
Discussion: Clarify enforcement of granular PAT for the top level group

Background

In the last discussion, there were open questions about how enforcement of granular PATs would operate for top-level groups.

Concern

If you enforce fine-grained PATs for a top-level group, you immediately block access for existing legacy PATs. In reality, you need to ensure that all users in your organization working with any of those groups and projects have switched to the new model and updated the token value. This transition could be very disruptive, as you have to update every token used in your automation and integrations.

Other proposals

To increase likelihood of adoption and provide a smooth transition, alternatives have been proposed:

  1. Enforce granular PATs after a date
  2. Enforce only granular PATs using Enterprise Users
  3. Enforce fine-grained tokens for tokens created after [DATE] (grandfather old tokens in until they expire)
  4. ???

Considerations

  • Instance-level or top-level group configuration. A user can be a member of many top-level groups.
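To make the trade-offs between the proposals concrete, here is an added example (not code from this issue or from the product) that models the enforcement decision as a small policy evaluator. The token model, the `Enforcement` setting with its `:immediate`, `:after_date` and `:grandfather` modes, and all group names and dates are assumptions constructed for the example; they map to the current behaviour described under Concern, proposal 1 and proposal 3 respectively. Evaluating one token across several groups illustrates the multi-group consideration: the same legacy token can be accepted by one top-level group and rejected by another.

```ruby
require 'date'

# Constructed token model (assumption, not the product's data model). Legacy tokens are
# not bound to a group; granular tokens carry the set of top-level groups they may access.
Token = Struct.new(:id, :kind, :created_on, :groups, :expires_on, keyword_init: true)

# Hypothetical per-top-level-group enforcement setting.
#   :immediate   - current behaviour: legacy tokens are blocked as soon as enforcement is on
#   :after_date  - proposal 1: legacy tokens keep working until the cutoff date
#   :grandfather - proposal 3: legacy tokens created before the cutoff run until they expire
Enforcement = Struct.new(:mode, :cutoff, keyword_init: true)

# Decide whether a token may be used against a given top-level group on a given day.
# Returns [allowed, reason] so the caller can log why a request was denied.
def token_allowed?(token, group, enforcement_by_group, today: Date.today)
  return [false, 'token expired'] if token.expires_on && today > token.expires_on

  if token.kind == :granular
    return [true, "granular token scoped to #{group}"] if token.groups.include?(group)

    return [false, "granular token not scoped to #{group}"]
  end

  policy = enforcement_by_group[group]
  return [true, "no enforcement on #{group}"] if policy.nil? || policy.mode == :off

  case policy.mode
  when :immediate
    [false, "legacy tokens blocked on #{group}"]
  when :after_date
    if today < policy.cutoff
      [true, "legacy token allowed until #{policy.cutoff}"]
    else
      [false, "enforcement date #{policy.cutoff} has passed"]
    end
  when :grandfather
    if token.created_on < policy.cutoff
      [true, "grandfathered (created #{token.created_on})"]
    else
      [false, "legacy token created on or after #{policy.cutoff}"]
    end
  else
    [false, "unknown enforcement mode #{policy.mode}"]
  end
end

# Evaluate one token against every top-level group the user belongs to.
# Returns { group => [allowed, reason] }.
def evaluate_across_groups(token, user_groups, enforcement_by_group, today: Date.today)
  user_groups.to_h { |g| [g, token_allowed?(token, g, enforcement_by_group, today: today)] }
end

# Constructed sample configuration: three top-level groups, each on a different policy.
ENFORCEMENT = {
  'acme'    => Enforcement.new(mode: :grandfather, cutoff: Date.new(2024, 6, 1)),
  'globex'  => Enforcement.new(mode: :immediate),
  'initech' => Enforcement.new(mode: :after_date, cutoff: Date.new(2024, 9, 1))
}.freeze

# Constructed sample tokens.
OLD_LEGACY = Token.new(id: 1, kind: :legacy, created_on: Date.new(2024, 1, 15),
                       groups: [], expires_on: Date.new(2025, 1, 15))
NEW_LEGACY = Token.new(id: 2, kind: :legacy, created_on: Date.new(2024, 7, 1),
                       groups: [], expires_on: Date.new(2025, 7, 1))
GRANULAR   = Token.new(id: 3, kind: :granular, created_on: Date.new(2024, 7, 1),
                       groups: ['acme'], expires_on: nil)

if __FILE__ == $PROGRAM_NAME
  today = Date.new(2024, 8, 1)
  [OLD_LEGACY, NEW_LEGACY, GRANULAR].each do |t|
    evaluate_across_groups(t, ENFORCEMENT.keys, ENFORCEMENT, today: today).each do |group, (ok, why)|
      puts "token #{t.id} (#{t.kind}) on #{group}: #{ok ? 'ALLOW' : 'DENY'} - #{why}"
    end
  end
end
```

Running it shows the disruption the Concern describes: the same legacy token created in January is accepted by `acme` (grandfathered) and `initech` (before the cutoff) but rejected outright by `globex`, so a user in all three groups still has to rotate that token even though only one group switched to immediate enforcement. The reason string is what a defender would want surfaced in the audit log when tokens start failing during the transition.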

Next steps

  • Once a solution is defined that meets internal and customer expectations, merge the decision into the design document.
Edited by Joe Randazzo