Role-based permissions DAP - API (controller/GraphQL) extension

Everyone can contribute. Help move this issue forward while earning points, leveling up and collecting rewards.

• Close this issue

Summary

This issue extends the existing GitLab Duo settings API endpoints to support DAP (Duo Agent Platform) role-based permissions configuration. It provides the backend API infrastructure for administrators to configure which roles can perform DAP actions.

Background

As part of the DAP role-based permissions epic (#19743 (closed)), we need to extend existing AJAX and HTTP POST requests that update GitLab Duo settings. These settings exist on two pages that need to be extended:

• Self-Managed: /admin/gitlab_duo/configuration
• GitLab.com: /groups/:group/-/settings/gitlab_duo/configuration

Requirements

We need to find out, how the AI settings and the namespace settings table currently get updated. It could be via a classic Rails controller or via GraphQL. Depending on the current state the following possible changes apply:

API Endpoints

Read Permissions API

• Instance-level: GET /api/v4/admin/ai_settings
• Group-level: GET /api/v4/groups/:id/namespace_settings
• Return all permission configurations with their allowed roles

Update Permissions API

• Instance-level: PUT /api/v4/admin/ai_settings
• Group-level: PUT /api/v4/groups/:id/namespace_settings
• Accept permission configuration changes
• Validate role assignments
• Authorization: only admins/owners can modify

Model Integration

• Expose DAP permission attributes through AiSettings model
• Expose DAP permission attributes through NamespaceSettings model
• Use existing update mechanisms for both models
• Ensure proper serialization of permission data

GraphQL Extensions

• Add DAP permission fields to existing Duo settings types
• Implement mutations for updating DAP permissions
• Add proper authorization checks
• Support both instance and namespace contexts

API Specification

Validation Rules

• Validate role names against allowed enum values
• Ensure manage permission is limited to owner+ or maintainer+ roles (TBD)
• Prevent invalid permission configurations
• Return appropriate error messages for validation failures

Technical Implementation

• Extend existing Duo settings controllers or GraphQL endpoints
• Add DAP permission parameters to strong parameters
• Implement permission validation logic
• Add proper error handling and responses
• Update API documentation

Acceptance Criteria

• Instance-level DAP permissions can be read and updated via API (controller or GraphQL)
• Group-level DAP permissions can be read and updated via API (controller or GraphQL)
• GraphQL mutations or controllers support DAP permission updates
• Proper authorization prevents unauthorized access
• Validation ensures only valid role configurations
• API (controller or GraphQL) documentation is updated with new endpoints
• Integration tests cover all API (controller or GraphQL) endpoints

Related Issues

• Parent Epic: #19743 (closed) - [Backend] Role-based permissions controls for DAP
• Depends on: #578551 - Role-based permissions DAP - Model implementation
• Related: #19742 (closed) - [Frontend] Role-based permissions controls DAP

Notes

This API extension will be consumed by the frontend epic #19742 (closed) to provide the user interface for configuring DAP permissions.