Permission: Disable 2FA to reset for user


Proposal

Add "Disable 2FA to reset for user" as a new granular permission option in GitLab's Custom Admin Role system. This will allow administrators to grant specific users or roles the ability to disable two-factor authentication for other users without requiring full admin privileges.

Currently, disabling 2FA for users is typically tied to full admin privileges, but having it as a separate granular permission would enable:

  • Delegating 2FA reset capabilities to support teams without granting full admin access
  • Better audit tracking of which roles/users can disable 2FA for others
  • More flexible user management workflows for large organizations
  • Improved security compliance by limiting who can perform sensitive 2FA operations

Technical Details:

  • Add new permission flag disable_2fa_for_users to the Custom Admin Role permissions schema
  • Update admin user management UI to include this new permission option
  • Modify 2FA disable endpoints to check for this specific permission
  • Add appropriate audit logging for this permission usage
  • Ensure proper authorization checks across all 2FA disable touchpoints
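As an added illustration, not GitLab's own code, of the last three items above: one service through which every 2FA-disable touchpoint passes, which checks the disable_2fa_for_users flag (full admins still pass), refuses otherwise, and writes an audit entry for every attempt, including denied ones. The class names, the allowed_to? helper and the audit record shape are assumptions made for this sketch.

```ruby
require 'time'

# One audit entry per attempt, allowed or denied, so reviewers can see who
# exercised (or tried to exercise) the granular permission and on whom.
AuditEvent = Struct.new(:actor, :target, :action, :allowed, :at)

class AuditLog
  attr_reader :events
  def initialize
    @events = []
  end
  def record(actor:, target:, action:, allowed:)
    @events << AuditEvent.new(actor, target, action, allowed, Time.now.utc.iso8601)
  end
end

# Minimal user model: either a full admin or a holder of granular custom
# admin role permissions, e.g. :disable_2fa_for_users (flag name from the proposal).
class User
  attr_reader :name, :permissions
  attr_accessor :two_factor_enabled
  def initialize(name, admin: false, permissions: [], two_factor_enabled: true)
    @name, @admin, @permissions = name, admin, permissions
    @two_factor_enabled = two_factor_enabled
  end
  def admin?
    @admin
  end
  # Full admins keep every right; everyone else needs the specific flag,
  # so holding some other admin permission is not enough.
  def allowed_to?(permission)
    admin? || permissions.include?(permission)
  end
end

class TwoFactorDisableService
  PERMISSION = :disable_2fa_for_users
  def initialize(audit_log)
    @audit_log = audit_log
  end
  # Returns :ok or :forbidden. Putting the check here, not in each controller,
  # is what keeps all disable touchpoints enforcing the same rule.
  def execute(actor:, target:)
    allowed = actor.allowed_to?(PERMISSION)
    @audit_log.record(actor: actor.name, target: target.name,
                      action: 'disable_2fa', allowed: allowed)
    return :forbidden unless allowed
    target.two_factor_enabled = false
    :ok
  end
end
```

Logging before the early return is deliberate: a denied attempt is exactly the event an audit reviewer wants to see.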

Success Metrics:

  • Successful implementation of the permission flag in Custom Admin Role system
  • Ability to assign/revoke this permission independently from other admin permissions
  • Proper enforcement of the permission across all 2FA disable functionality
  • Audit logs correctly tracking usage of this permission
  • Integration with existing Custom Admin Role UI and API

Related Epic: This issue is part of the Custom Admin Role - Beta epic (#15956 (closed)) which aims to provide granular admin permissions for better organizational control and compliance.

Prerequisites:

  • Custom Admin Role - Beta feature must be available
  • User must be on GitLab Ultimate plan
  • Feature flag for Custom Admin Role must be enabled

Description was generated based on Custom Admin Role - Beta epic requirements

Edited by 🤖 GitLab Bot 🤖