Prohibit admin impersonation of other users
Description
GitLab allows administrators to impersonate other users, taking actions on behalf of these users. GitLab does not provide an audit trail for actions taken under impersonation, and some higher security environments may wish to disable this feature to improve the reliability of the audit trail. Beyond auditing, some organizations may wish to disable this feature for security.
Approach
We should add an option to config/gitlab.yml and gitlab.rb that disables admin impersonations. Impersonations should be enabled by default.
When impersonations are disabled:
- Attempting to impersonate in the UI or via impersonation token (either by using an existing token or attempting to create a new one) should throw an error.
OP from @devcurmudgeon:
Description
GitLab allows admin staff to impersonate other users. In some situations GitLab user organisations may need to turn this feature off, and be sure that audit trails and history truly reflect the users that performed the actions, for example where projects are subject to external audit.
Proposal
It's not clear to me how this functionality is currently implemented, so I can't comment on how to turn it off, but it should be possible for an organisation working in (say) a secure or safety-critical environment to assert with complete confidence that relevant GitLab code history and other metadata are intact, and could not have been modified by a rogue admin.
Overview
Where GitLab is adopted for (say) regulated industries, the code and processes used to create it may be subject to independent review to establish trust, or to assess liability and accountability in the event.
Use cases
Any organisation that needs to provide guarantees about its code and processes.