Granular permissions for the Admin Area
### Problem to solve
Organizations often have support teams who need read access to the Admin Area to do their job but should not have admin write access. Without a read-only option this creates a bottleneck that slows work velocity and leads to inefficiencies. It can also affect compliance, because organizations must run a break-glass procedure to grant the user full admin access.
### Proposal
Expand custom roles to support a "Custom Admin Role". Its permissions include both read and write and apply only to the Admin Area, not to groups and projects.
### Use cases for access
* View runners and jobs to troubleshoot.
* View subscription/billing to see count of users.
* View list of users and user details to understand access challenges.
* View monitoring details such as background migrations.
* View application settings to troubleshoot.
* Change specific application or instance settings.
### Security model
GitLab has 3 access types that can be assigned to a user on self-managed: regular user, auditor, and administrator. A regular user or auditor user can additionally be assigned a custom admin role for the Admin Area.
<table>
<tr>
<th>Access</th>
<th>Regular User</th>
<th>Auditor</th>
<th>Administrator</th>
</tr>
<tr>
<td>Groups and projects</td>
<td>Access by member role</td>
<td>Read all groups and projects<br>Write permissions by member role</td>
<td>Full access</td>
</tr>
<tr>
<td>Admin Area</td>
<td>Default: No access<br><strong>Custom admin role:</strong> Can read metadata based on X permission. Access to groups and projects from the Admin Area based on member role.*</td>
<td>Default: No access<br><strong>Custom admin role:</strong> Can read metadata based on X permission. Access to groups and projects from the Admin Area based on Auditor access.**</td>
<td>Full access</td>
</tr>
</table>
\* A regular user assigned a custom admin role with `read_admin_cd` can see all runner and job metadata in the Admin Area. They can only click into the metadata of groups and projects they already have access to as a member.
\*\* An auditor user assigned a custom admin role with X permissions can see, in the Admin Area, all metadata of all groups and projects related to those permissions. They can also access the contents of groups and projects based on the auditor permissions.
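The access matrix and the two footnotes above, modelled as a small policy check. This is an added example, not GitLab's own authorization code: the class and method names, the `sample_users` data and the `:write_admin_settings` permission are assumptions; only the three access types and the `read_admin_cd` permission come from the epic. The point it shows is that a custom admin role grants Admin Area metadata access, while opening a group or project from that list is still decided by the user's instance access type.

```ruby
require 'set'

# Instance access types from the security-model table.
ACCESS_TYPES = %i[regular auditor administrator].freeze

# A user with an instance access type, the permissions granted by an
# (optional) custom admin role, and the group/project paths they are a member of.
class User
  attr_reader :name, :access_type, :admin_permissions, :memberships

  def initialize(name, access_type, admin_permissions: [], memberships: [])
    raise ArgumentError, "unknown access type: #{access_type}" unless ACCESS_TYPES.include?(access_type)

    @name = name
    @access_type = access_type
    @admin_permissions = Set.new(admin_permissions)
    @memberships = Set.new(memberships)
  end
end

module AdminAreaPolicy
  module_function

  # Read or write an Admin Area resource. Administrators have full access;
  # everyone else needs the matching permission from a custom admin role.
  # Permission names are opaque here: :read_admin_cd is named in the epic,
  # any write permission name used with this check is hypothetical.
  def allowed?(user, permission)
    return true if user.access_type == :administrator

    user.admin_permissions.include?(permission)
  end

  # Clicking through from an Admin Area list into a group or project.
  # The custom admin role only makes the list metadata visible; whether the
  # group/project itself can be opened follows the footnotes:
  #   regular user  -> only where they hold a member role
  #   auditor       -> read access to all groups and projects
  #   administrator -> full access
  def can_open_from_admin_area?(user, path, via:)
    return false unless allowed?(user, via)

    case user.access_type
    when :administrator then true
    when :auditor       then true
    when :regular       then user.memberships.include?(path)
    end
  end
end

# Constructed sample users for illustration (not real accounts).
def sample_users
  {
    support: User.new('support-regular', :regular,
                      admin_permissions: [:read_admin_cd], memberships: ['group-a/app']),
    auditor: User.new('support-auditor', :auditor, admin_permissions: [:read_admin_cd]),
    plain:   User.new('plain-user', :regular, memberships: ['group-a/app']),
    admin:   User.new('root', :administrator)
  }
end

if $PROGRAM_NAME == __FILE__
  paths = ['group-a/app', 'group-b/secret']
  sample_users.each_value do |u|
    puts "#{u.name} (#{u.access_type})"
    puts "  read Admin Area CI/CD metadata: #{AdminAreaPolicy.allowed?(u, :read_admin_cd)}"
    paths.each do |p|
      puts "  open #{p} from Admin Area: #{AdminAreaPolicy.can_open_from_admin_area?(u, p, via: :read_admin_cd)}"
    end
  end
end
```

Running the file prints the decision for each sample user: the regular support user can read the runner list but only opens `group-a/app`, the auditor opens both, the plain user (no custom admin role) gets nothing from the Admin Area, and the administrator gets everything.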
### Iterations
* [Experimental - Custom Admin Role](https://gitlab.com/groups/gitlab-org/-/epics/15854) (Complete)
* [Beta - Custom Admin Role](https://gitlab.com/groups/gitlab-org/-/epics/15956) (Complete)
* [GA - Custom Admin Role](https://gitlab.com/groups/gitlab-org/-/epics/15957) (Complete in 18.3)
### Design
https://gitlab.com/gitlab-org/gitlab/-/issues/502203+
### Intended users
* [Sidney (Systems Administrator)](https://handbook.gitlab.com/handbook/product/personas/#sidney-systems-administrator)
* [Priyanka (Platform Engineer)](https://handbook.gitlab.com/handbook/product/personas/#priyanka-platform-engineer)
* [Cameron (Compliance Manager)](https://handbook.gitlab.com/handbook/product/personas/#cameron-compliance-manager)
### What is the type of buyer?
~"GitLab Ultimate"
### Dogfooding Opportunity
The [support team leverages admin access](https://handbook.gitlab.com/handbook/support/) for GitLab.com. These permissions may reduce the number of support members who need these elevated privileges.
### Reviewed by:
* [x] Security
* [x] Fulfillment (Billing)
### Success Metrics
* Reduce the number of fully privileged admins on Ultimate namespaces by 25% month over month