Granular permissions for Job Tokens - Experiment Phase
The Authorization group will be working on Token Permissions. The team is targeting the [experimental release](https://gitlab.com/groups/gitlab-org/-/epics/15234) of Job Token Permissions in 17.8 so project maintainers can reduce access in their CI/CD workflows. Final work includes viewing the [permissions in the allow list](https://gitlab.com/gitlab-org/gitlab/-/issues/502305), [setting the permissions](https://gitlab.com/gitlab-org/gitlab/-/issues/502304) in the UI, and [toggling between permission modes](https://gitlab.com/gitlab-org/software-supply-chain-security/authorization/team-tasks/-/issues/98).
Experimental Phase
* A JWT token is generated with granular scopes and replaces the previous token type.
* A user can either select default or opt-in with fine-grained permissions when adding a group or project.
* A user can scope down the access that is allowed by the group or project and resources it can reach.
* View permissions on the allow list that are associated with the group or project.
* Audit event when permissions are changed.
* Permissions support include those that are available today: https://docs.gitlab.com/ee/ci/jobs/ci_job_token.html#job-token-feature-access
This sets the foundation to resolve https://gitlab.com/groups/gitlab-org/-/epics/3559+ by:
* Offering the ability to scope down the resource access of what the job token can reach instead full role access of the user. This significantly reduces the access, security risk, and potential for misconfiguration.
* In the beta phase, documentation will be available on how to add and contribute permissions to this model.
epic