Support managed group owners revoking PATs in the RevokeService
Problem to solve
The RevokeService is a centralised tool to handle the revoking of PATs. However, it currently only supports revoking your own tokens, or other users' tokens if you are an instance admin.
Intended users
Personas are described at https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/
User experience goal
N/A - This will lead to user experience goals but this issue is specifically about providing the tooling to do so.
Proposal
Update the RevokeService to allow managed group owners to revoke PATs created by users within their managed group. This will probably entail adding the :revoke_token ability to managed group owners in a limited capacity.
Further details
This is currently blocking the implementation of a revoke button within the credentials inventory on managed groups.
Permissions and Security
This will add a new permission to the managed group owners. Care should be taken to make sure that these owners are only able to control PATs within their managed group, and that we don't inadvertently leak this ability to other managed groups or all instance users.
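
A sketch of the scoping check described above, added here as an illustration and not GitLab's own code. The Struct records, the ScopedRevokeCheck class and the managing_group_id field are assumptions made for this example; the point is that the check compares the token owner's managing group with the group the acting user owns, and that an unmanaged user never matches.

```ruby
# Stand-in records (constructed for this example, not GitLab's models).
Group = Struct.new(:id, :owner_ids)
User  = Struct.new(:id, :admin, :managing_group_id)
Token = Struct.new(:user, :revoked)

# Hypothetical check: who may revoke a given personal access token.
class ScopedRevokeCheck
  def initialize(current_user, token, group: nil)
    @current_user = current_user
    @token = token
    @group = group # the managed group the request is scoped to, if any
  end

  def execute
    return :forbidden unless allowed?
    @token.revoked = true
    :revoked
  end

  private

  def allowed?
    # Existing behaviour described on the page: own tokens, or instance admin.
    return true if @current_user.admin || @token.user.id == @current_user.id
    managed_group_owner?
  end

  def managed_group_owner?
    return false if @group.nil?
    return false unless @group.owner_ids.include?(@current_user.id)
    # Compare against the token owner's managing group, never plain membership;
    # an unmanaged user (nil) must not match anything.
    managed_by = @token.user.managing_group_id
    !managed_by.nil? && managed_by == @group.id
  end
end

# Constructed sample data: two managed groups, one owner each.
def sample_outcomes
  group_a = Group.new(1, [10])
  group_b = Group.new(2, [20])
  owner_a = User.new(10, false, nil)
  token_for = ->(uid, gid) { Token.new(User.new(uid, false, gid), false) }
  {
    same_group:  ScopedRevokeCheck.new(owner_a, token_for.(11, 1), group: group_a).execute,
    other_group: ScopedRevokeCheck.new(owner_a, token_for.(21, 2), group: group_a).execute,
    wrong_scope: ScopedRevokeCheck.new(owner_a, token_for.(21, 2), group: group_b).execute,
    unmanaged:   ScopedRevokeCheck.new(owner_a, token_for.(30, nil), group: group_a).execute,
    no_group:    ScopedRevokeCheck.new(owner_a, token_for.(11, 1)).execute
  }
end
```

The cross-group, unmanaged-user and missing-scope cases are the ones worth keeping as regression tests, since each is a path by which the new ability could reach tokens outside the owner's managed group.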