## Problem to solve Users can only add one project at a time to the allowlist for which projects can use their CI_JOB_TOKEN to access this project. For organizations that have a lot of projects within each group, this process can be quite tedious, and there's a chance of missing out on some. ## User experience goal Users should be allowed to add a group, rather than needing to individually add each project within that group to their inbound token access list. ## Proposal Allow groups to be added to the inbound CI_JOB_TOKEN access list. #### Overall behaviour * The feature is enabled by default, with the project itself included in the allowlist. Behaviour: * **Feature enabled (Toggle on):** * Allows the project to be accessed by other groups or projects. * The allowlist is active. * **Feature disabled (Toggle off):** * Restricts access to the current project only. * The allowlist is ignored. * Users can add a group or project to the allowlist. * When user add a group to the allowlist, the projects associated with this group will not count towards the 200-project limit. #### Design and details :point_right: [**See the most updated design by clicking the `Designs` tab**](https://gitlab.com/gitlab-org/gitlab/-/issues/415519/designs/1_DefaultState_FeatureEnabled.png "1_DefaultState_FeatureEnabled.png") #### Intended users * [Delaney (Development Team Lead)](https://about.gitlab.com/handbook/product/personas/#delaney-development-team-lead) * [Sasha (Software Developer)](https://about.gitlab.com/handbook/product/personas/#sasha-software-developer) * [Priyanka (Platform Engineer)](https://about.gitlab.com/handbook/product/personas/#priyanka-platform-engineer) ## **More background and context for this issue** * The [limit a project's job token access](https://docs.gitlab.com/ee/ci/jobs/ci_job_token.html#limit-your-projects-job-token-access) is deprecated and will be removed in the 17.0 milestone. * Related issue: [Configure Job Token scope at group level](https://gitlab.com/gitlab-org/gitlab/-/issues/342842/ "Configure Job Token scope at group level"). * Refer to the research issue [Solution validation: CI_JOB_TOKEN overall behavior](https://gitlab.com/gitlab-org/ux-research/-/issues/2608 "Solution validation: CI_JOB_TOKEN overall behaviour") for related context and scenarios in comments. ## Implementation plan | MR | status | | ------ | ------ | | 1a. core functionality: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/151693+ | :white_check_mark: | | 1b. update documentation to read "group or project" instead of just "project": https://gitlab.com/gitlab-org/gitlab/-/merge_requests/152440+ | :white_check_mark: | | 1c. relabel the toggle: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/151704+ | :no_entry_sign: [reverted](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/155916) | | 2a. make the table look nicer: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/151728+ | :white_check_mark: | | 2b. make the form look nicer: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/151730+ | :white_check_mark: | | 2c. restore the improvements from `!151704` without renaming the toggle: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/156989+ | :white_check_mark: | <!-- triage-serverless v3 PLEASE DO NOT REMOVE THIS SECTION --> *This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.* <!-- triage-serverless v3 PLEASE DO NOT REMOVE THIS SECTION -->