Make it possible to disable Personal Access Tokens (PATs) on a SaaS namespace level (#369504) · Issues · GitLab.org / GitLab · GitLab

Make it possible to disable Personal Access Tokens (PATs) on a SaaS namespace level

### Problem Personal Access Tokens (PATs) bypass 2FA/MFA settings. We should provide an option to disable the use of such tokens to enable security-conscious administrators to prohibit this bypass. > Access tokens are not required to provide a second factor for authentication because they are API-based. Tokens generated before 2FA is enforced remain valid. https://docs.gitlab.com/ee/security/two_factor_authentication.html#enforce-2fa-for-all-users-in-a-group See https://gitlab.com/gitlab-org/gitlab/-/issues/368927#note_1046819362 (confidential issue) for discussion of how this relates to federal compliance requirements. ### Proposal Provide a file-, UI-, or feature flag-based option to disable creation of Personal Access Tokens for 'enterprise users' (users with `enterprise_group_id`) Keep service accounts available even when PATs are disabled. See https://gitlab.com/gitlab-org/gitlab/-/issues/369504#note_1285278550

issue