
Add GitLab Support Token Revocation Workflow

Ben King requested to merge benjaminking-revoke-workflow into master

Why is this change being made?

As encountered in a recent discussion and ticket (internal links only), there is currently no defined workflow in the Support Handbook for actioning a request to revoke a personal access token on a GitLab.com user's behalf. While we encourage self-service as much as possible, there may be situations where GitLab Support Engineers have to provide assistance to revoke a potentially compromised token as quickly as possible, including when a token does not have sufficient scope to self-revoke.

This MR adds a token revocation workflow that:

  • Provides an overview of when this workflow should be used
  • Informs team members to not use this workflow if GitLab team member tokens are potentially exposed
  • Instructs on how to guide GitLab.com users to attempt to self-revoke first, before we initiate further work to revoke on their behalf
  • Guides how to identify the matching token ID and name when only the token secret is known, and how a GitLab team member can revoke it or instruct the GitLab.com user to revoke.

Author Checklist

  • Provided a concise title for this Merge Request (MR)
  • Added a description to this MR explaining the reasons for the proposed change, per say why, not just what
    • Copy/paste the Slack conversation to document it for later, or upload screenshots. Verify that no confidential data is added.
  • Assign reviewers for this MR to the correct Directly Responsible Individual/s (DRI)
    • If the DRI for the page/s being updated isn’t immediately clear, then assign it to one of the people listed in the Maintained by section on the page being edited
    • If your manager does not have merge rights, please ask someone to merge it AFTER it has been approved by your manager in #mr-buddies
  • If the changes affect team members, or warrant an announcement in another way, please consider posting an update in #whats-happening-at-gitlab linking to this MR
    • If this is a change that directly impacts the majority of global team members, it should be a candidate for #company-fyi. Please work with internal communications and check the handbook for examples.
