Add foreground execute permission check for Agentic Chat access on SM
What does this MR do and why?
This change adds the Self-managed implementation to check the role-based foreground execute permission before enabling Agentic Chat.
This feature is behind a feature flag.
Depends on !218864 (merged)
References
Using Agentic Chat in a public group/project
In the examples below, where a role is present, it does not meet the minimum access level setting, demonstrating how the role-based permission would disable Agentic Chat.
User is a member of the group/project where they are using Agentic Chat
| | Current behaviour | With role-based permission enforcement |
|---|---|---|
| WebUI | Agentic Chat is available | Role-based permission prevents Agentic Chat access using the user's access level |
| IDE | | |
User is a non member of the group/project, but has membership elsewhere on the instance
| | Current behaviour | With role-based permission enforcement |
|---|---|---|
| WebUI | Agentic Chat is available | Role-based permission prevents Agentic Chat access using the user's highest access level on the instance |
| IDE | | |
User has no membership on the instance
| | Current behaviour | With role-based permission enforcement |
|---|---|---|
| WebUI | Agentic Chat is available | Role-based permission prevents Agentic Chat access |
| IDE | | |
Using Agentic Chat in a non namespace context
In the examples below, where a role is present, it does not meet the minimum access level setting, demonstrating how the role-based permission would disable Agentic Chat.
User is a member of the group/project where they are using Agentic Chat
| Current behaviour | With role-based permission enforcement |
|---|---|
| Agentic Chat is available | Role-based permission prevents Agentic Chat access using the user's access level |
User is a non member of the group/project, but has membership elsewhere on the instance
| Current behaviour | With role-based permission enforcement |
|---|---|
| Agentic Chat is available | Role-based permission prevents Agentic Chat access using the user's highest role on the instance |
User has no membership on the instance
| Current behaviour | With role-based permission enforcement |
|---|---|
| Agentic Chat is unavailable | Agentic Chat remains unavailable |
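As an added illustration (not code from this MR or from the GitLab code base), the decision the scenario tables above describe, written in plain Ruby: the access level constants mirror Gitlab::Access, while the method names, the memberships hash and the `enforce_roles` switch standing in for the feature flag are assumptions.

```ruby
# Access level values as defined in Gitlab::Access.
GUEST = 10
REPORTER = 20
DEVELOPER = 30
MAINTAINER = 40
OWNER = 50

# memberships: { "group-or-project path" => access level } for this user on the instance
# (assumed shape). context: path of the group/project Agentic Chat is opened in,
# or nil for a global page such as /dashboard/todos.
def effective_access_level(memberships, context)
  # Member of the namespace in use: that membership's level decides.
  return memberships[context] if context && memberships.key?(context)

  # Otherwise fall back to the highest role anywhere on the instance (nil if none).
  memberships.values.max
end

# Returns true when Agentic Chat should be offered.
# enforce_roles: false reproduces the "Current behaviour" column: chat is offered in any
# namespace context (even to a non-member of a public group) and on global pages only
# when the user holds some membership. enforce_roles: true is the role-based check.
def agentic_chat_allowed?(memberships, context, minimum_level, enforce_roles: true)
  return !context.nil? || !memberships.empty? unless enforce_roles

  level = effective_access_level(memberships, context)
  !level.nil? && level >= minimum_level
end
```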
How to set up and validate locally
1. Additionally, see prerequisites
2. Start GDK in Self-managed mode: `export GITLAB_SIMULATE_SAAS=0`
3. Create a group and project with DAP enabled for the instance
4. Enable the feature flag: `Feature.enable(:dap_instance_customizable_permissions, :instance)`
5. Update the minimum access level for foreground execution: `::Ai::Setting.instance.update!(minimum_access_level_execute: ::Gitlab::Access::DEVELOPER)`
WebUI testing steps:
- Create a new user and add them as a member with Guest access in the group created in step 3
- Sign in as this new user and verify these scenarios
- Agentic Chat is unavailable in the group created in step 3
- Agentic Chat is unavailable in the project created in step 3
- Agentic Chat is unavailable from global pages, such as http://gdk.test:3000/dashboard/todos
IDE testing steps:
- Set up DAP in your IDE
- Create a new IDE profile for your Guest user
- Using the Guest's IDE profile, open the project created in step 3
- Verify Agentic Chat is unavailable for the user
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.