Add license "Policy" tab to 'License Compliance' page so that users can easily see existing license policies when viewing licenses (#14061) · Issues · GitLab.org / GitLab

Add license "Policy" tab to 'License Compliance' page so that users can easily see existing license policies when viewing licenses

Title was: Add classifications selection and policies to license compliance

Problem to solve

This issue is based on discovery work done in https://gitlab.com/gitlab-org/gitlab-ee/issues/12941. We now have a dedicated license compliance section, that shows licenses detected in a project per the license scan. Currently, adding a license and classification policy is done in Project>Settings>CI/CD>License Compliance. This means the licenses detected are visible to all users, but the policies are not (unless a newly detected license appears in an MR).

Additionally, in order to mark a license as denied or allowed (binary, one or the other currently no neutral option), the admin user has to manually add the license and classifications to the “License Compliance” settings area. This is a manual process and a significant burden on the user to set up. Also, consider projects that already have licenses in them, in which case the users would have no awareness of these already committed licenses that may be out of compliance.

License compliance classification names have changed, per this issue: #12937 (closed). In %12.5 we are updating/adding the license management/policy section #14061 (closed), which will also update the new classification names in that section. However, the classification names need to be updated in the UI seen in the MR widget.

Follow up issue after completion: #14061 (closed) and than #33870

This is MVC following ~"product discovery" #12941 (closed)

When complete we should be able to click to view policies from the license list in a new tab so i don't have to go to the settings area.

Intended users

Compliance Role wants to see that they are following policies that have been set, edit policies as needed, and set policies for unclassified licenses.
Delaney (Development Team Lead)
Sasha (Software Developer)
Sam (Security Analyst)\
Legal and/or person responsible for orgs compliance

Further details

This MVC lays the foundation for the following next steps: (policies shown against licenses currently detected in the project)
Updates classification names and adds uncategorized option #12937 (closed)

Job's to be done

User that is responsible for compliance: When my organization has policies with licenses, I want to be aware of my companies policies, so I can make sure my project licenses are in compliance with my orgs compliance.
User that is accountable for compliance: When I need to enforce our organization's licenses restrictions, I want to be able to view them and define policies, so that I can ensure a project's compliance.

Proposal

add policy tab and count
on policy tab display columns license and policy
display comments icon next to policies in the column if present, don't if not
mousing over comment icon gets you tooltip with comments

https://gitlab.com/gitlab-org/gitlab/uploads/476eb3f2b7d329f16cd0869dcebdf98d/maintainer.png

Improve the information architecture by unifying licenses detected in a project, with policies designated and created by the admin. This way policies set by the admin will be visible to all project participants.

UI, seen by both developer/maintainer (follow up issue: #34698 (closed) to add edit/add policy)

Update license names that are seen in the MR. This issue is closely related to #12530

Current	New

Classification names that require change:

Uncategorized, newly detected or admin has not selected classification
Approve => Allowed, admin has classified license as acceptable
Approve => Allow, used in the call-to-action seen in the MR (admin view) to classify license as Allowed
Blacklist => Denied, project participant views this classification when admin classified license as not allowed
Blacklist => Deny, used in the call-to-action seen in the MR (admin view) to classify license as unacceptable

These changes would be reflected in: merge request (license modals), Settings > CI (adding new and existing license dropdown), and then in the new policies tab.

Permissions and Security

Developer view may view policies, but can't adjust them
Maintainer may view/add/edit/delete policies
Public projects policy section is not visible to non-project participants (#33659 (closed))
not logged in - no tab and no count

Documentation

License compliance foundations document
Updated classification names issue #12937 (closed)
Update docs https://docs.gitlab.com/ee/user/application_security/license_compliance/#project-policies-for-license-compliance with additional way to see policies

Testing

unit test on NOT seeing as non developer (not logged in, logged in but not dev)
unit test can't see
unit test can see as maintainer, and can edit

ToDo

What does success look like, and how can we measure that?

User navigates to license compliance section then policies tab, when tasked with adding a license classification policy
User understands the difference between "detected in project" and "Policies" section
User is able to add a license and a classification to the policies list
- (We can measure these items in an upcoming user test - ToDo create solution validation issue)
Usage ping for policies added?

We are striving to make the person in charge of compliances job direct and with the least amount of manual work or busy work (copy paste). This should make it simpler to interact with all licenses in the project to be able to see their state, and quickly update as needed.

What is the type of buyer?

Ultimate

Links / references

Discovery issue: #12941 (closed)

Subissue - implement feature flag in UI to toggle tabs and additional "Policies" tab.

