Update Database Schema for Compliance Frameworks
Why is this change being made?
This merge request makes several important changes to the database schema and architecture for compliance frameworks:
1. Added New ADR (Architecture Decision Record)
Added a new file `008_policy_relationships.md` documenting the decision to rely on the evaluation engine to determine whether a security policy exists that satisfies a compliance control, rather than using database records to match compliance controls to security policies.
2. Database Schema Changes
- Removed the `security_policy_requirements` table that was previously used to create relationships between compliance requirements and security policies
- Added the missing `project_compliance_framework_settings` table to manage the relationship between projects and compliance frameworks
- Added the `audit_events` table to the ERD diagram to show its relationship with compliance status records
- Updated the relationships between tables in the ERD diagram to reflect a more normalized data structure
3. Workflow Changes
- Updated the compliance check workflow diagram to show that controls are evaluated directly against settings/policies rather than relying on pre-established database relationships
- Changed the process to get a "distinct list of actionable Controls in Frameworks applied to Project" rather than "all Controls"
- Clarified that controls can have enforcement mechanisms through settings/policies
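As an added illustration of the data model and workflow described in sections 2 and 3 (example code written for this page, not code from this MR or from GitLab): the only table name taken from the MR is `project_compliance_framework_settings`; the `compliance_frameworks`, `compliance_requirements` and `compliance_controls` tables, their columns, the sample rows and the `CHECKS` dictionary standing in for the evaluation engine are all assumptions. It shows why the workflow asks for a *distinct* list of actionable controls (two frameworks applied to the same project can require the same control) and how each control is then evaluated directly against project settings instead of through a stored control-to-policy relationship.

```python
import sqlite3

# Constructed schema (assumption): only project_compliance_framework_settings
# is named in the MR; the other tables and columns are hypothetical.
SCHEMA = """
CREATE TABLE compliance_frameworks (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE compliance_requirements (
    id INTEGER PRIMARY KEY,
    framework_id INTEGER NOT NULL REFERENCES compliance_frameworks(id),
    name TEXT NOT NULL);
CREATE TABLE compliance_controls (
    id INTEGER PRIMARY KEY,
    requirement_id INTEGER NOT NULL REFERENCES compliance_requirements(id),
    name TEXT NOT NULL);
CREATE TABLE project_compliance_framework_settings (
    project_id INTEGER NOT NULL,
    framework_id INTEGER NOT NULL REFERENCES compliance_frameworks(id),
    PRIMARY KEY (project_id, framework_id));
"""

# Constructed sample data: project 1 has two frameworks applied, and both
# require default_branch_protected, so a plain join would list it twice.
SAMPLE_ROWS = """
INSERT INTO compliance_frameworks VALUES (1, 'SOC 2'), (2, 'ISO 27001');
INSERT INTO compliance_requirements VALUES
    (10, 1, 'Change management'), (20, 2, 'Access control');
INSERT INTO compliance_controls VALUES
    (100, 10, 'minimum_approvals_required'),
    (101, 10, 'default_branch_protected'),
    (200, 20, 'default_branch_protected');
INSERT INTO project_compliance_framework_settings VALUES (1, 1), (1, 2), (2, 2);
"""

# "Distinct list of actionable Controls in Frameworks applied to Project":
# walk project -> framework -> requirement -> control and de-duplicate.
ACTIONABLE_CONTROLS_SQL = """
SELECT DISTINCT c.name
FROM project_compliance_framework_settings s
JOIN compliance_requirements r ON r.framework_id = s.framework_id
JOIN compliance_controls c ON c.requirement_id = r.id
WHERE s.project_id = ?
ORDER BY c.name
"""


def open_db():
    """In-memory SQLite database loaded with the constructed schema and rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE_ROWS)
    return conn


def actionable_controls(conn, project_id):
    """Sorted, de-duplicated control names the project must satisfy."""
    return [row[0] for row in conn.execute(ACTIONABLE_CONTROLS_SQL, (project_id,))]


# Hypothetical evaluation engine: each control is a predicate over the
# project's live settings. Nothing links a control to a policy in the
# database, which is the point of dropping security_policy_requirements.
CHECKS = {
    "minimum_approvals_required": lambda st: st.get("approvals_required", 0) >= 1,
    "default_branch_protected": lambda st: bool(st.get("default_branch_protected", False)),
}


def evaluate(conn, project_id, settings):
    """Return {control_name: 'pass' | 'fail'} for every actionable control.

    A control with no registered check fails closed rather than being
    silently skipped, so an unimplemented control never reads as compliant.
    """
    results = {}
    for name in actionable_controls(conn, project_id):
        check = CHECKS.get(name)
        results[name] = "pass" if check is not None and check(settings) else "fail"
    return results


if __name__ == "__main__":
    db = open_db()
    print(actionable_controls(db, 1))
    print(evaluate(db, 1, {"approvals_required": 2, "default_branch_protected": True}))
```

Because the control list is derived from the frameworks currently applied to the project and the verdict is derived from the project's current settings, changing either a framework assignment or a setting is reflected on the next evaluation with no relationship rows to keep in sync.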
4. Documentation Improvements
- Fixed a broken link to the Compliance Frameworks MVC issue
- Made minor text improvements and corrections throughout the documentation
- Clarified the relationship between audit events and compliance status records
These changes aim to create a more flexible data organization for implementing the compliance center, particularly by relying on real-time evaluation of policies rather than maintaining static relationships in the database.
Author and Reviewer Checklist
Please verify the checklist and ensure every item is ticked off before the MR is merged.
- Provided a concise title for this Merge Request (MR)
- Added a description to this MR explaining the reasons for the proposed change, that is, the why, not just the what
  - Copy/paste the Slack conversation to document it for later, or upload screenshots. Verify that no confidential data is added, and the content is SAFE
- Assign reviewers for this MR to the correct Directly Responsible Individual/s (DRI)
  - If the DRI for the page/s being updated isn't immediately clear, then assign it to one of the people listed in the `Maintained by` section on the page being edited
  - If your manager does not have merge rights, please ask someone to merge it AFTER it has been approved by your manager in #mr-buddies
  - The "when to get approval" handbook section explains the workflow in more detail
- For transparency, share this MR with the audience that will be impacted.
  - Team: For changes that affect your direct team, share in your group Slack channel
  - Department: If the update affects your department, share the MR in your department Slack channel
  - Division: If the update affects your division, share the MR in your division Slack channel
  - Company: If the update affects all (or the majority of) GitLab team members, post an update in #whats-happening-at-gitlab linking to this MR
    - For high-priority company-wide announcements, work with the internal communications team to post the update in #company-fyi and align on a plan to circulate it in additional channels like the "While You Were Iterating" Newsletter
Commits
- Update Database Schema for Compliance Adherence

  We think these changes to the schema will make it easier to implement the compliance dashboard by creating more flexible data organization.

- Fix link to Compliance Frameworks MVC issue

  The link to this issue contained an extra `+` which broke the link.