►
Description
See related epic for more details. https://gitlab.com/groups/gitlab-org/-/epics/6777
A
There
we
go
so
just
to
kind
of
catch.
You
upstream,
I
don't
know
if
you
how
much
you've
seen
of
this
or
not,
but
this
is
like
another
iteration
of
the
of
the
service
accounts
system
that
I'm
making,
and
I
wanted
to
get
your
input
to
see
if
you
had
any
insight
on
the
technical
constraints
or
whatever
we're
missing,
and
I've
already
gotten
some
feedback
from
stakeholders
on
this.
B
B
A
A
This
could
be
subgroup
or
anything
so
ignore
that
this
is
an
architectural
or
a
logical
organizational
system.
This
is
just
an
example,
so,
theoretically
yeah
you
could
do
it
at
the
very
top
level
in
a
self-managed
environment,
which
would
be
the
instance
and
that
would
work
across
the
entire
organization.
C
C
A
A
A
So
the
idea
would
be
that
you
would
create
it,
get
a
name,
give
an
avatar
an
access
role
and
then
the
type
of
token
ignore
skim.
Token
that's
going
to
be
removed
from
this,
but
right
now
the
iteration
is
being
able
to
create
an
access
token
or
deploy
token,
and
then
you
would
change
the
scopes
based
off
of
whatever
you're
trying
to
do.
A
B
A
A
A
We
would
just
create
a
token
and
presumably
would
pick
a
scope,
and
that
would
define
whatever
parameters
it
would
have.
Access
to
the
question
is:
what's
more
complicated,
doing
the
unification
and
breaking
all
the
current
examples
of
the
tokens
or
iterating
on
the
current
features
that
we
have
right
now
allowing
for
this
feature
and
then
just
proceeding
as
like
the
first
mvc,
with
the
caveat
that
I'm
not
sure
how
this
would
work
in
creating
an
access
token,
which
actually
doesn't
generate
a
token
like
I
said
it
generates
a
user.
B
I
think
unifying
the
tokens
would
be
a
lot
more
complex
than
just
iterating
on
our
current,
like
project
bots
and
like
project
access
token.
B
Behavior,
I
think
I
found
a
comment
from
emray
that
I
can
dig
up
and
link
to
you.
Okay,
that
we
could
potentially
reuse
a
lot
of
the
project
bot
logic
when
we
start
implementing
service
accounts,
because
there
are
a
lot
of
things
that
are
pretty
useful
when
it
comes
to
project
bots.
For
example,
it's
not
counted
as
a
licensed
seat.
The
bot
isn't
able
to
log
into
the
system.
It's
like
automatically
added
to
the
project
as
like
a
member,
something,
for
example,.
B
Right
now,
the
thing
limiting
us
from
using
project
bots
as
a
service
account
is
that
project
bots
can't
really
have
multiple
project
access
tokens
within
the
same
project,
at
least.
B
A
B
Is
possible
to
add
it
through
the
rails
console
and
if
we
just
you
know
fiddle
with
some
of
the
code,
I
think
it
would
be
possible
for
a
project
bot
to
have
multiple
project
access
tokens.
A
B
A
So
I've
created
in
the
past
access
tokens
with
this
process.
I
don't
think.
A
A
So
in
this
prototype
the
iteration
would
still
exist
where
you
have
this
yes
screen,
but
the
caveat
is
that
it
now
creates
a
member
or
a
bot.
Well,
this
finishes
compiling
yeah,
but
my
question
is
that
let's
go
back
here,
yes,
so
the
idea
that
I
had
was
that
we
would
actually
have
a
separate
section.
That
would
say
service
accounts
because
currently
it
lives
in
the
members
screen
and
we
wanted
to
try
and
help
separate
the
logic
of
a
user
versus
a
service
account
yeah.
B
A
B
I
am
not
100
sure
about
that.
That
might
be
a
question
for
imrae.
A
A
But
I
can
definitely
chat
with
emra
when
he
gets
back.
I
was
curious
that
maybe
you
might
have
some
insight
on
that,
but
that
was
my
main
concern
right
like
so
the
idea
of
what
happens
when
this
screen
changes
or
should
the
screen
change
at
all
from
here.
Should
I
leave
this
as
an
mvc,
which
I
think.
A
B
And
from
the
screen
we
would
be
able
to
give
a
singular
service
account
multiple
tokens
right
or
maybe
not
exactly
from
this
screen,
but
from
the
previous
one.
The
so.
A
A
A
Done
this,
I
can
actually
click
on
something
else
here
and
generate
a
new
one,
and
it
would
do
that
and
generate
the
token.
This
switch
is
kind
of
a
prototype
bug,
but.
C
C
B
Yeah
there
could
be
a
use
case
for
multiple
access
tokens,
for
example,
one
that
has
like
more
limited
scopes.
Like
you
know,
read
api
only
or
you
know,
read
repository
only
and
one
that
has
some
more
permissions.
B
A
Yeah,
I
guess
that
makes
sense,
because
you
would
call
it
like
api
bot
and
then
you
can
create
another
one
says:
read
bot
and
use
the
read
api
button
and
that
would
change
the
name
of
it.
So
that
would
make
sense
you
would
have
two
bots
doing
two
different
things:
yeah
or
well.
