done through .com API, similar to provisioning Ultimate. Downsides are no expiry and less tracking, but that's true of Ultimate process too. | Possible through API and admin account | | Duo Enterprise Trial | Can be self-served, but limited to trial period (30 days) | Not a long term solution | | Duo Core | Premium + Ultimate customers get Duo Core as part of the plan. | Available when turned on | | Shared namespace with Duo Enterprise | Single group with a manually create subscription. However, IT would still need to manage seat provisioning. <br> Privacy/Security concerns: difficult to ensure true data isolation for team members, which is a major concern when it's for personal projects. | Not recommended | Automated creation of group is blocked by https://gitlab.com/gitlab-org/gitlab/-/issues/560840 . However, it's not necessarily a blocker to this issue if we have team members self-serve group creation. ## Recommended implementation plan 1. Provide a method (existing Google Form, Lumos, or something else) for team members to submit their personal account username. - Note: The existing Google Form only allows a single submission, so if reusing the form, one option would be to 2. Automation process: 1. Use an admin account to impersonate the user and create a group with a standard naming, such as `<username>_ultimate_group`. 2. While *not* impersonating the user, upgrade the group to Ultimate using https://docs.gitlab.com/development/internal_api/gitlab_subscriptions/#update-a-subscription (check the existing Ultimate automation to verify the endpoint) 3. Add 1 seat Duo Enterprise using https://docs.gitlab.com/development/internal_api/gitlab_subscriptions/#create-multiple-subscription-add-on-purchases-internal 4. See https://gitlab.com/gitlab-com/Product/-/issues/14203#note_2765057689 for more details/links 3. Ensure that deprovisioning of Ultimate/Duo for the group is in place as part of offboarding. 4. Optionally, have Fulfillment engineers review the script (for reference https://gitlab.com/groups/gitlab-org/-/epics/18023#note_2769932186 ). 5. Update handbook with process: https://handbook.gitlab.com/handbook/total-rewards/incentives/#gitlab-ultimate-with-duo-enterprise 6. Announce in Slack `#whats-happening-at-gitlab` and cross-post in other relevant places. Note: In the short-term, there may be other options as outlined in [https://gitlab.com/groups/gitlab-org/-/epics/18023#note_2769932186](https://gitlab.com/groups/gitlab-org/-/epics/18023#note_2772625665)