Role-based permissions DAP - Background execute permission check integration for custom flows

Summary

This issue integrates the DAP (Duo Agent Platform) role-based background Execute permission check into custom flows. It ensures that users can execute custom flows only if they have the appropriate role-based permissions configured at the instance or namespace level.

Background

As part of the DAP role-based permissions epic (#19743 (closed)), we need to enforce the Execute permission across all DAP execution points. Custom flows are one of the three main areas where users can execute DAP functionality:

  • Built-in flows
  • Agentic Chat in Web UI and IDE
  • Custom flows (this issue)

Currently, the only way to execute custom flows is via flow triggers. The permission attribute used for this check will be minimum_access_level_execute_async, because custom flows currently run in the background.

Requirements

Permission Check Integration

  • Identify all entry points where custom flows are executed
  • Ensure permission checks occur before flow execution
  • Handle permission denial gracefully with appropriate error messages
  • Consider service account permission intersections
  • Support both manual and automated flow execution

Technical Implementation

Locations to Update

Based on the codebase analysis from issue #578370 (closed), identify and update all locations where custom flows are executed. This may include:

  • Flow execution controllers
  • GraphQL mutations for custom flow execution
  • API endpoints for flow triggers
  • Webhook handlers for flow automation
  • Background jobs that execute flows
  • CI/CD pipeline integration

Acceptance Criteria

  • All custom flow execution points have permission checks
  • Users without Execute permission receive clear error messages
  • Service account permission intersections are properly enforced
  • Permission checks are performant (use caching from DapPermissionService)
  • Both manual and automated flow executions are protected
  • Integration tests verify permission enforcement
  • Tests cover both allowed and denied scenarios
  • Audit logging captures permission check results

Testing Scenarios

  • User with developer+ role can execute custom flows
  • User with reporter role cannot execute custom flows (default config)
  • Custom permission configuration is respected
  • Service account permissions properly limit flow capabilities
  • Instance-level and namespace-level permissions work correctly
  • Flow execution via different triggers (manual, webhook, CI/CD) respects permissions
  • Permission checks work for flows in different project contexts
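
The gate these requirements and scenarios describe, as an added Ruby example that is not GitLab's own code. `FlowPermissionGate` and its methods are hypothetical, and the in-memory hash only stands in for the caching that DapPermissionService would provide. Assumptions: a namespace setting overrides the instance setting, and "intersection" means the triggering user and the service account must each meet the minimum.

```ruby
# Added illustration; all class/method names are hypothetical, not GitLab's code.
ACCESS_LEVELS = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

class FlowPermissionGate
  Denied = Class.new(StandardError)
  attr_reader :audit_log

  # instance_min: instance-wide minimum_access_level_execute_async.
  # namespace_min: per-namespace overrides (assumed here to take precedence).
  def initialize(instance_min: :developer, namespace_min: {})
    @instance_min = instance_min
    @namespace_min = namespace_min
    @cache = {}      # memoizes the resolved minimum per namespace
    @audit_log = []  # constructed in-memory stand-in for audit events
  end

  def required_level(namespace)
    @cache[namespace] ||= ACCESS_LEVELS.fetch(@namespace_min.fetch(namespace, @instance_min))
  end

  # Assumed intersection rule: the triggering user AND the service account
  # that runs the flow must each meet the minimum. Unknown roles fail closed.
  def allowed?(user_role:, service_account_role:, namespace:, trigger:)
    min = required_level(namespace)
    ok = [user_role, service_account_role].all? { |r| ACCESS_LEVELS.fetch(r, 0) >= min }
    @audit_log << { namespace: namespace, trigger: trigger, user_role: user_role,
                    service_account_role: service_account_role, allowed: ok }
    ok
  end

  # Single entry point: the check runs before the flow body is yielded to.
  def execute(flow_name, **ctx)
    unless allowed?(**ctx)
      raise Denied, "You do not have permission to execute flow '#{flow_name}' in #{ctx[:namespace]}"
    end
    yield
  end
end

gate = FlowPermissionGate.new(namespace_min: { "group-b" => :maintainer })
ctx = { service_account_role: :developer, namespace: "group-a", trigger: :webhook }
puts gate.execute("triage", user_role: :developer, **ctx) { :ran }
begin
  gate.execute("triage", user_role: :reporter, **ctx) { :ran }
rescue FlowPermissionGate::Denied => e
  puts e.message
end
```

Routing every trigger type (manual, webhook, CI/CD) through the one `execute` method is what keeps an entry point from bypassing the check.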

Performance Considerations

Custom flows may be executed frequently, especially in automated scenarios:

  • Optimize permission checks for high-frequency execution
  • Consider batch permission checks for multiple flows
  • Monitor performance impact on flow execution time

  • Parent Epic: #19743 (closed) - [Backend] Role-based permissions controls for DAP
  • Depends on: #578556 (closed) - Role-based permissions DAP - Run permission
  • Related: #578553 - Run permission for built-in flows
  • Related: #578554 - Run permission for agents in Agentic chat
  • Related: #578563 (closed) - Run permission for custom agents
  • Related: #19478 (closed) - Service account implementation

Notes

Custom flows are a core DAP feature with multiple execution contexts. This implementation must be robust and handle all execution scenarios while maintaining good performance.

Edited by Lukas Wanko