Allow Service Accounts in .com Trials

Duplicate of https://gitlab.com/gitlab-org/gitlab/-/issues/573402+

Proposal

Service Accounts are the chosen medium through which the Duo Agent Platform's agents are enabled. Therefore, we must enable them so that self-service trials can be leveraged.

Based on my analysis of the code that prevents Service Accounts from being used in GitLab.com trials, here's what I would include in a Merge Request description to remove this restriction:

Summary

Remove the trial restriction for Service Accounts on GitLab.com to allow users to create and manage service accounts during trial periods.

What should the corresponding MR do?

  • Removes the feature_available_non_trial? check for service accounts in group policy
  • Updates service account availability condition to use standard feature_available? method
  • Allows service account creation, administration, and management during GitLab.com trials
  • Maintains existing restrictions for Self-Managed and GitLab Dedicated (no change)

Changes to be made

1. Policy Changes (ee/app/policies/ee/group_policy.rb)

  • Before: @subject.feature_available_non_trial?(:service_accounts)
  • After: @subject.feature_available?(:service_accounts)

2. Test Updates

  • Update existing tests that verify trial restrictions are enforced
  • Add new tests to verify service accounts work during trials
  • Update policy specs to reflect the new behavior

3. Documentation Updates (doc/user/profile/service_accounts.md)

  • Before: "Cannot be used with trial versions of GitLab.com"
  • After: Remove this restriction from the documentation
  • Keep existing note about Self-Managed and Dedicated trial support

Why are we making this change?

  • Improves trial user experience by providing access to service account functionality
  • Reduces friction for users evaluating GitLab's automation capabilities
  • Aligns with product strategy to showcase more features during trials
  • Removes an artificial limitation that may prevent trial-to-paid conversions

Testing Strategy

  • Verify service accounts can be created in trial namespaces
  • Verify service accounts can be managed (edit, delete) in trial namespaces
  • Verify service account tokens work correctly in trial namespaces
  • Verify existing non-trial functionality remains unchanged
  • Verify Self-Managed and Dedicated trial behavior is unchanged

Risks and Considerations

  • Low Risk: Service accounts are already available in Self-Managed trials
  • Monitoring: Track service account creation in trials for potential abuse
  • Rollback Plan: Can easily revert by restoring feature_available_non_trial? check

Files Changed

  • ee/app/policies/ee/group_policy.rb - Remove trial restriction
  • ee/spec/policies/group_policy_spec.rb - Update policy tests
  • doc/user/profile/service_accounts.md - Update documentation
  • Additional test files as needed for comprehensive coverage

Related Issues

  • Closes #[issue-number] (if applicable)
  • Related to service account feature parity initiatives

Checklist

  • Code changes implemented
  • Tests updated and passing
  • Documentation updated
  • Security review completed (if needed)
  • Product team approval obtained
  • Ready for deployment to GitLab.com

Note: This change only affects GitLab.com trial behavior. Self-Managed and GitLab Dedicated instances already allow service accounts during trials and will continue to do so unchanged.

Edited by Tim Poffenbarger