Collect all codebase locations that need to consider DAP role-based permissions
## Summary

This issue serves as a collection point for identifying all locations in the codebase that need to consider and use the new DAP (Duo Agent Platform) role-based permissions for agents and flows.

## Background

As part of implementing the role-based permissions defined in #578270, we need to systematically identify and catalog all code locations that currently handle or will need to consider DAP role-based permissions for:

- **Manage** actions (Create, Duplicate, Edit, Delete)
- **Run** actions (executing agents/flows)

## Related Issues

- Parent issue: #578270 - Permissions Model for GitLab Duo Automate (Agents & Flows)
- Related Epic: Agent Identity Epic #19478

## Permission Summaries

Summaries of existing `execute` permissions and related authorization checks for DAP features when accessed through the **GitLab UI**:

1. [Flow Triggers](https://gitlab.com/gitlab-org/gitlab/-/issues/578370#note_2867682504)
2. [Agentic Chat](https://gitlab.com/gitlab-org/gitlab/-/issues/578370#note_2867682504)
3. [Built-in Flows](https://gitlab.com/gitlab-org/gitlab/-/issues/578370#note_2868088458)

> [!note]
>
> These summaries are based on investigation and testing the DAP feature in the GitLab UI. IDE-based execution may follow similar flows; this requires further verification and is not covered in these summaries.

Summary for existing `manage` permissions:

1. [Manage permissions](https://gitlab.com/gitlab-org/gitlab/-/issues/578370#note_2873758537)

## Areas to Investigate

### Frontend Components

- [ ] Agent/Flow listing pages
- [ ] Agent/Flow creation forms
- [ ] Agent/Flow editing interfaces
- [ ] Agent/Flow execution triggers
- [ ] Automate menu visibility
- [ ] Flow trigger management UI
- [ ] Service account selection dropdowns

### Backend Controllers/APIs

- [ ] Agent CRUD operations
- [ ] Flow CRUD operations
- [ ] Flow execution endpoints
- [ ] Service account management
- [ ] Project/Group automate settings
- [ ] GraphQL resolvers for DAP

### Authorization/Policy Classes

- [ ] Agent policies
- [ ] Flow policies
- [ ] Service account policies
- [ ] Project/Group DAP policies
- [ ] Flow trigger policies

### Database/Models

- [ ] Agent model permissions
- [ ] Flow model permissions
- [ ] Service account associations
- [ ] Project/Group DAP settings
- [ ] User role intersections

### Configuration Files

- [ ] Feature flag configurations
- [ ] Route definitions
- [ ] Navigation menu configurations
- [ ] Role-based permission matrix definitions

## Collection Format

For each location found, please add a comment with:

```
**Location**: `path/to/file.rb:line_number`
**Component**: [Frontend/Backend/Policy/Model/Config]
**Action**: [Manage/Run]
**Current Implementation**: Brief description of current logic
**Required Changes**: What needs to be updated to consider role-based permissions
**Priority**: [High/Medium/Low]
```

## Search Patterns

Use these patterns to help identify relevant code locations:

- `duo_agent`, `duo_workflow`, `agent_platform`
- `flow_trigger`, `service_account`
- `automate`, `DAP`
- Permission checks: `can?`, `allowed?`, `authorize!`
- Role checks: `maintainer?`, `developer?`, `owner?`

## Next Steps

1. [ ] Conduct systematic codebase search using patterns above
2. [ ] Document all findings in comments below
3. [ ] Categorize findings by priority and complexity
4. [ ] Create individual implementation issues for each area
5. [ ] Estimate effort for each change

## Acceptance Criteria

- [ ] All current DAP role-based permission-related code locations are identified
- [ ] Each location is documented with required changes to consider role-based permissions
- [ ] Findings are prioritized and categorized
- [ ] Implementation issues are created for each major area
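One way to run the search from "Search Patterns" and pre-fill the "Collection Format" comment, as an added example that is not part of the original issue or GitLab's tooling: it reports every permission or role check in any file that mentions a DAP term. The function names, the file-suffix filter and the guard that stops `LDAP` matching `DAP` are assumptions of this sketch.

```python
import re
import sys
from pathlib import Path

# Terms from the issue's "Search Patterns" list. The lookbehind on DAP is an
# added guard (assumption) so that "LDAP" is not reported as a DAP reference.
DAP_TERMS = re.compile(
    r"duo_agent|duo_workflow|agent_platform|flow_trigger|service_account"
    r"|automate|(?<![A-Za-z])DAP"
)
CHECKS = {
    "permission check": re.compile(r"\b(?:can\?|allowed\?|authorize!)"),
    "role check": re.compile(r"\b(?:maintainer\?|developer\?|owner\?)"),
}
SOURCE_SUFFIXES = {".rb", ".js", ".vue", ".yml"}  # assumption: adjust to the repo


def scan(root):
    """Return (path, line_number, kind, source_line) for checks in DAP-related files."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix not in SOURCE_SUFFIXES:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        if not DAP_TERMS.search(text):
            continue  # no DAP context anywhere in this file
        for number, line in enumerate(text.splitlines(), start=1):
            for kind, pattern in CHECKS.items():
                if pattern.search(line):
                    rel = path.relative_to(root).as_posix()
                    findings.append((rel, number, kind, line.strip()))
    return findings


def as_comment(finding):
    """Render one finding in the Collection Format; judgement fields stay TODO."""
    path, number, kind, line = finding
    return "\n".join([
        f"**Location**: `{path}:{number}`",
        "**Component**: TODO",
        "**Action**: TODO",
        f"**Current Implementation**: {kind}: `{line}`",
        "**Required Changes**: TODO",
        "**Priority**: TODO",
    ])

if __name__ == "__main__":
    for found in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(as_comment(found), end="\n\n")
```

The DAP match is per file rather than per line, so checks that sit a few lines away from the DAP term are still listed; expect false positives that a reviewer discards when filling in the TODO fields.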