Implement feature flag to toggle on and off the displaying of the additional two new tabs "Detected in project" and "Policies"
Implement tabs. This covers rendering the existing licenses table in "Detected In Project"
Show counts in the tabs Notes: This will set us up to start merging this work in pieces without exposing it in production

Subissue - Display Add license header in "Policies tab" and table with dropdown and modal

~~Refactor existing add license UI that we use in license management page so we can use it in two places. In particular the add licenses modal and table.~~ (Now covered in Issue 2 since its a good chunk of work)
Need to decide if we will use client side search or not In the license management page search is done client side. License management uses client side pagination with the Paginated-List component from gitlab-ui. We don't have a re-usable server side pagination table as far as I know. I'm working on one for License List we should be able to use.
After refactor, implement table and modal. ~~Note: We may have to create an entirely separate issue to refactor the license management views/store.~~ (Issue 2 created below)

Implementation Plan

Backend

Frontend

Implement feature flag and policy tab w/ table
Update everywhere in the ui we re-named approval status -> classifications

Documentation update - Who is responsible for this?

User Documentation MR

Product Management - @NicoleSchwartz

Release Post ready just needs images

Title was: Add classifications selection and policies to license compliance

### Problem to solve

This issue is based on discovery work done in https://gitlab.com/gitlab-org/gitlab-ee/issues/12941. We now have a dedicated [license compliance](https://gitlab.com/gitlab-org/gitlab/issues/13582) section, that shows licenses detected in a project per the [license scan](https://docs.gitlab.com/ee/user/application_security/license_compliance/). Currently, adding a license and classification policy is done in Project>Settings>CI/CD>License Compliance. This means the licenses detected are visible to all users, but the policies are not (unless a newly detected license appears in an MR).

License compliance classification names have changed, per this issue: https://gitlab.com/gitlab-org/gitlab/issues/12937. In %"12.5" we are updating/adding the license management/policy section https://gitlab.com/gitlab-org/gitlab/issues/14061, which will also update the new classification names in that section. However, the classification names need to be updated in the UI seen in the MR widget.

Follow up issue after completion: https://gitlab.com/gitlab-org/gitlab/issues/14061 and than https://gitlab.com/gitlab-org/gitlab/issues/33870

This is MVC following ~"product discovery" https://gitlab.com/gitlab-org/gitlab/issues/12941

When complete we should be able to click to view policies from the license list in a new tab so i don't have to go to the settings area.

### Intended users

* Compliance Role wants to see that they are following policies that have been set, edit policies as needed, and set policies for unclassified licenses.
* [Delaney (Development Team Lead)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#delaney-development-team-lead)
* [Sasha (Software Developer)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sasha-software-developer)
* [Sam (Security Analyst)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sam-security-analyst)\
* Legal and/or person responsible for orgs compliance

### Further details

* This MVC lays the foundation for the following next steps: <add issue> (policies shown against licenses currently detected in the project)
* Updates classification names and adds uncategorized option https://gitlab.com/gitlab-org/gitlab/issues/12937

##### Job's to be done
* *User that is responsible for compliance:* When my organization has policies with licenses, I want to be aware of my companies policies, so I can make sure my project licenses are in compliance with my orgs compliance.
* *User that is accountable for compliance:* When I need to enforce our organization's licenses restrictions, I want to be able to view them and define policies, so that I can ensure a project's compliance.

### Proposal

* add policy tab and count
* on policy tab display columns license and policy
* display comments icon next to policies in the column if present, don't if not
* mousing over comment icon gets you tooltip with comments

https://gitlab.com/gitlab-org/gitlab/uploads/476eb3f2b7d329f16cd0869dcebdf98d/maintainer.png

| UI, seen by both developer/maintainer (follow up issue: https://gitlab.com/gitlab-org/gitlab/issues/34698 to add edit/add policy) | 
| ------ | 
| ![developer](/uploads/adcf4817ed1ffc7a4f3e52894c6585c2/developer.png) |

Update license names that are seen in the MR. This issue is closely related to https://gitlab.com/gitlab-org/gitlab/issues/12530

| Current | New |
| ------ | ------ |
| ![unclassified_current](/uploads/44ab4c9e9262858024968268e4990090/unclassified_current.png) | ![unclassified_new](/uploads/7b744c8046bcc4f92aba98f44dbe9b34/unclassified_new.png) |
| ![clarify_text_current](/uploads/f20b65375e67e6828d5f00112851fbcf/clarify_text_current.png) | ![clarify_text_new](/uploads/8f87d8bc43e9fe3cc2bf46bd32555eb8/clarify_text_new.png) |

