Add "Manage CI/CD Variables" as a custom permission
### Release notes
The Owner role is required to manage group CI/CD variables or Maintainer+ for project variables which can lead to an over privileged user. With the release of this permission, you can create a custom role and set the permission specifically on the user to manage CI/CD variables.
### Problem to solve
As organizations add users to their groups and projects, they are often forced to escalate privileges to achieve a specific permission. In this case, teams have to promote users to "Owner" for group variable management or developers-\>maintainers to project variable management.
This often leads to users in organizations escalating privileges only to manage single resource. Another side effect is members in an organization tracking down maintainers or owners to modify these settings. Allowing organizations to be selective of who can manage these variables will mitigate risk and speed up their process.
### User experience goal
1. When creating a role, any base can be selected. A new permission is available and labeled as "Manage CI/CD Variables".
2. This role will allow a team member to edit `CI/CD variables` depending on how the role is targeted. When "Target" is referenced, this implies if the role is assigned on the group or project level.
3. If the user role is targeted at the group level, they will be able to edit group `CI/CD variables` and its subgroup+projects `CI/CD variables`. This continues to follow the waterfall permission model.
4. If the user role is targeted at the project level, they can only edit `CI/CD variables` for the project.
### Proposal
- [ ] Add a new permission called `cicd_variables_manage`
- [ ] Scope includes CI/CD variables at the group level. The user can create, edit, view, and delete these variables. This will only display if the role is targeted at the group level.
- [ ] Scope include CI/CD variables at the project level. The user can create, edit, view, and delete these variables. This will display if the role is targeted at the higher group level OR at the current project.
- [ ] This does not include instance variables.
- [ ] Documentation to available permissions.
API:
- REST - Project Level Variables: https://docs.gitlab.com/ee/api/project_level_variables.html
- REST - Group Level Variables: https://docs.gitlab.com/ee/api/group_level_variables.html
- GraphQL - Project Level Variables: https://docs.gitlab.com/ee/api/graphql/reference/#ciprojectvariable
- GraphQL - Group Level Variables: https://docs.gitlab.com/ee/api/graphql/reference/#cigroupvariable
UI
- Under group settings, they can only view CI/CD -\> "Variables" section.
- Under project settings, they can only view CI/CD -\> "Variables" section.
### Intended users
* [Sasha, Software Developer](https://handbook.gitlab.com/handbook/product/personas/#sasha-software-developer)
* [Rachel, Release Manager](https://handbook.gitlab.com/handbook/product/personas/#rachel-release-manager)
* [Priyanka, Platform Engineer](https://handbook.gitlab.com/handbook/product/personas/#priyanka-platform-engineer)
* [Sidney, Systems Admin](https://handbook.gitlab.com/handbook/product/personas/#sidney-systems-administrator)
### Related issues
- https://gitlab.com/gitlab-org/gitlab/-/issues/421795
### Does this feature require an audit event?
This should be captured under a [custom role change.](https://gitlab.com/gitlab-org/gitlab/-/issues/427954 "Audit Assignment of Role to User (change of roles OR new role)")
## Evidence
* https://gitlab.com/gitlab-org/gitlab/-/issues/391760#note_1579653185
* https://gitlab.com/gitlab-org/gitlab/-/issues/391760#note_1497709588
* https://gitlab.com/gitlab-org/gitlab/-/issues/391760#note_1563798208
* https://gitlab.com/gitlab-org/gitlab/-/issues/391760#note_1345482680
* https://gitlab.com/gitlab-org/gitlab/-/issues/391760#note_1498560108
* https://gitlab.com/gitlab-org/gitlab/-/issues/391760#note_1550198109
_This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc._
<!-- triage-serverless v3 PLEASE DO NOT REMOVE THIS SECTION -->
*This page may contain information related to upcoming products, features and functionality.
It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes.
Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.*
<!-- triage-serverless v3 PLEASE DO NOT REMOVE THIS SECTION -->
epic