Add "Manage Runners" as a customizable permission
### Release notes

Group owners and project maintainers have the ability to manage runners. This often leaves a user overprivileged, holding other destructive group or project permissions that they may not need. With the release of this permission, you can create a custom role and set the permission to enable least-privilege access.

### Background

Group owners and project maintainers have the ability to manage runners. This leads organizations to elevate a subset of users who need to manage runners and who, as a consequence, can edit other group or project settings. This permission will allow a custom role, such as Developer plus this permission, giving organizations a way to reduce the number of Owners and Maintainers in their environment.

### Proposal and User Experience

1. When creating a role, any base role can be selected. A new permission labeled "Manage Runners" is available and can be selected.
2. If the user role is targeted at the group level, they will be able to perform the Group Actions indicated below on the group and its subgroups. This continues to follow the waterfall permission model.
3. If the user role is targeted at the project level, they can only perform the Project Actions indicated below for the project.
4. The permission actions for `admin_runners` allow create / write (create/update) / delete on Runners and settings, including:

<table>
<tr>
<th>Group Actions</th>
<th>Project Actions</th>
</tr>
<tr>
<td>

Runner Object

* [x] Create a group runner
* [x] Edit a runner
* [x] Delete a runner
* [x] View details
  * Continue to only show objects that the user has access to (jobs/projects)

Runner List

* [x] View list of runners (all, group or project) and status including filtering
* [x] Edit, Resume, Delete Runner on List item
* [ ] Registration Token Dropdown Option (Deprecated)

Runner Settings

* [x] Enable runner instances
* [x] Enable stale cleanup

</td>
<td>

Runner Settings

* [x] View Project Runners
* [x] View Instance Runners
* Project Runner
  * [x] Create runner
  * [x] Remove runner
  * [x] Pause runner
* Configuration
  * [x] Enable instance runners
  * [x] Disable group runners

Pipelines View

* [x] Clear Cache

</td>
</tr>
</table>

* API for reference
  1. https://docs.gitlab.com/ee/api/runners.html
  2. https://docs.gitlab.com/ee/api/graphql/reference/#queryrunner and more

Views+Workflows include:

- [ ] Base + permission: Can see Group -> Build -> Runners
- [ ] Base + permission: Can see Group -> Build -> Create Runner
- [ ] Base + permission: Can see Group -> Build -> View Runner Details
- [ ] Base + permission: Can see Group -> Settings > CI/CD > Runners
- [ ] Base + permission: Can see Projects -> Settings > CI/CD > Runners
- [ ] Base + permission: Can see Projects -> Pipelines > Clear Runner Cache

### Documentation

* [ ] Permission Title: `Manage Runners`
* [ ] Permission Description: `Create, view, edit, and delete group or project Runners. Includes configuring Runner settings.`
* [ ] Update prerequisites for [Manage Runner Documentation](https://docs.gitlab.com/ee/ci/runners/runners_scope.html), [Configure Runners](https://docs.gitlab.com/ee/ci/runners/configure_runners.html), [Tutorials](https://docs.gitlab.com/ee/tutorials/automate_runner_creation/) with:
  * [ ] Update group prerequisites: `You must have the Owner role for the group or custom role with the permission "admin_runners"`
  * [ ] Update project prerequisites: `You must have the Maintainer role for the project or custom role with the permission "admin_runners"`

### Evidence

* https://gitlab.com/gitlab-org/gitlab/-/issues/391760#note_1563798208
* https://gitlab.com/gitlab-org/gitlab/-/issues/391760#note_1713157342
* https://gitlab.com/gitlab-org/gitlab/-/issues/391760#note_1579653185
* https://gitlab.com/gitlab-org/gitlab/-/issues/391760#note_1345654387
* https://gitlab.com/groups/gitlab-org/-/epics/4035#note_1339256544
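
The scoping rules from the Proposal section, modeled as an added example (not GitLab's code and not part of the original issue). The action names, the `Grant` class and both functions are hypothetical, and the reach of a group-level grant into projects inside the group is an assumption based on the waterfall model.

```python
"""Toy model of the admin_runners scoping rules (illustrative, not GitLab code)."""
from dataclasses import dataclass

# Hypothetical action names, taken from checked items in the proposal's table.
GROUP_ACTIONS = {"create_group_runner", "edit_runner", "delete_runner",
                 "view_runner_details", "list_runners", "enable_stale_cleanup"}
PROJECT_ACTIONS = {"create_project_runner", "remove_runner", "pause_runner",
                   "enable_instance_runners", "disable_group_runners",
                   "clear_runner_cache"}


@dataclass(frozen=True)
class Grant:
    """A custom role carrying admin_runners, assigned at one namespace."""
    level: str  # "group" or "project": where the role was assigned
    path: str   # full path, e.g. "acme/platform" (constructed sample value)


def is_within(ancestor: str, path: str) -> bool:
    """Segment-aware ancestry: 'acme/plat' must not cover 'acme/platform'."""
    return path == ancestor or path.startswith(ancestor.rstrip("/") + "/")


def allowed(grant: Grant, action: str, target_level: str, target_path: str) -> bool:
    """Return True only if the grant permits `action` on the target."""
    if target_level == "group":
        # Group actions need a group-level grant on that group or an ancestor.
        return (grant.level == "group" and action in GROUP_ACTIONS
                and is_within(grant.path, target_path))
    if target_level == "project":
        if action not in PROJECT_ACTIONS:
            return False
        if grant.level == "project":
            # Project-level grant: that one project only, never its siblings.
            return grant.path == target_path
        # Assumption: the waterfall reaches projects inside the group.
        return is_within(grant.path, target_path)
    return False  # unknown target kind: deny by default
```

Anything outside the two action sets, such as editing other group or project settings, is denied, which is the least-privilege outcome the issue is asking for.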