diff --git a/ee/app/policies/ee/group_policy.rb b/ee/app/policies/ee/group_policy.rb
index 70dd2b98465a5fb9588289a43a6397038ff9b428..5f7f2d66393762cbdd4c3745669a56f04ec77c43 100644
--- a/ee/app/policies/ee/group_policy.rb
+++ b/ee/app/policies/ee/group_policy.rb
@@ -390,7 +390,7 @@ module GroupPolicy
 prevent :override_group_member
 end
- rule { owner & service_accounts_available }.policy do
+ rule { (admin | owner) & service_accounts_available }.policy do
 enable :admin_service_accounts
 end
diff --git a/ee/spec/policies/group_policy_spec.rb b/ee/spec/policies/group_policy_spec.rb
index 7f40f43b4ef9dd6bd22061403dfa704fe6126735..4532b94734fb5e83bc319ffb54d5b1a3fc04b5ca 100644
--- a/ee/spec/policies/group_policy_spec.rb
+++ b/ee/spec/policies/group_policy_spec.rb
@@ -2782,6 +2782,18 @@ def expect_private_group_permissions_as_if_non_member
 it { is_expected.to be_allowed(:admin_service_accounts) }
 end
+
+ context 'when the user is an instance admin' do
+ let(:current_user) { admin }
+
+ context 'when admin mode is enabled', :enable_admin_mode do
+ it { is_expected.to be_allowed(:admin_service_accounts) }
+ end
+
+ context 'when admin mode is not enabled' do
+ it { is_expected.to be_disallowed(:admin_service_accounts) }
+ end
+ end
 end
 end
 end
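Review bot: The parentheses in `rule { (admin | owner) & service_accounts_available }` are load-bearing and the rule has no comment saying so. Ruby's `&` binds tighter than `|`, so a later edit that drops them would grant instance admins `:admin_service_accounts` even where service accounts are not available. A one-line comment above the rule would record the intent, for example `# Instance admins (subject to admin mode) and group owners; both still require service_accounts_available.` The change also extends the ability to admins who are not members of the group, so any caller that pairs this ability with an assumption of group membership should be checked; those callers are outside this hunk.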
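Review bot: The new admin contexts cover admin mode on and off, but nothing in this hunk checks an admin when service accounts are unavailable, so the `& service_accounts_available` half of the widened rule is not pinned for admins. The contexts appear to sit inside a block where the feature is available (the preceding context line expects `be_allowed`), though that enclosing context starts outside the hunk. Add a sibling case for an admin with `:enable_admin_mode` in whichever context turns the feature off, asserting `it { is_expected.to be_disallowed(:admin_service_accounts) }`. That test would fail if the parentheses in the policy rule were ever dropped.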