Add an allow list to Runner Registration restriction


Release notes

Runner Registration restriction has been enhanced to permit an "allow list" of users that can continue to register Runners using the UI or API, while all other users remain restricted. This is designed to be useful for non-Administrator Service Accounts which perform group or project actions such as registering Runners.

Problem to solve

A Mid-Market Self-Managed Customer recently reported to Support (links are internal only) some difficulties with using Service Accounts to securely perform operations such as registering Runners via the API. They found that they had enabled runner registration restriction on their instance, which prevents using the Create Runner API.

Proposal

In its current form, the feature takes an 'all-or-nothing' approach to restricting runner registration. In some situations, non-administrator accounts should be used to limit scope, and this is where Service Accounts can be useful. If possible, we should consider adding an "allow list" of user accounts which are exempt from the restrictive block.

Intended users
