[UX] Problem Validation: Simplify creating a token with permission templates (or other solution)
Background
Fine-grained Personal Access Tokens (PATs) provide users with granular control over permissions and resource-specific scopes. However, user research from #554883 (closed) revealed that while security personas value this precision, general developers (46% of participants) prioritize workflow efficiency and risk abandoning complex tools.
Key research findings:
- Users struggled with navigating 300+ permission options
- Templates, AI guidance, and search functionality were identified as essential for bridging the complexity gap
- Users want to learn within the application rather than referencing external documentation
- Developer experience success metric: 85% satisfaction score in post-launch feedback
Problem to solve
The current fine-grained PAT creation flow requires users to manually select from 300+ permissions across multiple resource categories. This creates friction for developers who are new to GitLab or unfamiliar with GitLab's permission model and want to quickly create tokens for common workflows (CI/CD, repository access, issue management). These developers need guidance on which permissions their specific use case actually requires, as a safety net against over-permissioned tokens.
Personas:
- Developers working on personal or team projects, need tokens for common workflows, prioritize speed and simplicity
- DevOps/Platform Engineers who manage pipelines and automation, may benefit from templates but also need customization
- Security-conscious users may want templates as a starting point but will customize further; they might also want to set organization-enforced templates
How might we make it easy for users to select appropriate permissions without friction, while still maintaining the principle of least privilege?
Open questions:
- How do templates interact with group/project scope selection?
- Should admins be able to create custom templates for their organizations? (future)
- How do we handle template versioning as GitLab permissions evolve?
Design proposal
Explore and validate solutions that reduce complexity while guiding users toward least-privilege token creation:
Option 1: Pre-configured permission templates
- Provide curated templates based on common use cases (e.g., "CI/CD Pipeline", "Repository Contributor", "Issue Tracker", "Read-only Access")
- Each template includes:
  - Clear description of what the template enables
  - Pre-selected permissions aligned to the use case
  - Ability to customize after selecting the template
  - Visual indication of the permissions granted
Option 2: AI/Duo-suggested permissions
- Analyze user's description or intended use case
- Suggest appropriate permissions based on:
  - User's activity patterns in selected namespaces
  - Common permission combinations for similar use cases
  - Principle of least privilege recommendations
Considerations for either or both options:
- Combine templates with customization options
- Allow users to start from template or build from scratch
- Provide search and filtering for advanced users
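The following is an added illustration, not code from GitLab or from this issue, of how a template can act as a least-privilege baseline that still allows customization: a template is a set of permissions, a user's edited selection is diffed against it, and any write-capable permission added beyond the template is surfaced as an over-permissioning signal. It also shows the "suggest the smallest template that covers what you need" idea from Option 2. The permission names, the read/write classification and the template contents are all constructed placeholders; GitLab's real fine-grained permission identifiers are not listed in the issue.

```python
"""Permission templates as a least-privilege baseline (added example)."""
from dataclasses import dataclass
from typing import Optional

# Constructed catalogue: permission name -> "read" or "write".
# Placeholder names only; real fine-grained PAT permissions are not in scope here.
CATALOGUE = {
    "read_repository": "read",
    "write_repository": "write",
    "read_pipelines": "read",
    "run_pipelines": "write",
    "read_issues": "read",
    "write_issues": "write",
    "read_members": "read",
    "manage_members": "write",
}

# Constructed templates, keyed by the use-case names from the proposal.
TEMPLATES = {
    "Read-only Access": {"read_repository", "read_pipelines", "read_issues"},
    "Repository Contributor": {"read_repository", "write_repository"},
    "CI/CD Pipeline": {"read_repository", "read_pipelines", "run_pipelines"},
    "Issue Tracker": {"read_issues", "write_issues"},
}


@dataclass(frozen=True)
class Review:
    """Result of comparing a customized selection against its template."""
    template: str
    added: frozenset          # permissions granted beyond the template
    removed: frozenset        # template permissions the user dropped
    added_write: frozenset    # the subset of `added` that can modify data

    @property
    def over_permissioned(self) -> bool:
        # Dropping permissions is always fine; adding write access is the
        # signal worth showing the user before the token is created.
        return bool(self.added_write)

    def summary(self) -> str:
        """Short text a UI could display next to the selection."""
        lines = [f"Template: {self.template}"]
        if self.removed:
            lines.append("Removed: " + ", ".join(sorted(self.removed)))
        if self.added:
            lines.append("Added: " + ", ".join(sorted(self.added)))
        if self.over_permissioned:
            lines.append("Warning: write access added beyond the template: "
                         + ", ".join(sorted(self.added_write)))
        return "\n".join(lines)


def review_selection(template: str, selected: set) -> Review:
    """Diff a user's final selection against the template they started from."""
    base = TEMPLATES[template]
    unknown = set(selected) - set(CATALOGUE)
    if unknown:
        raise ValueError(f"unknown permissions: {sorted(unknown)}")
    added = frozenset(selected - base)
    removed = frozenset(base - selected)
    added_write = frozenset(p for p in added if CATALOGUE[p] == "write")
    return Review(template, added, removed, added_write)


def suggest_template(needed: set) -> Optional[str]:
    """Pick the template covering every needed permission with the fewest
    extras, preferring fewer extra *write* permissions on a tie."""
    candidates = []
    for name, perms in TEMPLATES.items():
        if needed <= perms:
            extra = perms - needed
            extra_write = sum(1 for p in extra if CATALOGUE[p] == "write")
            candidates.append((len(extra), extra_write, name))
    if not candidates:
        return None  # no template fits; the user builds from scratch
    return min(candidates)[2]


if __name__ == "__main__":
    chosen = {"read_repository", "read_pipelines", "read_issues", "write_issues"}
    print(review_selection("Read-only Access", chosen).summary())
    print(suggest_template({"read_repository", "read_pipelines"}))
```

`review_selection` is deliberately asymmetric: permissions removed from a template never raise a warning, while write-capable permissions added beyond it do, because that is the direction in which a quick "just tick one more box" customization erodes least privilege. `suggest_template` returns `None` rather than a loose superset when nothing covers the request, so the flow falls back to building from scratch instead of handing out a larger template.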
Research validation
Approach: Unmoderated usability testing and internal testing (1-2 participants).
- Which approach (templates, AI suggestions) provides the best balance of speed and confidence for developers?
- What are the most common use cases that should be covered by templates?
- How do users expect to customize templates without losing the benefit of guidance?
- Does providing templates reduce the risk of over-permissioning tokens?
Steps
- Recommended solution approach with rationale
- High-fidelity designs for selected approach
- Research summary with validated solution
- 🎉 Handoff for engineering
Related work
- Parent issue: #554883 (closed) (Fine-grained PATs UX)
- Research findings: https://gitlab.com/gitlab-org/ux-research/-/issues/3590
- Success metrics defined in epic: &18177