Custom Admin Role - Beta
Organizations often have support teams who need read access to the Admin Area to do their job but must not have admin write access. Without a read-only option, every such request becomes a bottleneck that slows work velocity, and it also affects compliance, because the organization has to run a break-glass procedure to grant the user access. In response, we created an admin role that customers can customize to their specific permissions threshold. The Authorization team will build on the experiment release to make the role more robust, with additional granular permissions and an associated UI.

## Problem to solve

Expand the feature from the [experimental work](https://gitlab.com/groups/gitlab-org/-/epics/15854) to make the Admin Custom Role more robust, with granular permissions and a UI.

See the development guidelines for beta: https://docs.gitlab.com/ee/policy/experiment-beta-support.html#beta

## Scope

As a user, I expect to be able to:

- Create a Custom Admin Role in the UI and set its permissions.
- View the Admin Custom Role in the Roles and Permissions table, through both the API and the UI.
- Have an audit event recorded when an Admin Custom Role is assigned to a user.
- Set LDAP Admin Sync on users.
- Break out granular permissions, including `read_admin_users`, `read_admin_monitoring`, `read_admin_cicd`, and `read_admin_subscription`.

Internally, this capability is:

- Tested by the GitLab Security Department.
- Promoted in a blog post for awareness.

## Prerequisites

In order to use this feature, I must:

* Be on the Ultimate plan.
* Have enabled the feature flag to test the experimental role.
## Permissions

All of these permissions are read-only; none of them grants write access. Paths are relative to the Admin Area (`/admin`).

| Permission | Description |
|---|---|
| `read_admin_dashboard` | Dashboard statistics. **Available by default** in every custom admin role. |
| `read_admin_users` | View users and user details: `/users` |
| `read_admin_monitoring` | Read-only monitoring views: `/system_info`, `/background_migrations`, `/health_check`, `/audit_logs`, `/gitaly` |
| `read_admin_cicd` | View runners and jobs in the Admin Area: `/runners`, `/jobs` |
| `read_admin_subscription` | View subscription details in the Admin Area: `/subscription` |
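The security property worth verifying before a custom admin role goes to production is that each granted permission unlocks exactly the routes in the table and never a write. The following is an added example, not GitLab code or anything from this epic: a small Python oracle that encodes the table as data and produces a least-privilege test matrix to replay against an instance with a token for a user holding exactly those permissions. The `/admin/...` prefixes follow from the table's Admin Area paths; the rule that a read permission only ever authorises `GET`/`HEAD`, the negative-probe path `/admin/application_settings`, and the function names are assumptions made for the example.

```python
"""Expected-access oracle for the read-only Admin Area permissions on this page.

Added illustration, not GitLab's own authorization code.  The permission ->
path mapping is taken from the page's table (paths are relative to the Admin
Area, so "/users" becomes "/admin/users"); the rule that a read permission
only ever authorises safe HTTP methods, and the negative-probe path, are
assumptions used to build a least-privilege test matrix.
"""
from __future__ import annotations

# Dashboard statistics: available to every custom admin role by default.
DASHBOARD_PATH = "/admin"

# Granular read permissions and the Admin Area routes each one unlocks.
PERMISSION_PATHS: dict[str, tuple[str, ...]] = {
    "read_admin_users": ("/admin/users",),
    "read_admin_monitoring": (
        "/admin/system_info",
        "/admin/background_migrations",
        "/admin/health_check",
        "/admin/audit_logs",
        "/admin/gitaly",
    ),
    "read_admin_cicd": ("/admin/runners", "/admin/jobs"),
    "read_admin_subscription": ("/admin/subscription",),
}

# Assumption: a read permission never authorises a state-changing method.
SAFE_METHODS = frozenset({"GET", "HEAD"})

# Assumption: a write-capable area that no read permission should reach;
# used only as a negative probe in the matrix.
NEGATIVE_PROBE_PATH = "/admin/application_settings"


def _covers(prefix: str, path: str) -> bool:
    """True when path is prefix itself or nested below it (/admin/users/42)."""
    return path == prefix or path.startswith(prefix + "/")


def expected_access(granted: set[str], method: str, path: str) -> str:
    """Return "allow" or "deny" for one request under a set of granted permissions.

    Unknown permission names are ignored rather than trusted, any unsafe
    method is denied regardless of permissions, and the dashboard permission
    is always in effect but only for the dashboard itself, not as a prefix
    covering the whole Admin Area.
    """
    if method.upper() not in SAFE_METHODS:
        return "deny"
    if path.rstrip("/") == DASHBOARD_PATH:
        return "allow"
    for perm in granted.intersection(PERMISSION_PATHS):
        if any(_covers(prefix, path) for prefix in PERMISSION_PATHS[perm]):
            return "allow"
    return "deny"


def probe_matrix(granted: set[str]) -> list[tuple[str, str, str]]:
    """Every (method, path, expected) probe to replay against a real instance
    using a token of a user who holds exactly these permissions."""
    paths = sorted({p for ps in PERMISSION_PATHS.values() for p in ps}
                   | {DASHBOARD_PATH, NEGATIVE_PROBE_PATH})
    return [(method, path, expected_access(granted, method, path))
            for path in paths
            for method in ("GET", "POST", "PUT", "DELETE")]


if __name__ == "__main__":
    # Constructed role: support staff who may inspect users and CI/CD only.
    for method, path, expected in probe_matrix({"read_admin_users", "read_admin_cicd"}):
        print(f"{expected:5} {method:6} {path}")
```

Any probe where the instance's actual status disagrees with the oracle (a `200` on a row the oracle marks `deny`, or on a `POST`) is a finding: either the role grants more than the table documents, or the test's assumptions about the instance are wrong and need to be revisited before the role is rolled out.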