Provide a configuration to disable `personal_access_token` generation over ssh

Release notes

Problem to solve

GitLab users can create new personal access tokens using ssh. For some security conscious organizations, it may not be acceptable to provision new credentials using a fixed token such as an ssh key. This feature should be disable by administrators and group owners.

https://docs.gitlab.com/ee/development/internal_api.html#get-new-personal-access-token

Intended users

• Sidney (Systems Administrator)
• Sam (Security Analyst)

User experience goal

The instance administrators should be able to disable this feature in the admin area.

For group using group managed accounts, they should be able to disable this for users in their group.

Proposal

An instance wide configuration should be added that allows an instance administrator to disable this feature.

For instances like GitLab.com, this features should available to owners of groups using SAML/group managed accounts.

Further details

Permissions and Security

Instance admins and group owners.

Documentation

This feature appears to not be documented, so documentation will need to be added for the the feature and the configuration available to administrators.

Availability & Testing

What does success look like, and how can we measure that?

What is the type of buyer?

Is this a cross-stage feature?

Links / references

added typefeature + 1 deleted label

cc @mattgonzales @jburrows001 for any additional compliance related thoughts.

@asaba Thanks for the tag! I'm not personally aware of customer demand for this (haven't yet had discussions around this), but I can appreciate how automating credential creation could be problematic.

I think you've covered the primary concern in this issue as I would see it.

@mushakov It looks like the bot auto-labeled for ~"group::access", but do you have any thoughts on this? Does it resonate with other feedback you've received?

changed title from Provide a configuration to disable ** to **Provide a configuration to disable personal_access_token` generation over ssh

Setting label(s) devopsmanage ~"group::access" sectiondev based on ~"Category:Authentication and Authorization" ~"group::access".

added devopsmanage groupauthentication and authorization [DEPRECATED] sectiondev labels

mentioned in issue gitlab-org/quality/triage-reports#662 (closed)

mentioned in issue gitlab-org/quality/triage-reports#670 (closed)

mentioned in issue gitlab-org/quality/triage-reports#703 (closed)

mentioned in issue gitlab-org/quality/triage-reports#791 (closed)

mentioned in issue gitlab-org/quality/triage-reports#875 (closed)

mentioned in issue gitlab-org/quality/triage-reports#974 (closed)

mentioned in issue gitlab-org/quality/triage-reports#1051 (closed)

mentioned in issue gitlab-org/quality/triage-reports#1105 (closed)

added Category:System Access label

added devopsgovern sectionsec labels and removed devopsmanage sectiondev labels

added groupauthentication label and removed groupauthentication and authorization [DEPRECATED] label

marked this issue as related to #369504 (closed)

added to epic &10115

You can now disable PAT creation entirely on gitlab.com or on self-managed but we do not get as explicit with the control as to state which methods of generation are allowed or not

changed milestone to %Backlog