Setting to allow sub-group owners to create Service Accounts on Self-Managed


Background

In #468806 (closed) we are introducing the capability to create service accounts at top-level groups. However, the service accounts capability initially launched with an undocumented capability of creating service accounts at all other group levels.

Customer Use Case

  • Why interested: Customer is a software factory and everything in their instance sits under a single top-level group, with only the platform team allowed access to this group
  • Problem they are trying to solve: Each sub-group is a different company and has its own respective owners/C-suite level executives, tech teams, etc. We have essentially removed any ability to scope service accounts to their own individual companies, and they have to engage the platform team every time they need a service account created, which is unsustainable
  • Current solution for this problem: N/A
  • Impact to the customer of not having this: Owners of their own companies would not be able to direct their own SREs/Dev Leads to facilitate service accounts and would now need to rely heavily on the small platform team. We are talking about a ratio of 50+ companies (each potentially having a few hundred users) to 1 platform team

Proposal

Create an admin-only setting that would allow Group Owners to create service accounts. This would be disabled by default. The setting only shows up on a self-managed installation, where it can then be checked.

Edited by 🤖 GitLab Bot 🤖