
[BE] Distinguish user vs instance level permissions for granular scopes

Currently, granular scope permission access can be determined as follows:

if scope.all_membership_namespaces
  'all_memberships'
elsif scope.namespace.is_a?(::Namespaces::UserNamespace)
  'personal_projects'
elsif scope.namespace
  'selected_memberships'
else
  'user' # or 'instance'
end

We should add a way to distinguish user vs instance level access.

One way could be to add an enum field to granular scopes to determine access:

  1. personal_projects
  2. all_memberships
  3. selected_memberships
  4. user
  5. instance

This will replace the all_membership_namespaces boolean column.

Edited by 🤖 GitLab Bot 🤖
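
The proposal above, as an added plain-Ruby sketch (not GitLab's code): an explicit `access` value replaces the boolean, and a backfill from the legacy columns shows the one case that cannot be derived. `GranularScope`, `LegacyScope`, `backfill_access`, the stand-in namespace classes, the integer values and the namespace consistency checks are all assumptions made for illustration.

```ruby
# Hypothetical enum mapping; the integers are assumed from the list order in the issue.
ACCESS = {
  personal_projects: 1, all_memberships: 2, selected_memberships: 3,
  user: 4, instance: 5
}.freeze

# Constructed stand-ins for the namespace classes referenced in the issue's snippet.
UserNamespace  = Struct.new(:path)
GroupNamespace = Struct.new(:path)

# Legacy row shape: the boolean column plus an optional namespace.
LegacyScope = Struct.new(:all_membership_namespaces, :namespace)

# Derive the new value from the legacy columns, in the same order as the
# issue's snippet. Returns nil for the case the old columns cannot express
# (user vs instance), so a migration has to decide it explicitly.
def backfill_access(legacy)
  return :all_memberships if legacy.all_membership_namespaces
  return :personal_projects if legacy.namespace.is_a?(UserNamespace)
  return :selected_memberships if legacy.namespace

  nil
end

# Hypothetical model: access is stored explicitly instead of being inferred.
class GranularScope
  NAMESPACE_REQUIRED = %i[personal_projects selected_memberships].freeze
  NAMESPACE_FORBIDDEN = %i[user instance].freeze

  attr_reader :access, :namespace

  def initialize(access:, namespace: nil)
    raise ArgumentError, "unknown access: #{access.inspect}" unless ACCESS.key?(access)
    if NAMESPACE_REQUIRED.include?(access) && namespace.nil?
      raise ArgumentError, "#{access} requires a namespace"
    end
    if NAMESPACE_FORBIDDEN.include?(access) && namespace
      raise ArgumentError, "#{access} must not carry a namespace"
    end

    @access = access
    @namespace = namespace
  end

  # Instance-level access comes only from an explicit :instance value,
  # never from the absence of a namespace.
  def permits_instance_level?
    access == :instance
  end
end
```
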