Draft: Restrict free-tier service accounts from creating service accounts

What does this MR do and why?

Based on !224247 (closed)

Problem: Service accounts (SAs) on free-tier subscriptions can create other service accounts if they have Owner role on a group or Maintainer role on a project. There is no policy-level restriction preventing this. An SA authenticating via PAT can call POST /groups/:id/service_accounts or POST /projects/:id/service_accounts successfully.

Solution: Adds policy-level prevention that restricts free-tier service accounts from creating other service accounts.

Behavior

| Environment | Condition | SA can create other SAs? |
|---|---|---|
| SaaS | No provisioning group (instance-level SA) | Yes - controlled by GitLab, no changes here |
| SaaS | Provisioning group with no subscription | No |
| SaaS | Provisioning group with expired subscription | No |
| SaaS | Provisioning group with free plan | No |
| SaaS | Provisioning group with trial subscription | Yes |
| SaaS | Provisioning group with paid subscription (Premium/Ultimate) | Yes |
| Self-managed | No license | No |
| Self-managed | Licensed (service_accounts feature) | Yes |

Regular (human) users are not affected by this restriction.
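The decision table above expressed as a plain Ruby predicate, added here as an illustration and not GitLab's own code: the struct and method names are assumptions, and in the real change the check lives in the FreeTierServiceAccountRestriction concern and is observed through Ability.allowed?(sa, :create_service_account).

```ruby
# Illustrative model of the behavior table (assumed names, not GitLab's code).
# A service account is "free tier" when, on SaaS, its provisioning group has no
# trial or paid subscription, or, on self-managed, the instance has no license.
ServiceAccount = Struct.new(:service_account, :provisioning_group, keyword_init: true)
Group = Struct.new(:subscription, keyword_init: true)
# plan: :free, :premium or :ultimate; trial/expired: booleans
Subscription = Struct.new(:plan, :trial, :expired, keyword_init: true)

PAID_PLANS = %i[premium ultimate].freeze

# Does this subscription entitle the provisioning group to create SAs?
def subscription_grants_service_accounts?(subscription)
  return false if subscription.nil? || subscription.expired
  return true if subscription.trial

  PAID_PLANS.include?(subscription.plan)
end

# saas: true on GitLab.com; licensed: self-managed license includes service_accounts
def free_tier_service_account?(user, saas:, licensed:)
  return false unless user.service_account # human users are never restricted

  if saas
    group = user.provisioning_group
    return false if group.nil? # instance-level SA: managed by GitLab, unchanged

    !subscription_grants_service_accounts?(group.subscription)
  else
    !licensed
  end
end

# The concern's effect: free-tier SAs are prevented from :create_service_account
# regardless of role; everyone else falls through to the normal policy rules.
def allowed_to_create_service_account?(user, saas:, licensed:, base_policy_allows: true)
  return false if free_tier_service_account?(user, saas: saas, licensed: licensed)

  base_policy_allows
end
```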

How to set up and validate locally

Same steps as !224247 (closed), but checking Ability.allowed?(sa, :create_service_account) instead.

On tests

The FreeTierServiceAccountRestriction concern prevents both :create_group and :create_service_account, but no policy enables both abilities. Each test only asserts the ability that's actually enabled in that policy — testing the other would be a no-op (preventing something never enabled).

| Policy | :create_group enabled? | :create_service_account enabled? | Tested ability |
|---|---|---|---|
| GlobalPolicy (line 123) | Yes | No | :create_group |
| OrganizationPolicy (lines 19, 31) | Yes | No | :create_group |
| GroupPolicy (ee, line 497) | No | Yes | :create_service_account |
| ProjectPolicy (ee, line 830) | No | Yes | :create_service_account |

All 4 "disallowed" tests were validated to go RED when the corresponding prevent line is removed from the concern, confirming they test the new behavior and not some pre-existing restriction.

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #540774

Part of &20439

Edited by Aleksei Lipniagov
