DRAFT: New API endpoint to add service accounts to group
What does this MR do and why?
A proof-of-concept to demonstrate what the code might look like if we add a new API endpoint to handle adding service accounts to groups, separate from the primary Membership APIs. This would be EE-only, with limited scope, and using separate permissions checks. This would allow us to handle adding service accounts to groups, even when group restrictions would normally disallow it. The impetus for this was restrictions on user management for LDAP-synced groups, but there may be other restrictions it makes sense to bypass for service accounts.
Open questions:
- How much effort-over-time do we expect for this endpoint to maintain feature parity with add-users-to-groups API?
- Would we need a similar add-service-accounts-to-projects API endpoint?
- Are there sufficient differences between the
:admin_service_accountspermission and:admin_service_account_memberspermission?
Screenshots or screen recordings
Screenshots are required for UI changes, and strongly recommended for all other merge requests.
| Before | After |
|---|---|
How to set up and validate locally
Numbered steps to set up and validate the change are strongly suggested.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
I have evaluated the MR acceptance checklist for this MR.