Create service account user type and associated scopes/policies
This issue encompasses many of the backend changes necessary for the Service Accounts MVC: the `service_account` user type and the update/creation of its associated scopes. This issue will also entail policy updates for the `:log_in` permission. Ensure these users don't take a billable seat at the instance level.
High-level thoughts on code changes needed:
- Define a new `service_account` user type.
- We will also need to define new scopes and update existing scopes to ensure this new user type isn't included where not desired.
- Update global policy to indicate whether
- Do we want these accounts to be able to sign in? I don't think so, but if yes, we probably have other things we need to validate. What implications does allowing these users to sign in have?
- The question of sign-in also has implications for how tokens are then created for these service accounts. Either we need to allow creating the tokens similar to how we manage project/group access tokens now (no need to sign in as the user to do so), or we allow someone to sign in to the account and create/manage tokens.
- To delineate between instance-level service accounts and group accounts, we can probably re-use the `provisioned_by_group` attribute. This would mean an instance-level service account would have an unset `provisioned_by_group`, while one created by a group would have that value populated.
- I believe we will only allow service accounts to be created and tied to top-level groups, and not subgroups? The accounts can still be granted specific privileges at subgroup/project level but cannot be created there, presumably.
- Ensure the user doesn't take a billable seat.
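To make the delineation and policy rules above concrete, here is an added Ruby sketch (not GitLab's code; `ServiceUser`, `ServiceAccountPolicy` and the sample users are hypothetical) that models a `service_account` user type, treats an unset `provisioned_by_group` as instance-level, assumes the "no sign-in" answer to the question above, and keeps service accounts out of billable seat counts and out of a human-only scope.

```ruby
# Illustrative model of the rules in this issue (hypothetical, not GitLab's code).
# A user record carries a user_type and an optional provisioned_by_group;
# a service account is instance-level when provisioned_by_group is nil.
ServiceUser = Struct.new(:username, :user_type, :provisioned_by_group, keyword_init: true) do
  def service_account?
    user_type == :service_account
  end

  # Instance-level service accounts have no provisioning group.
  def instance_level_service_account?
    service_account? && provisioned_by_group.nil?
  end

  # Group-level service accounts carry the top-level group that created them.
  def group_level_service_account?
    service_account? && !provisioned_by_group.nil?
  end
end

# Policy-style checks: service accounts cannot sign in and never occupy a billable seat.
module ServiceAccountPolicy
  module_function

  # Maps to the :log_in permission discussed above (assumed denied for service accounts).
  def can_log_in?(user)
    !user.service_account?
  end

  def billable?(user)
    !user.service_account?
  end

  # Scope helper: exclude service accounts from a collection (e.g. a "humans only" scope).
  def excluding_service_accounts(users)
    users.reject(&:service_account?)
  end

  # Seats consumed by a collection of users, for instance-level reporting.
  def billable_seats(users)
    users.count { |u| billable?(u) }
  end
end

# Constructed sample users: one human, one instance-level bot, one group-level bot.
SAMPLE_USERS = [
  ServiceUser.new(username: "alice", user_type: :human, provisioned_by_group: nil),
  ServiceUser.new(username: "ci-bot", user_type: :service_account, provisioned_by_group: nil),
  ServiceUser.new(username: "deploy-bot", user_type: :service_account, provisioned_by_group: "top-level-group"),
].freeze
```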