Enable manage_self_hosted_models_settings for GitLab Dedicated instances
Summary
Currently, the manage_self_hosted_models_settings ability is restricted to self-managed instances only. GitLab Dedicated customers need the ability to configure and manage self-hosted models (bring-your-own-AI) for their instances, similar to the instance-level model selection capability that was recently enabled for Dedicated in MR !208017 (merged).
Problem Statement
GitLab Dedicated customers, particularly those in regulated environments (e.g., US Public Sector, FedRAMP), require the ability to:
- Deploy and manage their own AI Gateway infrastructure
- Configure self-hosted models (e.g., AWS Bedrock models in Gov Cloud)
- Use these models with GitLab Duo features while maintaining compliance and data residency requirements
Currently, the policy in ee/app/policies/ee/global_policy.rb prevents Dedicated instances from accessing manage_self_hosted_models_settings due to the self_hosted_models_allowed condition check.
Current Restrictions
The self_hosted_models_allowed condition (lines 195-202 in ee/app/policies/ee/global_policy.rb) returns false for:
- GitLab.com (unless feature flag enabled)
- Dedicated instances ← This is the blocker
- Instances with Amazon Q connected
- Instances without active Duo Enterprise add-on
Proposed Solution
Update the authorization logic to allow Dedicated instances to manage self-hosted models, similar to how MR !208017 (merged) enabled manage_instance_model_selection for Dedicated.
Changes Required
- Update self_hosted_models_allowed condition in ee/app/policies/ee/global_policy.rb:
  - Remove or modify the Dedicated instance check to allow self-hosted models on Dedicated
  - Maintain other restrictions (Amazon Q, Duo Enterprise add-on requirement)
- Update controller authorization in ee/app/controllers/admin/gitlab_duo/self_hosted_controller.rb:
  - Ensure Dedicated instances can access the self-hosted models configuration page
  - Similar to the approach in MR !208017 (merged) which uses can_any? to check for either manage_self_hosted_models_settings or manage_instance_model_selection
- Update UI/Frontend to handle Dedicated instances:
  - Ensure the self-hosted models UI is accessible on Dedicated
  - May need to hide/disable features not applicable to Dedicated (e.g., "Add self-hosted model" button if not supported)
- Update GraphQL resolvers and mutations to support Dedicated:
  - Ensure queries and mutations for self-hosted models work on Dedicated instances
  - Maintain proper authorization checks
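The change to the self_hosted_models_allowed condition, modelled as an added example (plain Ruby, not GitLab's policy code): it encodes the four restrictions listed under Current Restrictions, drops only the Dedicated check, and enumerates every input combination to confirm that no other restriction is loosened. The struct fields and method names are hypothetical.

```ruby
# Simplified stand-in for the instance state the condition inspects.
# Field names are hypothetical, not GitLab's.
Instance = Struct.new(:gitlab_com, :com_flag_enabled, :dedicated,
                      :amazon_q_connected, :duo_enterprise_active,
                      keyword_init: true)

# Current behaviour as listed under "Current Restrictions".
def allowed_current?(i)
  return false if i.gitlab_com && !i.com_flag_enabled
  return false if i.dedicated
  return false if i.amazon_q_connected
  return false unless i.duo_enterprise_active
  true
end

# Proposed behaviour: only the Dedicated check is dropped.
def allowed_proposed?(i)
  return false if i.gitlab_com && !i.com_flag_enabled
  return false if i.amazon_q_connected
  return false unless i.duo_enterprise_active
  true
end

# Every combination of the five inputs (32 states, including ones that
# cannot occur in practice, so that nothing is missed).
def all_states
  [true, false].repeated_permutation(5).map do |com, flag, ded, q, duo|
    Instance.new(gitlab_com: com, com_flag_enabled: flag, dedicated: ded,
                 amazon_q_connected: q, duo_enterprise_active: duo)
  end
end

# States whose authorization decision differs between the two versions.
def changed_states
  all_states.reject { |i| allowed_current?(i) == allowed_proposed?(i) }
end

# True when the change only grants access to Dedicated instances that still
# satisfy the Amazon Q and Duo Enterprise restrictions.
def change_is_scoped?
  changed_states.all? do |i|
    i.dedicated && allowed_proposed?(i) &&
      !i.amazon_q_connected && i.duo_enterprise_active
  end
end

if __FILE__ == $PROGRAM_NAME
  changed_states.each { |i| puts i.to_h }
  puts "scoped: #{change_is_scoped?}"
end
```

The same exhaustive comparison can back the policy specs: any state outside the Dedicated rows that flips from denied to allowed indicates the condition was relaxed too far.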
Related Issues/MRs
- MR !208017 (merged) - "Ensure instance-level model selection page is accessible in Dedicated instance"
- Issue #569874 (closed) - "Show Duo Self-Hosted page to Dedicated"
- Work Item gitlab-com/gl-infra/gitlab-dedicated/team#10646 - "Configure BYO-AI for CompSecGov"
Use Cases
- US Public Sector/FedRAMP Compliance: Deploy FIPS-compliant AI Gateway in AWS Gov Cloud
- Data Residency Requirements: Host AI models in specific geographic regions
- Compliance & Security: Maintain full control over AI infrastructure and data flow
- Cost Optimization: Use customer-preferred model providers and platforms
Definition of Done
- Dedicated instance admins can access the self-hosted models configuration page
- Dedicated instance admins can declare and configure self-hosted models
- Dedicated instance admins can assign self-hosted models to Duo features
- Authorization checks properly enforce Duo Enterprise add-on requirement
- UI appropriately reflects Dedicated-specific constraints
- Tests verify Dedicated instances can use manage_self_hosted_models_settings
- Documentation updated to reflect Dedicated support
Technical Notes
The implementation should follow the pattern established in MR !208017 (merged), which:
- Updated the global policy to allow Dedicated instances
- Modified the controller to check for either permission
- Updated the frontend to conditionally render UI based on instance type
- Added appropriate tests for Dedicated scenarios