Role-based permissions DAP - Manage permission check integration for custom flows

Summary

This issue integrates DAP (Duo Agent Platform) role-based Manage permission checks into custom flow management operations. It ensures that only users with appropriate permissions (maintainer+ by default) can create, duplicate, edit, enable, and delete custom flows.

Background

As part of the DAP role-based permissions epic (#19743 (closed)), we need to enforce the Manage permission across all DAP administrative operations. Custom flows are a core DAP resource that requires proper access controls for management operations.

The Manage permission controls:

  • Create: Creating new custom flows
  • Duplicate: Duplicating existing custom flows
  • Edit: Modifying custom flow configurations
  • Enable: Enabling or disabling custom flows
  • Delete: Removing custom flows

The Manage permission is limited to maintainer+ roles by design. Flows can only be added to a project by a maintainer+.

Requirements

Permission Check Integration

  • Identify all entry points for custom flow management operations
  • Integrate DapPermissionService.can_user_perform_action? checks for :manage action
  • Ensure permission checks occur before any management operation
  • Handle permission denial gracefully with appropriate error messages
  • Enforce maintainer+ minimum role requirement

Management Operations to Protect

Create Operations

  • Creating new custom flows via UI
  • Creating custom flows via API/GraphQL
  • Importing custom flows
  • Cloning/duplicating custom flows

Edit Operations

  • Updating flow configuration
  • Modifying flow steps and logic
  • Changing flow permissions
  • Updating flow metadata
  • Configuring flow triggers

Enable/Disable Operations

  • Enabling custom flows
  • Disabling custom flows
  • Toggling flow availability

Delete Operations

  • Deleting custom flows
  • Bulk deletion operations
  • Archiving flows (if applicable)

Service Account Considerations

Each flow has a service account assigned (see epic #19478 (closed)). Management operations should consider:

  • Service account can only be added by an owner+ to a top-level namespace
  • Flow can only be added to a project by a maintainer+
  • Changing flow service account requires appropriate permissions

Technical Implementation

Locations to Update

Based on the codebase analysis from issue #578370 (closed), identify and update all locations where custom flows are managed. This may include:

  • Flow management controllers
  • GraphQL mutations for flow CRUD operations
  • API endpoints for flow management
  • Admin interfaces for flow configuration
  • Bulk operation handlers
  • Flow import/export functionality

Permission Check Pattern

# Before any manage operation on custom flow
unless DapPermissionService.can_user_perform_action?(current_user, namespace, :manage)
  return error_response('Insufficient permissions to manage custom flows. Maintainer role or higher required.')
end

# Perform management operation
perform_flow_management_operation(flow, params)

Acceptance Criteria

  • All custom flow management operations have permission checks
  • Users without Manage permission receive clear error messages
  • Error messages indicate maintainer+ role requirement
  • Permission checks are performant (use caching from DapPermissionService)
  • UI elements for management are hidden/disabled for users without permission
  • Integration tests verify permission enforcement
  • Tests cover both allowed and denied scenarios
  • Audit logging captures management operations and permission checks

Testing Scenarios

  • User with maintainer role can manage custom flows (default config)
  • User with owner role can manage custom flows (default config)
  • User with developer role cannot manage custom flows
  • User with reporter role cannot manage custom flows
  • Custom permission configuration is respected (maintainer+ only)
  • Instance-level and namespace-level permissions work correctly
  • All CRUD operations (create, read, update, delete) respect permissions
  • Bulk operations respect permissions
  • UI appropriately reflects permission state
  • Flow can only be added to project by maintainer+
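The permission check pattern above and the role scenarios in Testing Scenarios, worked through as an added example that is not GitLab's code. The `DapPermissionService` body, the `FlowManagementService` class, the `User`/`Namespace`/`CustomFlow` structs, the role ordering and the rule that a namespace may configure a stricter minimum than maintainer but never a looser one are all assumptions modelling the issue's requirements, not the real implementation.

```ruby
# Added example, not GitLab's code. Every class and constant below is an
# assumption modelling the issue's requirements, not the real implementation.

# Roles in ascending order of privilege (assumed ordering).
ROLE_ORDER = %i[guest reporter developer maintainer owner].freeze

# Manage is limited to maintainer+ by design: a namespace may configure a
# stricter minimum but never a looser one (assumed interpretation).
MANAGE_ROLE_FLOOR = :maintainer

MANAGE_DENIED_MESSAGE =
  'Insufficient permissions to manage custom flows. Maintainer role or higher required.'

User = Struct.new(:username, :role)
# manage_min_role: the namespace's configured minimum for :manage (nil = default).
Namespace = Struct.new(:path, :manage_min_role)
CustomFlow = Struct.new(:name, :namespace, :enabled)

# In-memory audit trail of every management attempt, allowed or denied (constructed).
AUDIT_LOG = []

# Stand-in for DapPermissionService: decides by role rank and caches the decision
# per (user, namespace, action) so repeated checks in one request are cheap.
class DapPermissionService
  @cache = {}

  class << self
    attr_reader :cache

    def can_user_perform_action?(user, namespace, action)
      raise ArgumentError, "unsupported action #{action.inspect}" unless action == :manage

      key = [user.username, namespace.path, action]
      return @cache[key] if @cache.key?(key)

      @cache[key] = rank(user.role) >= effective_min_rank(namespace)
    end

    def reset_cache!
      @cache.clear
    end

    private

    # Unknown roles rank below every known role, so they are always denied.
    def rank(role)
      ROLE_ORDER.index(role) || -1
    end

    # Configured minimum, raised to the maintainer floor if it was set lower.
    def effective_min_rank(namespace)
      [rank(namespace.manage_min_role), rank(MANAGE_ROLE_FLOOR)].max
    end
  end
end

# Single choke point for create / duplicate / enable / delete: every entry point
# (UI, API, GraphQL) routes through #guarded, so none can skip the check.
class FlowManagementService
  Result = Struct.new(:status, :message, :value)

  def initialize(current_user, namespace)
    @current_user = current_user
    @namespace = namespace
  end

  def create(name)
    guarded(:create) { CustomFlow.new(name, @namespace, false) }
  end

  def duplicate(flow)
    guarded(:duplicate) { CustomFlow.new("#{flow.name}-copy", @namespace, flow.enabled) }
  end

  def set_enabled(flow, enabled)
    guarded(:enable) { flow.enabled = enabled; flow }
  end

  # Bulk operations are checked once; either all proceed or none do.
  # Deletion is modelled as disabling and returning the deleted names.
  def bulk_delete(flows)
    guarded(:bulk_delete) { flows.each { |f| f.enabled = false }; flows.map(&:name) }
  end

  private

  # The check runs before the operation and is recorded whether or not it passes.
  def guarded(operation)
    allowed = DapPermissionService.can_user_perform_action?(@current_user, @namespace, :manage)
    AUDIT_LOG << { user: @current_user.username, namespace: @namespace.path,
                   operation: operation, allowed: allowed }
    return Result.new(:error, MANAGE_DENIED_MESSAGE, nil) unless allowed

    Result.new(:success, nil, yield)
  end
end

if __FILE__ == $PROGRAM_NAME
  ns = Namespace.new('group/project', nil)
  %i[reporter developer maintainer owner].each do |role|
    result = FlowManagementService.new(User.new("u-#{role}", role), ns).create('nightly-triage')
    puts "#{role}: #{result.status}#{result.message ? " (#{result.message})" : ''}"
  end
end
```

Running the file prints one line per role: reporter and developer get the error message, maintainer and owner succeed. The points worth carrying into the real change are the single `guarded` choke point (so a new GraphQL mutation or bulk handler cannot forget the check), the audit entry written for denied attempts as well as allowed ones, and the floor that keeps a misconfigured namespace from lowering the minimum below maintainer.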

User Experience

  • Management UI elements are hidden for users without permission
  • Clear messaging when users attempt unauthorized operations
  • Guidance on how to request access or who can perform operations
  • Consistent permission enforcement across UI, API, and GraphQL

Related Issues

  • Parent Epic: #19743 (closed) - [Backend] Role-based permissions controls for DAP
  • Depends on: #578557 - Role-based permissions DAP - Manage permission
  • Related: #578558 - Manage permission for custom agents
  • Related: #578556 (closed) - Run permission service
  • Related: #19478 (closed) - Service account implementation

Notes

The Manage permission for custom flows is a critical security control. Only maintainer+ users should be able to create or modify flows, as these can execute code and access resources within projects. The restriction that flows can only be added to a project by maintainer+ is an important security boundary.