That's
that's
different
bots
right
using
different
tokens
for
one
bot.
That's
where
I'm
curious.
What's
the
benefit
of
that?
Why?
Why?
Wouldn't
you
just
select
multi-select
right.
B
Yeah,
I
suppose
you
could
use
the
one
with
the
wider
permissions
at
all
times,
but
if
you
know,
for
example,
a
company
had
really
strict
like
policies
and
wanted
to
limit
the
scope
of
their
tokens
to
as
like
low
permission
as
possible.
B
Maybe
you
know
some
sort
of
like
internal
requirement.
They
would
have
to
use
a
lower
privilege
token.
B
B
Yeah,
I
know
there's
certainly
some
sort
of
use
case
for
multiple
project
bots,
because
I
keep
getting
pinged
on
this
like
group
level
access
token
epic,
where
customers
request
being
able
to
have
multiple
project
access
tokens,
either
within
the
group
or
within
the
project.
A
We
were
that
was
the
next
iteration
right,
because
we
had
already
made
project
access
tokens.
The
next
creation
was
oh
there.
It
is
group
level
access
tokens,
the
re
the
pushback
was
well.
If
we're
gonna
do
that,
let's
just
make
a
feature
or
a
system
that
does
service
accounts
across
the
entire
organization
at
every
level.
A
So
I'll
take
a
look
at
that
more.
That
was
one
of
the
things
like
I
said.
The
the
confusion
for
me
was
what
happens
with
the
seats
and
then
also
the
unifying
of
the
tokens
and
now
this
question
about
what
happens
or
is
there
a
need
to
have
multiple
tokens
per
bot.
B
Ago
and
it
was
resolved
not
sure
about
the
multiple
tokens
with
different
access
levels
within
the.
B
A
Bot
with
a
different
access
level
and
call
it
like
api
or
read
api
bot,
because
for
me
it
doesn't
make
sense
to
have
variations
if
you're
not
just
do
the
multi-select
at
once
right,
I'm
not
sure
what,
unless
it
might
be
a
thing
where
they've
gone
back.
Oh
I
made
a
mistake.
I
want
to
go
back
and
add
that
that
might
be
the
difference,
but
then
that
would
generate
a
new
token.
A
A
B
A
A
A
A
B
For
example,
like
you
know,
project
access
tokens
create
a
project
bot
and
it's
like
a
personal
access
token
that
is
belongs
to
a
user
and
other
types
of
tokens.
Maybe
like
sim
tokens
or
deploy
tokens
or,
like
you
know,
oauth
tokens,
don't
necessarily
belong
to
a
user
they're.
Just
you
know,
like
a
token
digest.
A
B
Don't
really
belong
to
anyone
so
figuring
out
how
to
balance
you
know,
keeping
like
the
existing
behavior
of
like
project
bots
versus
you
know,
personal
access
tokens
first.
A
B
A
B
A
Okay,
so
that
was
something
that
I
was
concerned
about
is
what
happens
or
what's
the
holdups
for
this?
Does
this
make
sense,
as
the
next
step
for
the
idea
of
access
tokens
or
like,
as
you
said,
is
the
cost
effective?
Is
it
doesn't
make
sense
to
do
this
because
of
the
variations
within
the
tokens
like.
A
C
C
A
C
Okay-
and
so
the
next
question
is,
do
we
have
an
issue
that
proposes
sas?
Groups
can
then
allow
the
use
of
paths
within
their
namespace?
If
our
plan
is
to
standardize
on
service
accounts
and
associated
tokens,
we
should
provide
a
way
to
shut
down.
The
use
of
personal
tokens
is
that
is
that
kind
of
what
we
were
talking
about
with
unifying
tokens,
like
is
pat,
were
personal
access.
Tokens
included
in
the
unification.
B
A
It
doesn't
personal
yeah.
A
A
Okay,
yeah,
so
that
was
kind
of
like
if
we're
going
to
unify
all
the
tokens.
I
want
to
understand:
what's
the
complexity
here
and
that's
where
like
for
me,
the
hold
up
was
well.
Do
I
wait
for
this
unified
token
process
to
go
before
I
start
playing
with
this,
or
is
it
okay
to
just
go
ahead
with
this
iteration?
We
have
here
and
it
sounds
like
we
can
just
go
ahead
and
go
forward
with
iteration,
because
this
might
be
rather
complex.
C
A
A
So
I
think
I
got
most
of
my
questions
answered.
I
don't
know
if
hannah
you
had
any
other
questions.
C
A
No
no
for
me,
it
makes
sense
to
just
go
ahead
and
continue
with
the
the
the
mvc
that
I
have
the
visual
proposed
and
just
use
the
environment
that
we
currently
have
because
there's
no
sense
in
waiting
for
this
unified
token.
If
it's
a
super
complex
item,
it
might
take
a
year
to
get
resolved,
there's
no
telling
right,
but
we
already
have
the
implementation
currently
for
project
access
tokens,
and
then
we
can
offer
that
feature
at
the
group
and
the
instance
level.
Then
that
would
be
tremendous.
B
I've
got
some
ideas
for
some
sort
of
first
iteration
of
service
accounts,
some
of
which
I've
already
brought
up,
but
I
can
create
an
issue
and
send
it
to
y'all
with
like
more
fully
fleshed
out.
You
know
brain
noodling.