Role-based permissions DAP - Manage permission check integration for custom agents

Summary

This issue integrates DAP (Duo Agent Platform) role-based Manage permission checks into custom agent management operations. It ensures that only users with appropriate permissions (maintainer+ by default) can create, duplicate, edit, enable, and delete custom agents.

Background

As part of the DAP role-based permissions epic (#19743 (closed)), we need to enforce the Manage permission across all DAP administrative operations. Custom agents are a core DAP resource that requires proper access controls for management operations.

The Manage permission controls:

  • Create: Creating new custom agents
  • Duplicate: Duplicating existing custom agents
  • Edit: Modifying custom agent configurations
  • Enable: Enabling or disabling custom agents
  • Delete: Removing custom agents

The Manage permission is limited to maintainer+ roles by design.

Requirements

Permission Check Integration

  • Identify all entry points for custom agent management operations
  • Integrate DapPermissionService.can_user_perform_action? checks for :manage action
  • Ensure permission checks occur before any management operation
  • Handle permission denial gracefully with appropriate error messages
  • Enforce maintainer+ minimum role requirement

Management Operations to Protect

Create Operations

  • Creating new custom agents via UI
  • Creating custom agents via API/GraphQL
  • Importing custom agents
  • Cloning/duplicating custom agents

Edit Operations

  • Updating agent configuration
  • Modifying agent settings
  • Changing agent permissions
  • Updating agent metadata

Enable/Disable Operations

  • Enabling custom agents
  • Disabling custom agents
  • Toggling agent availability

Delete Operations

  • Deleting custom agents
  • Bulk deletion operations
  • Archiving agents (if applicable)

Technical Implementation

Locations to Update

Based on the codebase analysis from issue #578370 (closed), identify and update all locations where custom agents are managed. This may include:

  • Agent management controllers
  • GraphQL mutations for agent CRUD operations
  • API endpoints for agent management
  • Admin interfaces for agent configuration
  • Bulk operation handlers

Permission Check Pattern

# Before any manage operation on custom agent
unless DapPermissionService.can_user_perform_action?(current_user, namespace, :manage)
  return error_response('Insufficient permissions to manage custom agents. Maintainer role or higher required.')
end

# Perform management operation
perform_agent_management_operation(agent, params)

Acceptance Criteria

  • All custom agent management operations have permission checks
  • Users without Manage permission receive clear error messages
  • Error messages indicate maintainer+ role requirement
  • Permission checks are performant (use caching from DapPermissionService)
  • UI elements for management are hidden/disabled for users without permission
  • Integration tests verify permission enforcement
  • Tests cover both allowed and denied scenarios
  • Audit logging captures management operations and permission checks

Testing Scenarios

  • User with maintainer role can manage custom agents (default config)
  • User with owner role can manage custom agents (default config)
  • User with developer role cannot manage custom agents
  • User with reporter role cannot manage custom agents
  • Custom permission configuration is respected (maintainer+ only)
  • Instance-level and namespace-level permissions work correctly
  • All CRUD operations (create, read, update, delete) respect permissions
  • Bulk operations respect permissions
  • UI appropriately reflects permission state

User Experience

  • Management UI elements are hidden for users without permission
  • Clear messaging when users attempt unauthorized operations
  • Guidance on how to request access or who can perform operations
  • Consistent permission enforcement across UI, API, and GraphQL

Related Issues

  • Parent Epic: #19743 (closed) - [Backend] Role-based permissions controls for DAP
  • Depends on: #578557 - Role-based permissions DAP - Manage permission
  • Related: #578560 - Manage permission for custom flows
  • Related: #578556 (closed) - Run permission service

Notes

The Manage permission for custom agents is a critical security control. Only maintainer+ users should be able to create or modify agents, as these can execute code and access resources within projects.

Edited by 🤖 GitLab Bot 🤖