Admin account should have an option to escalate permissions
It was proposed here: https://gitlab.com/gitlab-org/gitlab-ce/issues/31564 and later raised here: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/11398#note_30351325.
And we had a good discussion with @DouweM about it.
It seems that our permission model for Admin accounts is very open, where admins are a special type of accounts.
Currently, admin account does have access to whole GitLab and is especially susceptible to any attacks that are targeted on admins.
Maybe we should consider changing how Admin accounts do work? If we would make Admin accounts to behave as regular accounts but have an option to escalate permissions on-demand, instead of being as default this would allow us to slightly simplify the architecture of our permission model, but also increase the security of GitLab.
This could work by requiring the admin to do the operation similar to sudo
, where he has to confirm that operation with password/2FA. In regular use, the admin would be a regular account.