Role-based permissions DAP - Manage permission check integration for custom agents

Everyone can contribute. Help move this issue forward while earning points, leveling up and collecting rewards.

Summary

This issue integrates DAP (Duo Agent Platform) role-based Manage permission checks into custom agent management operations. It ensures that only users with appropriate permissions (maintainer+ by default) can create, duplicate, edit, enable, and delete custom agents.

Background

As part of the DAP role-based permissions epic (#19743 (closed)), we need to enforce the Manage permission across all DAP administrative operations. Custom agents are a core DAP resource that requires proper access controls for management operations.

The Manage permission controls:

  • Create: Creating new custom agents
  • Duplicate: Duplicating existing custom agents
  • Edit: Modifying custom agent configurations
  • Enable: Enabling or disabling custom agents
  • Delete: Removing custom agents

The Manage permission is limited to maintainer+ roles by design.

Requirements

Permission Check Integration

  • Identify all entry points for custom agent management operations
  • Integrate DapPermissionService.can_user_perform_action? checks for :manage action
  • Ensure permission checks occur before any management operation
  • Handle permission denial gracefully with appropriate error messages
  • Enforce maintainer+ minimum role requirement

Management Operations to Protect

Create Operations

  • Creating new custom agents via UI
  • Creating custom agents via API/GraphQL
  • Importing custom agents
  • Cloning/duplicating custom agents

Edit Operations

  • Updating agent configuration
  • Modifying agent settings
  • Changing agent permissions
  • Updating agent metadata

Enable/Disable Operations

  • Enabling custom agents
  • Disabling custom agents
  • Toggling agent availability

Delete Operations

  • Deleting custom agents
  • Bulk deletion operations
  • Archiving agents (if applicable)

Technical Implementation

Locations to Update

Based on the codebase analysis from issue #578370 (closed), identify and update all locations where custom agents are managed. This may include:

  • Agent management controllers
  • GraphQL mutations for agent CRUD operations
  • API endpoints for agent management
  • Admin interfaces for agent configuration
  • Bulk operation handlers

Permission Check Pattern

# Before any manage operation on custom agent
unless DapPermissionService.can_user_perform_action?(current_user, namespace, :manage)
  return error_response('Insufficient permissions to manage custom agents. Maintainer role or higher required.')
end

# Perform management operation
perform_agent_management_operation(agent, params)

Acceptance Criteria

  • All custom agent management operations have permission checks
  • Users without Manage permission receive clear error messages
  • Error messages indicate maintainer+ role requirement
  • Permission checks are performant (use caching from DapPermissionService)
  • UI elements for management are hidden/disabled for users without permission
  • Integration tests verify permission enforcement
  • Tests cover both allowed and denied scenarios
  • Audit logging captures management operations and permission checks

Testing Scenarios

  • User with maintainer role can manage custom agents (default config)
  • User with owner role can manage custom agents (default config)
  • User with developer role cannot manage custom agents
  • User with reporter role cannot manage custom agents
  • Custom permission configuration is respected (maintainer+ only)
  • Instance-level and namespace-level permissions work correctly
  • All CRUD operations (create, read, update, delete) respect permissions
  • Bulk operations respect permissions
  • UI appropriately reflects permission state

User Experience

  • Management UI elements are hidden for users without permission
  • Clear messaging when users attempt unauthorized operations
  • Guidance on how to request access or who can perform operations
  • Consistent permission enforcement across UI, API, and GraphQL

Related Issues

  • Parent Epic: #19743 (closed) - [Backend] Role-based permissions controls for DAP
  • Depends on: #578557 - Role-based permissions DAP - Manage permission
  • Related: #578560 - Manage permission for custom flows
  • Related: #578556 (closed) - Run permission service

Notes

The Manage permission for custom agents is a critical security control. Only maintainer+ users should be able to create or modify agents, as these can execute code and access resources within projects.

Edited by 🤖 GitLab Bot 🤖