Security Access Controls for Issues - Feature Request
Overview of the challenge
There is currently no way to limit access to confidential issues to specific groups and users within a Project. We have a feature in Issues called "This issue is confidential and should only be visible to team members with at least Reporter access." This feature allows at least Reporters to have access to view the issue.
Core concern
It is my understanding that many people have Reporter access and most people are at that level or higher, so most people will be able to view a confidential issue. The creator of the issue has no control over who has which role, such as Reporter (because the role is set at the Project level). If my issue were truly confidential, this would cause security and confidentiality concerns for me when using Issues, especially within an Enterprise environment.
Considerations and value add
- This feature would be ideal for Enterprise-grade customers with large complex projects like www-gitlab-com or groups of projects.
- The addition of this feature would help solve potential compliance challenges such as FISMA (e.g. NIST 800-53 controls like AC-6, Least Privilege)
- Access controls are a good way to mitigate the impact of a compromised account
- There could be other areas within GitLab outside of Issues where this feature could come into play. I could see a situation where this could scale throughout the product.
Recommendation
Create access-control management features, such as functional privileges that can be tied to individual users and groups of users, to manage access and privileges within Issues.
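To make the gap concrete, the following added Python sketch (not GitLab's code; the role values, the allowlist fields and the membership data are constructed for illustration) contrasts the current Reporter-threshold rule with a per-issue allowlist of the kind the recommendation describes, and lists who can see a confidential issue under each rule, which is the number that matters when one of those accounts is compromised.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Role(IntEnum):
    """Project roles in ascending order of privilege (constructed numeric values)."""
    GUEST = 10
    REPORTER = 20
    DEVELOPER = 30
    MAINTAINER = 40
    OWNER = 50


@dataclass
class Issue:
    author: str
    confidential: bool = False
    # Hypothetical per-issue allowlist: users and groups chosen by the issue author.
    allowed_users: set = field(default_factory=set)
    allowed_groups: set = field(default_factory=set)


def can_view_current(issue, user, role, groups=None):
    """Today's rule: any project member with at least Reporter access sees a confidential issue."""
    if not issue.confidential:
        return True
    return user == issue.author or role >= Role.REPORTER


def can_view_proposed(issue, user, role, groups):
    """Proposed rule: if the author set an allowlist, only the author, listed users and members
    of listed groups may view the issue; with no allowlist, fall back to the Reporter threshold."""
    if not issue.confidential or user == issue.author:
        return True
    if not issue.allowed_users and not issue.allowed_groups:
        return role >= Role.REPORTER
    return user in issue.allowed_users or bool(set(groups) & issue.allowed_groups)


def viewers(issue, members, rule):
    """Everyone in `members` ({user: (role, groups)}) who can see `issue` under `rule`."""
    return sorted(u for u, (role, groups) in members.items() if rule(issue, u, role, groups))


# Constructed project membership: a typical mix where most members are Reporter or above.
MEMBERS = {
    "alice": (Role.OWNER, {"security"}),
    "bob": (Role.REPORTER, {"docs"}),
    "carol": (Role.DEVELOPER, {"security"}),
    "dave": (Role.GUEST, set()),
}
# Alice files a confidential issue meant only for the security group.
ISSUE = Issue(author="alice", confidential=True, allowed_groups={"security"})
```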