Move Self-Managed Custom Role Definition to Instance Level
### Background

Today, for self-managed, custom roles are defined at the group level. It is desired to have custom roles defined at the instance level so that there is one centralized place for an instance admin to create and manage custom roles.

### Proposal

Move customizable roles to instance level. Migrate any existing self-managed customizable roles to instance level.

Includes this issue: https://gitlab.com/gitlab-org/gitlab/-/issues/423755+

**Migration Proposal**

<table>
<tr>
<th>Database/Configuration/API</th>
<th>Before 17.0</th>
<th>After 17.0</th>
</tr>
<tr>
<td>Roles</td>
<td>Root Group Level</td>
<td>Instance Level</td>
</tr>
<tr>
<td>Role name</td>
<td>

</td>
<td>

Migrated names: \<role_name\> (\<group_name\> - \<group_id\>)

Example: Incident Manager (GroupA - 12)

</td>
</tr>
<tr>
<td>SAML Link</td>
<td>

</td>
<td>Migrated custom roles will continue to function with SAML integration</td>
</tr>
<tr>
<td>API Endpoint</td>
<td>

* List all member roles on the group - `GET /api/v4/groups/:id/member_roles`
* Add a member role to the group - `POST /api/v4/groups/:id/member_roles`
* Remove member role of the group - `DELETE /api/v4/groups/:id/member_roles/:member_role_id`

</td>
<td>

* List all member roles on the instance - `GET /api/v4/member_roles`
* Add a member role to the instance - `POST /api/v4/member_roles`
* Remove member role of the instance - `DELETE /api/v4/member_roles/:id`

</td>
</tr>
</table>

**Feature/Functionality Proposal**

| Permission | Before 17.0 | After 17.0 |
|------------|-------------|------------|
| CRUD on Custom Role objects | Available for both admin and group owners | Admins only |
| Assign users | Available for both admin and group owners | No change |

| UI | Before 17.0 | After 17.0 |
|----|-------------|------------|
| Settings | Ability to manage roles from admin settings and root group settings | Ability to manage roles only in admin settings. |
| Assign users | Available for both admin and group owners | No change |

Deprecation Issue: https://gitlab.com/gitlab-org/gitlab/-/issues/439284+

## References

This came up in a [Slack conversation](https://gitlab.slack.com/archives/D04D5FH7JJJ/p1693418326925549)