Clarify the scope of Deploy Key user policies
Problem to solve
There is some confusion about which policies (roles) allow a user to update Deploy Key attributes (e.g. the title or the `can_push` attribute). There also seems to be no single source of truth (SSOT) section in the docs on this topic.
- `update_deploy_key`: to have this policy, a user must either be an admin or have access to the deploy key (even if they did not create it) via a project in which they are a maintainer (i.e. they can see the "Deploy Keys" section). With this policy, the deploy key's title can be updated, as well as whether the key has write access to the project.
- `update_deploy_keys_project`: for this policy to apply to a user for a given project, the deploy key must be a public (instance-wide) deploy key and the user must be a maintainer of that project. The policy allows the user to update whether the key has write access to the project.
When a user only has `update_deploy_keys_project`, they cannot update the title of the deploy key, but they can update whether the key can be used to push.
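To make the two rules above concrete, here is a small Ruby model of them that I added for illustration; it is not GitLab's own policy code, and the `User`/`DeployKey` structs, the method names and the sample data are all constructed. It makes one assumption the issue text does not state: for non-admins, `update_deploy_key` is restricted to non-public (project) keys, which is what makes the "only has `update_deploy_keys_project`" case for public keys reachable at all.

```ruby
# Constructed model of the two deploy-key policies as described in this issue.
# Illustrative code only, not GitLab's own policy classes.

User = Struct.new(:name, :admin, :maintained_projects)
# public: instance-wide deploy key; projects: projects the key is enabled on
DeployKey = Struct.new(:title, :public, :projects)

# update_deploy_key: admin, or maintainer of a project the key is enabled on.
# ASSUMPTION (not stated on the page): for non-admins this only applies to
# non-public keys, otherwise a maintainer would always get both policies for a
# public key and the "only update_deploy_keys_project" case could never occur.
def update_deploy_key?(user, key)
  return true if user.admin
  return false if key.public
  (user.maintained_projects & key.projects).any?
end

# update_deploy_keys_project: evaluated per project. The key must be public
# (instance-wide), enabled on that project, and the user a maintainer of it.
def update_deploy_keys_project?(user, key, project)
  key.public &&
    key.projects.include?(project) &&
    user.maintained_projects.include?(project)
end

# Which attributes of `key` may `user` change from `project`'s settings?
# title requires update_deploy_key; can_push requires either policy.
def allowed_updates(user, key, project)
  full = update_deploy_key?(user, key)
  per_project = update_deploy_keys_project?(user, key, project)
  { title: full, can_push: full || per_project }
end

# Constructed sample data
ADMIN       = User.new("admin", true, [])
MAINTAINER  = User.new("maint", false, ["proj-a"])
DEVELOPER   = User.new("dev", false, [])
PROJECT_KEY = DeployKey.new("ci-deploy", false, ["proj-a"])
PUBLIC_KEY  = DeployKey.new("shared-mirror", true, ["proj-a", "proj-b"])

[[ADMIN, PUBLIC_KEY, "proj-a"],
 [MAINTAINER, PROJECT_KEY, "proj-a"],
 [MAINTAINER, PUBLIC_KEY, "proj-a"],
 [MAINTAINER, PUBLIC_KEY, "proj-b"],
 [DEVELOPER, PROJECT_KEY, "proj-a"]].each do |user, key, project|
  puts "#{user.name} / #{key.title} / #{project}: #{allowed_updates(user, key, project)}"
end
```

The third case (a maintainer editing a public key from a project they maintain) is the one the issue describes: `can_push` is editable, the title is not. Whether that split is the intended design is exactly what needs to be decided and documented.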
In a nutshell, it is not clear what the responsibility of each of these policies is. We need someone to define these rules clearly: whether two policies are needed at all, and what the scope of each one is.
Once that is defined, the documentation needs to be updated accordingly.