##### Classification names that require change:

* **Uncategorized**, newly detected or admin has not selected classification
* Approve => **Allowed**, admin has classified license as acceptable
* Approve => **Allow**, used in the call-to-action seen in the MR (admin view) to classify license as Allowed
* Blacklist => **Denied**, project participant views this classification when admin classified license as not allowed
* Blacklist => **Deny**, used in the call-to-action seen in the MR (admin view) to classify license as unacceptable

These changes would be reflected in: merge request (license modals), Settings > CI (adding new and existing license dropdown), and then in the new policies tab.

### Permissions and Security

* Developer view may view policies, but can't adjust them
* Maintainer may view/add/edit/delete policies
* Public projects policy section is not visible to non-project participants (https://gitlab.com/gitlab-org/gitlab/issues/33659)
* not logged in - no tab and no count

### Documentation

* [License compliance foundations document](https://docs.google.com/document/d/1VHhT75dHpP4eYBiMxrDtNkSfQdwpsnugT0wa0Tqm9wk/edit?usp=sharing)
* Updated classification names issue https://gitlab.com/gitlab-org/gitlab/issues/12937
* Update docs https://docs.gitlab.com/ee/user/application_security/license_compliance/#project-policies-for-license-compliance with additional way to see policies

### Testing

- unit test on NOT seeing as non developer (not logged in, logged in but not dev)
- unit test can't see
- unit test can see as maintainer, and can edit

ToDo

### What does success look like, and how can we measure that?

* User navigates to license compliance section then policies tab, when tasked with adding a license classification policy
* User understands the difference between "detected in project" and "Policies" section
* User is able to add a license and a classification to the policies list
     * (We can measure these items in an upcoming user test - ToDo create solution validation issue)
* Usage ping for policies added?

### What is the type of buyer? 
Ultimate

### Links / references
* Discovery issue: https://gitlab.com/gitlab-org/gitlab/issues/12941

## Subissue - implement feature flag in UI to toggle tabs and additional "Policies" tab.

* [ ] Implement feature flag to toggle on and off the displaying of the additional two new tabs "Detected in project" and "Policies"
* [ ] Implement tabs. This covers rendering the existing licenses table in "Detected In Project"
* [ ] Show counts in the tabs Notes: This will set us up to start merging this work in pieces without exposing it in production

## Subissue - Display Add license header in "Policies tab" and table with dropdown and modal

* [ ] ~~Refactor existing add license UI that we use in license management page so we can use it in two places. In particular the add licenses modal and table.~~ (Now covered in Issue 2 since its a good chunk of work)
* [ ] **Need to decide if we will use client side search or not** In the license management page search is done client side. License management uses client side pagination with the Paginated-List component from gitlab-ui. We don't have a re-usable server side pagination table as far as I know. I'm working on one for License List we should be able to use.
* [ ] After refactor, implement table and modal. ~~Note: We may have to create an entirely separate issue to refactor the license management views/store.~~ (Issue 2 created below)

## Implementation Plan

### Backend

* [x] [Provide the API to display the policies for a project](https://gitlab.com/gitlab-org/gitlab/issues/34824)
* [x] [Provide the API to create a policy.](https://gitlab.com/gitlab-org/gitlab/issues/34825)
* [x] [Provide the API to update a policy.](https://gitlab.com/gitlab-org/gitlab/issues/34826)
* [x] [Rename `approval_status` to `classification`](https://gitlab.com/gitlab-org/gitlab/issues/36782)
* [x] [Rename `blacklisted` to `denied`](https://gitlab.com/gitlab-org/gitlab/issues/38271)
* [x] [Rename `approved` to `allowed`](https://gitlab.com/gitlab-org/gitlab/issues/38278)

### Frontend

* [x] [Implement feature flag and policy tab w/ table](https://gitlab.com/gitlab-org/gitlab/issues/195171)
* [ ] Update everywhere in the ui we re-named approval status -> classifications

### Documentation update - Who is responsible for this?

* [x] [User Documentation](https://docs.gitlab.com/ee/user/application_security/license_compliance/) [MR](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/23825)

### Product Management - @NicoleSchwartz
* [ ] [Release Post](https://gitlab.com/gitlab-com/www-gitlab-com/merge_requests/34460) ready just needs images

Edited Feb 19, 2020 by Fernando Arias

Discussion
Designs