Role-based permissions DAP - Enable on projects permission check integration for custom agents

Summary

This issue integrates DAP (Duo Agent Platform) role-based Enable on projects permission checks into custom agent enablement operations. It ensures that only users with appropriate permissions (maintainer+ by default) can enable or disable custom agents on projects.

Background

As part of the DAP role-based permissions epic (#19743 (closed)), we need to enforce the Enable on projects permission across all DAP agent enablement operations. Custom agents are a core DAP resource that requires proper access controls for project-level enablement.

The Enable on projects permission controls:

  • Enable: Enabling custom agents on projects
  • Disable: Disabling custom agents on projects
  • Toggle: Toggling agent availability on projects

The Enable on projects permission is limited to maintainer+ roles by design.

Requirements

Permission Check Integration

  • Identify all entry points for custom agent enablement operations on projects
  • Integrate DapPermissionService.can_user_perform_action? checks for :enable_on_projects action
  • Ensure permission checks occur before any enablement operation
  • Handle permission denial gracefully with appropriate error messages
  • Enforce maintainer+ minimum role requirement

Enablement Operations to Protect

Enable Operations

  • Enabling custom agents on projects via UI
  • Enabling custom agents on projects via API/GraphQL
  • Bulk enable operations

Disable Operations

  • Disabling custom agents on projects via UI
  • Disabling custom agents on projects via API/GraphQL
  • Bulk disable operations

Toggle Operations

  • Toggling agent availability on projects

Technical Implementation

Locations to Update

Based on the codebase analysis, identify and update all locations where custom agents are enabled on projects. This may include:

  • Agent enablement controllers
  • GraphQL mutations for agent enablement operations
  • API endpoints for agent enablement
  • Project settings interfaces for agent configuration
  • Bulk operation handlers

Permission Check Pattern 

# Before any enable operation on custom agent for project
unless DapPermissionService.can_user_perform_action?(current_user, namespace, :enable_on_projects)
  return error_response('Insufficient permissions to enable custom agents on projects. Maintainer role or higher required.')
end

# Perform enablement operation
perform_agent_enablement_operation(agent, project, params)

Acceptance Criteria

  • All custom agent enablement operations have permission checks
  • Users without Enable on projects permission receive clear error messages
  • Error messages indicate maintainer+ role requirement
  • Permission checks are performant (use caching from DapPermissionService)
  • UI elements for enablement are hidden/disabled for users without permission
  • Integration tests verify permission enforcement
  • Tests cover both allowed and denied scenarios
  • Audit logging captures enablement operations and permission checks

Testing Scenarios

  • User with maintainer role can enable custom agents on projects (default config)
  • User with owner role can enable custom agents on projects (default config)
  • User with developer role cannot enable custom agents on projects
  • User with reporter role cannot enable custom agents on projects
  • Custom permission configuration is respected (maintainer+ only)
  • Instance-level and namespace-level permissions work correctly
  • All enablement operations (enable, disable, toggle) respect permissions
  • Bulk operations respect permissions
  • UI appropriately reflects permission state

User Experience

  • Enablement UI elements are hidden for users without permission
  • Clear messaging when users attempt unauthorized operations
  • Guidance on how to request access or who can perform operations
  • Consistent permission enforcement across UI, API, and GraphQL

Related Issues

  • Parent Epic: #19743 (closed) - [Backend] Role-based permissions controls for DAP
  • Related: #583859 - Enable on projects permission for custom flows
  • Related: #578557 - Role-based permissions DAP - Manage permission

Notes

The Enable on projects permission for custom agents is an important security control. Only maintainer+ users should be able to enable agents on projects, as these can execute code and access resources within projects.

Edited by 🤖 GitLab Bot 🤖