Role-based permissions DAP - Enable on projects permission check integration for custom flows

Summary

This issue integrates DAP (Duo Agent Platform) role-based Enable on projects permission checks into custom flow enablement operations. It ensures that only users with appropriate permissions (maintainer+ by default) can enable or disable custom flows on projects.

Background

As part of the DAP role-based permissions epic (#19743 (closed)), we need to enforce the Enable on projects permission across all DAP flow enablement operations. Custom flows are a core DAP resource that requires proper access controls for project-level enablement.

The Enable on projects permission controls:

  • Enable: Enabling custom flows on projects
  • Disable: Disabling custom flows on projects
  • Toggle: Toggling flow availability on projects

The Enable on projects permission is limited to maintainer+ roles by design. Flows can only be added to a project by a maintainer+.

Requirements

Permission Check Integration

  • Identify all entry points for custom flow enablement operations on projects
  • Integrate DapPermissionService.can_user_perform_action? checks for :enable_on_projects action
  • Ensure permission checks occur before any enablement operation
  • Handle permission denial gracefully with appropriate error messages
  • Enforce maintainer+ minimum role requirement

Enablement Operations to Protect

Enable Operations

  • Enabling custom flows on projects via UI
  • Enabling custom flows on projects via API/GraphQL
  • Bulk enable operations

Disable Operations

  • Disabling custom flows on projects via UI
  • Disabling custom flows on projects via API/GraphQL
  • Bulk disable operations

Toggle Operations

  • Toggling flow availability on projects

Service Account Considerations

Each flow has a service account assigned (see epic #19478 (closed)). Enablement operations should consider:

  • Service account can only be added by an owner+ to a top-level namespace
  • Flow can only be added to a project by a maintainer+
  • Changing flow service account requires appropriate permissions

Technical Implementation

Locations to Update

Based on the codebase analysis, identify and update all locations where custom flows are enabled on projects. This may include:

  • Flow enablement controllers
  • GraphQL mutations for flow enablement operations
  • API endpoints for flow enablement
  • Project settings interfaces for flow configuration
  • Bulk operation handlers
  • Flow import/export functionality

Permission Check Pattern

# Before any enable operation on custom flow for project
unless DapPermissionService.can_user_perform_action?(current_user, namespace, :enable_on_projects)
  return error_response('Insufficient permissions to enable custom flows on projects. Maintainer role or higher required.')
end

# Perform enablement operation
perform_flow_enablement_operation(flow, project, params)

Acceptance Criteria

  • All custom flow enablement operations have permission checks
  • Users without Enable on projects permission receive clear error messages
  • Error messages indicate maintainer+ role requirement
  • Permission checks are performant (use caching from DapPermissionService)
  • UI elements for enablement are hidden/disabled for users without permission
  • Integration tests verify permission enforcement
  • Tests cover both allowed and denied scenarios
  • Audit logging captures enablement operations and permission checks

Testing Scenarios

  • User with maintainer role can enable custom flows on projects (default config)
  • User with owner role can enable custom flows on projects (default config)
  • User with developer role cannot enable custom flows on projects
  • User with reporter role cannot enable custom flows on projects
  • Custom permission configuration is respected (maintainer+ only)
  • Instance-level and namespace-level permissions work correctly
  • All enablement operations (enable, disable, toggle) respect permissions
  • Bulk operations respect permissions
  • UI appropriately reflects permission state
  • Flow can only be added to project by maintainer+
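
The permission check pattern and the allowed/denied scenarios above, as an added Ruby example that is not GitLab's own code. StubPermissionService, FlowEnablementService, the User and Project structs, and the per-project role lookup are hypothetical stand-ins; the numeric levels only encode role ordering.

```ruby
# Added illustration: all names are hypothetical stand-ins, not GitLab's code.
ACCESS = { reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze
MIN_ENABLE_LEVEL = ACCESS[:maintainer] # "maintainer+" from the issue

User = Struct.new(:name, :roles)             # roles: { project path => role }
Project = Struct.new(:path, :enabled_flows)

# Stand-in permission service: no user, no membership, unknown role or
# unknown action all resolve to "denied".
module StubPermissionService
  def self.can_user_perform_action?(user, project, action)
    return false unless user && action == :enable_on_projects

    ACCESS.fetch(user.roles[project.path], 0) >= MIN_ENABLE_LEVEL
  end
end

class FlowEnablementService
  DENIED = 'Insufficient permissions to enable custom flows on projects. ' \
           'Maintainer role or higher required.'
  OPERATIONS = %i[enable disable toggle].freeze
  attr_reader :audit_log

  def initialize(user)
    @user = user
    @audit_log = []
  end

  # Single choke point for enable, disable and toggle: the check runs before
  # any state change, and allowed and denied attempts are both recorded.
  def execute(operation, flow, project)
    raise ArgumentError, "unknown operation: #{operation}" unless OPERATIONS.include?(operation)

    allowed = StubPermissionService.can_user_perform_action?(@user, project, :enable_on_projects)
    @audit_log << { user: @user&.name, op: operation, flow: flow, project: project.path, allowed: allowed }
    return { status: :error, message: DENIED } unless allowed

    enabled = project.enabled_flows.include?(flow)
    target = operation == :toggle ? !enabled : (operation == :enable)
    project.enabled_flows = target ? project.enabled_flows | [flow] : project.enabled_flows - [flow]
    { status: :success, enabled: target }
  end

  # Bulk operations are checked per project, not once per request, so a user
  # who is maintainer on one project cannot change flows on another.
  def bulk(operation, flow, projects)
    projects.to_h { |project| [project.path, execute(operation, flow, project)] }
  end
end
```

Routing UI, API, GraphQL and bulk handlers through one method like `execute` keeps the check from being skipped at an individual entry point.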

User Experience

  • Enablement UI elements are hidden for users without permission
  • Clear messaging when users attempt unauthorized operations
  • Guidance on how to request access or who can perform operations
  • Consistent permission enforcement across UI, API, and GraphQL

Related Issues

  • Parent Epic: #19743 (closed) - [Backend] Role-based permissions controls for DAP
  • Related: #583858 - Enable on projects permission for custom agents
  • Related: #578557 - Role-based permissions DAP - Manage permission
  • Related: #19478 (closed) - Service account implementation

Notes

The Enable on projects permission for custom flows is an important security control. Only maintainer+ users should be able to enable flows on projects, as these can execute code and access resources within projects. The restriction that flows can only be added to a project by maintainer+ is an important security boundary.

Edited by 🤖 GitLab Bot 🤖