Restrict instance runner access enablement to top-level group owner only
Proposal
Provide option to restrict enablement of instance runners to top-level group owners only.
The current model for enabling access to instance runners allows any owner of a subgroup to enable instance runners for their group/subgroups/projects if the hierarchy permits. This may not be sufficiently restrictive in some scenarios and established enterprise structures.
Take the enterprise customer scenario below:
- Enterprise (Group Level): manages top-level settings and security, having precedence over subgroup settings.
- Subgroup (Product/Team Level): Teams like Marketing Tech, with their "owner" roles, are subordinate to the enterprise's overarching governance.
Despite the logical hierarchy where enterprise settings should dictate the accessibility of instance runners across the platform, the ability for subgroup "owners" to override these settings poses a significant challenge for us. Our main concern revolves around the efficient and exclusive allocation of SaaS runner resources to a specific team, without the risk of unauthorized access and potential overage charges.
We propose a feature request to enhance permission granularity, enabling us to designate instance runner access to a chosen subgroup without granting such capabilities universally to all subgroup "owners." This targeted permission strategy is crucial for us, given our reliance on both self-hosted and SaaS runners, and the unique advantages the latter provides for specific operational needs.
To summarize, we seek a feature that allows enterprise-level administrators to:
- Allocate instance runner usage exclusively to selected subgroups, bypassing the current all-or-nothing override capability.
- Maintain strict control over resource distribution to prevent inadvertent overage, while still leveraging the unique features of SaaS runners for chosen projects.
