Refine permissions for security features
Problem to solve
The number of issues related to permissions keeps increasing as we grow and implement more features. There is no clear convention or documentation today and some underlying complexity makes it error-prone when it comes to add or update permissions or new features.
Intended users
devopssecure team members
Proposal
-
Engineering: Write down the list of features provided by devopssecure and the corresponding permissions (from the code). -
UX/Product: Analyse, flag inconsistencies and define the new expectations -
Engineering: Define permission conventions to apply when adding/updating a feature -
Engineering: Update the permissions based on the new expectations - Create new missing policies
- Update existing policies
- Update docs
Documentation
-
make sure public documentation about permission is up to date: https://docs.gitlab.com/ee/user/permissions.html -
create developer-oriented documentation about which permissions we use and how to add new ones
What does success look like, and how can we measure that?
- clean description of our permissions and how to add/update them.
- fewer issues regarding permissions bug or inconsistencies
New permissions summary
| Status | Activity level | Resource | Locations | Licensed feature | Policy | Note |
|---|---|---|---|---|---|---|
| View | License information | Dependency list, License Compliance | License Compliance | Can view repo | ||
| View | Dependency information | Dependency list, License Compliance | Dependency Scanning | Can view repo | ||
| View | Vulnerabilities information | Dependency list | Dependency Scanning | Can view security findings | ||
| View | Black/Whitelisted licenses for the project | License compliance, Merge request | License Compliance | Can view repo |
Inconsistency now it's can read project
|
|
| View | Security findings | MR, CI job page, Pipeline security tab | One of the Secure features | Can read the project and CI jobs | Doesn't exist now | |
| View | Vulnerability feedback | MR | One of the Secure features | Can read security findings | ||
| View | Security dashboard | Project, Group | One of the Secure features | Is Developer+ | ||
| View | Dependency List page | Project | Dependency List | Can access Dependency information | ||
| View | License Compliance page | Project | Licenses List | Can access License information | ||
| Use | Vulnerability feedback (create an issue, dismiss, fix w/suggestion) | Security Dashboard, MR, Pipeline security tab | One of the Security features | Is Developer+ | ||
| Manage | Licenses and license policy (approve/blacklist/manually add new) | Merge Request, License Compliance | License Compliance | Is Maintainer+ | ||
| Manage | Vulnerability MR policy (security-gates)(vuln-check) | Merge Request, Settings | One of the Secure features | Is Maintainer+ |
Edited by Tetiana Chupryna