Create MVC for fine grained access controls of tokens

changed milestone to %17.0

added teamProduct Security Engineering workflowin dev labels

set weight to 3

mentioned in issue #368904

@fvpotvin, Please add a group or category label to identify issue ownership.

You can refer to the Features by Group handbook page for guidance.

If you are unsure about the correct group, please do not leave the issue without a group label, and refer to GitLab's shared responsibility functionality guidelines for more information on how to triage this kind of issue.

This message was generated automatically. You're welcome to improve it.

This issue was automatically tagged with the label groupcompliance by TanukiStan, a machine learning classification model, with a probability of 0.32.

If this label is incorrect, please tag this issue with the correct group label as well as automation:ml wrong to help TanukiStan learn from its mistakes.

If you are unsure about the correct group, please do not leave the issue without a group label. Please refer to GitLab's shared responsibility functionality guidelines for more information on how to triage this kind of issues.

Authors who do not have permission to update labels can use the @gitlab-bot label ~"group::<correct group name>" command, or leave the issue to be triaged by group leaders initially assigned by TanukiStan.

This message was generated automatically. You're welcome to improve it.

added automation:ml groupcompliance labels

added devopsgovern sectionsec labels

mentioned in issue gitlab-org/quality/triage-reports#17349 (closed)

Current state of the MR:

It is behind a feature flag.

I do think the UX part will need to be revisited, as I'm not sure a big text box is the best solution. I'll look at adding at least a tooltip for this MVC.

I have no idea how to properly design this though, and what a good way for GitLab specifically could look like. Maybe at least splitting the text box in two, one for the HTTP verb and one for the path. And maybe we could have some sort of "+" button for each line of regex, and make this an array?

I know we touched on maybe having someone from UX help us chime in at some point maybe @ankelly, is this something feasible? Should I just let it be as is for this MVC and we iterate on it in future milestones?

Thanks @fvpotvin for the update and for all the work you're putting in here!

I have no idea how to properly design this though, and what a good way for GitLab specifically could look like. Maybe at least splitting the text box in two, one for the HTTP verb and one for the path. And maybe we could have some sort of "+" button for each line of regex, and make this an array?

These are great ideas! When we get a chance, we'll ask a UX person to dig into this and come up with a great user experience. It's possible in the near future that we can get some UX team members to spend some cycles thinking through the best way to approach it, but I don't have an exact timeline on that yet. I wouldn't want us to hold up the MR or disrupt other UX work by asking them to look at it now.

Should I just let it be as is for this MVC and we iterate on it in future milestones?

Yes, I think so. I know that it can be tough to feel "done" when we know there's still UX work needed. Given that this is behind a feature flag, I'd advocate that we go ahead and try to get it merged in as an MVC and get it iterated on in the future.

@fvpotvin one thing we should consider -- is there anything we can add (either as part of the MVC MR, or immediately after as a follow-up) to make it clear how to use this functionality? I don't know if it would be appropriate to add it to the documentation (with a or something to indicate its behind a feature flag and very much WIP) or if we should just have an internally recorded video or something. Totally okay to make that a followup issue and separate it from the MR, since that's expanded scope from what we originally came up with for this issue.