Allow admins to mark Users as service users
Problem to solve
Currently the app is unable to distinguish between Users intended to represent humans, and Users intended to represent bots and other automated entities. GitLab EE has a concept of User#bot_type
, but currently that only distinguishes GitLab-specific bots. Admin-created service users, like GitLab's own @gitlab-bot, look just like ordinary Users to the app. That is a problem for features like Code Review Analytics, which is currently unable to ignore custom bot "service user" comments as it needs to.
Adding a "service user" flag is also the first step toward other features, including:
- ignoring service users in licensing
- making bot activity visually distinct from human activity
- improving security by making service user accounts more restricted
Proposal
For all paid tiers (Bronze/Starter tiers and above):
- There is a checkbox for "Service User" on the admin User creation page (/admin/users/new)
- Service Users cannot have DeployKeys or DeployTokens
- GitLab bots are considered service users
For example:
Out of scope
The API is out of scope, because only one mechanism is necessary for an MVC and the API would probably be used much less often than the admin area. The spec for the API would be: A boolean attribute for service_user
is accepted when creating (POST /api/v4/users) or updating (PUT /api/v4/users/:id) a User (documentation).
Permissions and Security
Admin permissions are required to create a service_user
or mark an existing User as a service_user
. This is consistent with the existing permissions.
Documentation
2020-01-23 updated by @djensen to switch bot
to service_user
and specify tiers.
2020-01-24 updated by @djensen to switch "Account" section to "Access" section and describe other use cases.