Draft: Implement shadow user PoC
What does this MR do and why?
This MR shows a Proof-of-Concept for shadow accounts (scope user account) on GitLab.
This could be used by an AI Agent to authenticate against GitLab APIs, in a way that the identity of the agent will be tied to a service account, but the access permissions will be scoped down to a "scope user" (we renamed "shadow account" to "scope user" to avoid confusion).
This could allow us to have a @duo service account in GitLab, but if someone requests an action from Duo, Duo would not impersonate them, but instead would use its own service account and would be granted access based on the intersection of the scope user's permissions and the service account's permissions:
can?(duo_service_account, :read_project, project) && can?(scope_user, :read_project, project)
Edited by Grzegorz Bizon
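
The intersection rule in the description, as an added example that is not code from this MR or from GitLab: `GRANTS`, `CompositeIdentity`, `decisions_for`, the project names and the user `alice` are hypothetical, and `can?` here is a stand-in for a per-user policy check. Denying access when no scope user is set is an assumption of this sketch.

```ruby
# Added illustration; all names below are hypothetical, not GitLab's own code.
require 'set'

# Constructed sample data: abilities each principal holds, per project.
GRANTS = {
  'duo_service_account' => { 'project-a' => Set[:read_project, :create_note],
                             'project-b' => Set[:read_project] },
  'alice'               => { 'project-a' => Set[:read_project],
                             'project-c' => Set[:read_project, :create_note] }
}.freeze

# Stand-in for a per-user policy check.
def can?(user, ability, project)
  return false if user.nil?

  GRANTS.fetch(user, {}).fetch(project, Set.new).include?(ability)
end

# The acting identity stays the service account; effective access is the
# intersection of its permissions with those of the scope user.
class CompositeIdentity
  attr_reader :service_account, :scope_user

  def initialize(service_account, scope_user)
    @service_account = service_account
    @scope_user = scope_user
  end

  # Assumption: fail closed. Without a scope user the request is denied
  # rather than falling back to the service account's own permissions.
  def allowed?(ability, project)
    return false if scope_user.nil?

    can?(service_account, ability, project) && can?(scope_user, ability, project)
  end
end

# Decision table for one scope user across the sample projects.
def decisions_for(scope_user)
  identity = CompositeIdentity.new('duo_service_account', scope_user)
  %w[project-a project-b project-c].to_h do |project|
    [project, { read_project: identity.allowed?(:read_project, project),
                create_note: identity.allowed?(:create_note, project) }]
  end
end
```

Neither principal can widen the other's access: `project-c` is denied even though the scope user holds both abilities there, because the service account holds none.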