SAST False Positive Detection – Backend – Extend permission to Security Manager for False Positives
# TL;DR

Allow Security Managers to update `duo_sast_fp_detection_enabled`.

## Acceptance Criteria

- [x] A feature flag is created called `update_false_positive_detection_setting_permission`
- [ ] A Security Manager can update `duo_sast_fp_detection_enabled` via REST `PUT /projects/:id` without holding the Maintainer/Owner role
- [ ] A Security Manager can update `duo_sast_fp_detection_enabled` via the GraphQL `projectSettingsUpdate` mutation without holding the Maintainer/Owner role
- [ ] Users without the permission receive a 403 or 404 error
- [ ] The setting is included in the `sec_ai_workflow_setting_in_params?` check

## Implementation Details

**Files to modify:**

| File | Change |
|------|--------|
| `ee/app/controllers/ee/projects_controller.rb` | Add `duo_sast_fp_detection_enabled` to the `sec_ai_workflow_setting_in_params?` method |
| `ee/app/services/ee/projects/update_service.rb` | Add FP authorization logic similar to `remove_unauthorized_duo_sast_vr_workflow_enabled` |
| `ee/app/graphql/mutations/projects/project_settings_update.rb` | Allow the FP setting for Security Managers (extend the `args.keys` check) |
| `ee/spec/controllers/ee/projects_controller_spec.rb` | Add tests for `duo_sast_fp_detection_enabled` |
| `ee/spec/services/projects/update_service_spec.rb` | Add FP setting tests |
| `ee/spec/graphql/mutations/projects/project_settings_update_spec.rb` | Add tests for the FP setting |

**Reference implementation:** See !239266 for the exact pattern used for SAST VR.

## Testing Approach

- [ ] Unit tests for controller, service, GraphQL mutation
- [ ] Integration tests for permission checks
- [ ] Manual validation steps:
  1. Start GDK with `GITLAB_SECURITY_MANAGER_ROLE=true`
  2. Enable feature flags: `update_sast_vr_setting_permission`
  3. Add a user as Security Manager on a project
  4. Verify the Security Manager can toggle `duo_sast_fp_detection_enabled` via API
  5. Verify a non-Security Manager gets 403

## Estimate
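The authorization pattern the implementation table describes (strip a setting from the update params unless the actor holds a role allowed to change it, gated by a feature flag) can be sketched in plain Ruby. This is an added, self-contained example and not GitLab's own code: only the setting key `duo_sast_fp_detection_enabled`, the flag `update_false_positive_detection_setting_permission` and the method name `sec_ai_workflow_setting_in_params?` come from the issue; the role symbols, `can_update_fp_setting?`, `remove_unauthorized_fp_setting` and `simulate_update` are hypothetical stand-ins, and the 403 outcome is the constructed behaviour for a request that only touches a setting the actor may not change.

```ruby
# Setting key and feature flag named in the issue.
FP_SETTING = :duo_sast_fp_detection_enabled
FP_FLAG    = :update_false_positive_detection_setting_permission

# Constructed role model: Maintainer/Owner may always change the setting;
# Security Manager may do so only while the feature flag is enabled.
PRIVILEGED_ROLES = %i[maintainer owner].freeze

# Hypothetical ability check. `flags_enabled` stands in for GitLab's Feature
# flag lookup and is just a list of enabled flag symbols here.
def can_update_fp_setting?(role, flags_enabled)
  return true if PRIVILEGED_ROLES.include?(role)

  role == :security_manager && flags_enabled.include?(FP_FLAG)
end

# Mirrors the "remove_unauthorized_..." pattern from the update service:
# drop the FP key from the params when the actor lacks the permission,
# leaving every other param untouched so the rest of the update proceeds.
def remove_unauthorized_fp_setting(params, role, flags_enabled)
  return params if can_update_fp_setting?(role, flags_enabled)

  params.reject { |key, _| key == FP_SETTING }
end

# Controller-side check from the issue. Only the FP key is modelled; the
# real method covers the other Duo SAST workflow settings as well.
def sec_ai_workflow_setting_in_params?(params)
  params.key?(FP_SETTING)
end

# Constructed outcome: if the request carried an AI workflow setting and
# nothing is left to apply after stripping, the caller is unauthorized (403);
# otherwise the permitted params are applied (200).
def simulate_update(params, role, flags_enabled)
  permitted = remove_unauthorized_fp_setting(params, role, flags_enabled)

  if permitted.empty? && sec_ai_workflow_setting_in_params?(params)
    { status: 403, applied: {} }
  else
    { status: 200, applied: permitted }
  end
end

if __FILE__ == $PROGRAM_NAME
  flags = [FP_FLAG]
  p simulate_update({ FP_SETTING => true }, :security_manager, flags)
  p simulate_update({ FP_SETTING => true }, :security_manager, [])
  p simulate_update({ FP_SETTING => true, name: 'renamed' }, :developer, flags)
end
```

The last call shows why stripping rather than rejecting the whole request matters: a Developer renaming the project still succeeds, only the setting they are not allowed to change is silently dropped, which is the behaviour the spec files listed above would pin down.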