[BE] Support standalone and/or wildcard boundaries
Depending on the outcome of user testing, we want to support standalone and/or wildcard boundaries.
For example a granular scope with permission inheritance to all subgroups and projects might look like this:
- boundary: my-group/*
- permissions: [:create_issue, :create_epic]
And a granular scope with permissions applying to a standalone group (no inheritance) might look like this:
- boundary: my-group
- permissions: [:create_issue, :create_epic]
Then there is the question of which model we should implement for permission 'merging': most specific wins (MSW), or deny-by-default with a union of permissions from all applicable scopes.
The Authz::GranularScope model should be adjusted to make these boundary types possible, and the permitted_for_boundary? method should respect (non-)inheritance. The current implementation only supports non-inheritance.
An example of a simple inheritance (MSW model) implementation, as a class method on the scope model:

```ruby
# Return the scope record attached to the nearest namespace in the ancestor
# chain (the namespace itself first, then its parents), i.e. most specific wins.
def self.nearest_namespace(namespace)
  # self_and_ancestor_ids is ordered from the namespace up to the root.
  namespace_ids = namespace.self_and_ancestor_ids

  # array_position sorts matches by their position in that list, so the
  # first row is the closest ancestor that has a scope defined.
  where(namespace_id: namespace_ids).order(
    Arel.sql("array_position(ARRAY#{namespace_ids}::bigint[], token_permissions.namespace_id)")
  ).first
end
```
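To make the two boundary types and the two merging models concrete, here is an added, in-memory example (not GitLab's code; the `GranularScope` struct, `applies_to?`, `permitted_msw?` and `permitted_union?` names are assumed) that evaluates a permission against a set of scopes under both MSW and deny-by-default union:

```ruby
# Added example: in-memory model of granular scopes with wildcard
# ("my-group/*", inherited by subgroups/projects) and standalone
# ("my-group", no inheritance) boundaries. Names are assumed, not GitLab's.
GranularScope = Struct.new(:boundary, :permissions) do
  # Wildcard boundaries end in "/*" and cover the group and all descendants.
  def wildcard?
    boundary.end_with?("/*")
  end

  # The namespace full path the boundary is rooted at.
  def root
    wildcard? ? boundary.delete_suffix("/*") : boundary
  end

  # Does this scope apply to the given namespace/project full path?
  def applies_to?(path)
    return path == root unless wildcard?

    path == root || path.start_with?("#{root}/")
  end

  # Deeper root wins; at equal depth a standalone boundary beats a wildcard.
  def specificity
    [root.count("/"), wildcard? ? 0 : 1]
  end
end

# Most specific wins (MSW): only the most specific applicable scope counts,
# so a narrower standalone scope can remove permissions granted by a wildcard.
def permitted_msw?(scopes, path, permission)
  winner = scopes.select { |s| s.applies_to?(path) }.max_by(&:specificity)
  !winner.nil? && winner.permissions.include?(permission)
end

# Deny-by-default with union: allowed if any applicable scope grants it.
def permitted_union?(scopes, path, permission)
  scopes.any? { |s| s.applies_to?(path) && s.permissions.include?(permission) }
end

# Constructed sample scopes: wildcard on the group, standalone on one subgroup.
SCOPES = [
  GranularScope.new("my-group/*", %i[create_issue create_epic]),
  GranularScope.new("my-group/sub", %i[create_issue])
].freeze
```

With these scopes, `:create_epic` on `my-group/sub` is denied under MSW (the standalone scope wins) but allowed under union, while `my-group/sub/project` gets `:create_epic` under both because the standalone scope does not inherit.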