Role-based permissions DAP - Custom roles support


Summary

This issue tracks support for custom roles in the DAP (Duo Agent Platform) role-based permissions system. We will check the base role of a custom role to determine whether a user is allowed to execute a specific action.

Background

Large enterprises are leveraging custom roles for more granular control. For example, they may want to:

  • Create a custom role called "Specialist" and grant only those users the ability to use the already existing custom permissions.
  • Those users should still be evaluated for DAP permissions based on the base role of their custom role.

Current Implementation

The current "minimum role" approach allows admins to configure which minimum role gets specific permissions via the GitLab Duo Settings page. This works well for standard roles, but doesn't support custom roles.

Proposed Solution

Introduce support for custom roles in the role-based permissions for DAP. This excludes adding additional custom permissions to custom roles.

How It Would Work

  1. (Optional) Admin configures minimum roles via GitLab Duo Settings page (existing functionality)
    • Sets or unsets minimum role requirements (e.g., Developer+ for Run, Maintainer+ for Manage)
  2. Admin creates custom roles via the Custom Roles configuration page.
    • Creates custom role (e.g., "Specialist")
    • Assigns a base role (e.g., Developer) to the custom role
  3. Admin assigns users to custom roles
    • Users with custom roles get the DAP permissions based on the base role.
    • This works alongside the usual role concept.

Considerations

Ultimate-Only Feature

  • Custom roles are only available on the Ultimate tier
  • Premium customers will not use Custom roles
  • Need to ensure graceful handling when custom roles aren't available.

Acceptance Criteria

  • Custom roles are considered for all DAP actions (execute/manage/enable for agents/flows)
  • Tests verify permission resolution with custom roles
  • Works correctly on Ultimate tier
  • Gracefully handles Premium tier (custom roles not available)

Notes

This is planned for a later iteration after the initial minimum role implementation is complete. The minimum role approach provides immediate value while custom roles support can be added incrementally for enterprise customers who need more granular control.

The key insight is that custom roles would work alongside minimum role settings, not replace them. Admins can use minimum roles for broad access control and custom roles for specific exceptions or specialized teams.

Edited by 🤖 GitLab Bot 🤖
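
The resolution order described under "How It Would Work", sketched as an added example that is not GitLab's implementation: the check runs against the base role of the custom role and compares it with the configured minimum role. All names are hypothetical; denying when a minimum role is unset and falling back to the member's standard role when custom roles are unavailable are assumptions of this example, since the issue does not define either behaviour.

```ruby
# Added example: hypothetical names, not GitLab's implementation.
# Numeric values are GitLab's documented access levels.
ACCESS = { guest: 10, planner: 15, reporter: 20,
           developer: 30, maintainer: 40, owner: 50 }.freeze

# Constructed settings from the page's example (Developer+ for Run,
# Maintainer+ for Manage); :enable is left unset.
MINIMUM_ROLES = { execute: :developer, manage: :maintainer }.freeze

CustomRole = Struct.new(:name, :base_role, keyword_init: true)
Member = Struct.new(:name, :standard_role, :custom_role, keyword_init: true)

# Role the check runs against: the custom role's base role when custom
# roles are available (Ultimate), otherwise the member's standard role.
def effective_role(member, custom_roles_available:)
  custom = member.custom_role
  return custom.base_role if custom_roles_available && custom
  member.standard_role
end

# True when the member's effective role meets the minimum for the action.
def dap_allowed?(member, action, custom_roles_available:, minimum_roles: MINIMUM_ROLES)
  minimum = ACCESS[minimum_roles[action]]
  level = ACCESS[effective_role(member, custom_roles_available: custom_roles_available)]
  # Assumption: an unset minimum or an unresolvable role denies (fail closed).
  return false if minimum.nil? || level.nil?
  level >= minimum
end

# Constructed member: custom role "Specialist" with base role Developer.
specialist = Member.new(name: "alice", standard_role: :developer,
  custom_role: CustomRole.new(name: "Specialist", base_role: :developer))
%i[execute manage enable].each do |action|
  puts "#{action}: #{dap_allowed?(specialist, action, custom_roles_available: true)}"
end
```
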