Make it possible to disable Personal Access Tokens (PATs) on a SaaS namespace level
Problem
Personal Access Tokens (PATs) bypass 2FA/MFA settings. We should provide an option to disable the use of such tokens to enable security-conscious administrators to prohibit this bypass.
Access tokens are not required to provide a second factor for authentication because they are API-based. Tokens generated before 2FA is enforced remain valid.
See https://gitlab.com/gitlab-org/gitlab/-/issues/368927#note_1046819362 (confidential issue) for discussion of how this relates to federal compliance requirements.
Proposal
Provide a file-, UI-, or feature flag-based option to disable creation of Personal Access Tokens for 'enterprise users' (users with enterprise_group_id).
Keep service accounts available even when PATs are disabled.
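As an added illustration (not GitLab's code, and not part of this issue), the policy below models the proposal: PAT creation is denied for enterprise users whose group has opted out, service accounts stay exempt, and, going one step beyond the proposal because the problem statement notes that pre-existing tokens remain valid, the same rule is applied when an existing token is presented. The PatPolicy class, the in-memory set of opted-out group ids and the service_account flag are assumptions, not GitLab settings or APIs.

```ruby
require 'set'

# Stand-in for a user record: enterprise_group_id is nil for users that are
# not enterprise users; service accounts carry a separate flag (assumed field).
User = Struct.new(:username, :enterprise_group_id, :service_account, keyword_init: true)

# Assumed per-namespace setting: the set of enterprise group ids that disabled PATs.
class PatPolicy
  def initialize(disabled_group_ids)
    @disabled = Set.new(disabled_group_ids)
  end

  # True when the namespace-level opt-out applies to this user.
  # Service accounts are exempt, as the proposal requires.
  def covered?(user)
    return false if user.service_account
    return false if user.enterprise_group_id.nil?
    @disabled.include?(user.enterprise_group_id)
  end

  # Creation-time check: returns [allowed, reason].
  def pat_creation_allowed?(user)
    return [true, 'service account: exempt'] if user.service_account
    return [true, 'not an enterprise user'] if user.enterprise_group_id.nil?
    return [false, "PATs disabled for enterprise group #{user.enterprise_group_id}"] if covered?(user)
    [true, 'enterprise group allows PATs']
  end

  # Use-time check for tokens minted before the setting was enabled:
  # a token is only honoured if its owner is not covered by the opt-out.
  def existing_token_usable?(owner)
    !covered?(owner)
  end
end

if __FILE__ == $PROGRAM_NAME
  policy = PatPolicy.new([42]) # constructed sample: group 42 disabled PATs
  [
    User.new(username: 'alice',  enterprise_group_id: 42,  service_account: false),
    User.new(username: 'ci-bot', enterprise_group_id: 42,  service_account: true),
    User.new(username: 'bob',    enterprise_group_id: nil, service_account: false)
  ].each do |u|
    allowed, reason = policy.pat_creation_allowed?(u)
    puts "#{u.username}: create=#{allowed} use_existing=#{policy.existing_token_usable?(u)} (#{reason})"
  end
end
```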
Edited by Bogdan Denkovych