Role-based permissions DAP - Foreground/Background execute permission check integration for foundational flows


Summary

This issue integrates DAP (Duo Agent Platform) role-based Execute foreground/background permission checks into built-in flows. It ensures that users can only execute built-in flows if they have the appropriate role-based permissions configured at the instance or namespace level.

Background

As part of the DAP role-based permissions epic (#19743 (closed)), we need to enforce the Execute permission across all DAP execution points. Foundational flows are one of the three main areas where users can execute DAP functionality:

  • Foundational flows (this issue)
  • Agents in Agentic Chat
  • Custom agents and flows

Currently, foundational flows can only be executed through buttons in the web or IDE UI. The permission attributes used for these checks are minimum_access_level_execute_async for the background flows and minimum_access_level_execute for the foreground flow (Software Development flow).

Foundational flows

Background

Foreground

  • Software Development Flow: Research done here by @lwanko

Requirements

Permission Check Integration

  • Identify all entry points where built-in flows are executed
  • Ensure permission checks occur before flow execution
  • Handle permission denial gracefully with appropriate error messages
  • Consider service account permission intersections

Error Handling

  • Return clear error messages when permission is denied
  • Log permission check failures for audit purposes
  • Provide appropriate HTTP status codes (403 Forbidden)
  • Include information about required role in error messages
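
The requirements above, sketched as an added example (not GitLab's code and not from this issue): a check that runs before the flow body, picks the attribute by execution mode, returns 403 with the required role, and records every decision. The class and method names are hypothetical, the thresholds are taken from the testing scenarios in this issue, and treating the service account "intersection" as the lower of the two access levels is an assumption.

```ruby
# Added illustration; all class, method and constant names here are hypothetical.
# Numeric values are GitLab's standard access levels.
ACCESS_LEVELS = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

# Constructed settings: the two attributes named in the issue, with the
# thresholds from its testing scenarios (guest+ foreground, developer+ background).
SAMPLE_SETTINGS = {
  minimum_access_level_execute: ACCESS_LEVELS[:guest],
  minimum_access_level_execute_async: ACCESS_LEVELS[:developer]
}.freeze

Decision = Struct.new(:allowed, :http_status, :message)

class FlowExecuteGate
  attr_reader :audit_log

  def initialize(settings)
    @settings = settings
    @audit_log = [] # stand-in for a real audit sink
  end

  # mode is :foreground or :background. service_account_level is nil when
  # the flow does not run through a service account.
  def check(user:, user_level:, mode:, service_account_level: nil)
    attribute = mode == :background ? :minimum_access_level_execute_async : :minimum_access_level_execute
    required = @settings.fetch(attribute)
    # Assumption: the weaker principal decides; no level at all fails closed.
    effective = [user_level, service_account_level].compact.min || 0
    allowed = effective >= required
    @audit_log << { user: user, mode: mode, attribute: attribute,
                    required: required, effective: effective, allowed: allowed }
    return Decision.new(true, 200, 'ok') if allowed

    role = ACCESS_LEVELS.key(required) || required
    Decision.new(false, 403, "Executing #{mode} flows requires at least the #{role} role")
  end
end

# Run the check first; the flow body (the block) starts only when it passes.
def execute_flow(gate, **params)
  decision = gate.check(**params)
  return decision unless decision.allowed

  yield
  decision
end
```

Both allowed and denied decisions land in the audit log, so a denied attempt leaves a record even though the flow body never runs.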

Technical Implementation

Locations to Update

Based on the codebase analysis from issue #578370 (closed), identify and update all locations where built-in flows are executed. This may include:

  • Flow execution controllers
  • GraphQL mutations for flow execution
  • API endpoints for built-in flows
  • Background jobs that execute flows

Acceptance Criteria

  • All built-in flow execution points have permission checks
  • Users without Execute permission receive clear error messages
  • Service account permission intersections are properly enforced
  • Permission checks are performant (use caching from DapPermissionService)
  • Integration tests verify permission enforcement
  • Tests cover both allowed and denied scenarios
  • Audit logging captures permission check results

Testing Scenarios

  • User with developer+ role can execute background foundational flows
  • User with guest+ role can execute foreground foundational flows
  • Custom permission configuration is respected
  • Service account permissions properly limit flow capabilities
  • Instance-level and namespace-level permissions work correctly

  • Parent Epic: #19743 (closed) - [Backend] Role-based permissions controls for DAP
  • Depends on: #578556 (closed) - Role-based permissions DAP - Execute permission
  • Related: #578554 - Execute permission for agents in Agentic chat
  • Related: #578555 - Execute permission for custom flows
  • Related: #578563 (closed) - Execute permission for custom agents

Notes

This is one of the critical integration points for DAP permissions. Built-in flows are commonly used, so permission checks must be performant and user-friendly.

Edited by Lukas Wanko