Add license "Policy" tab to 'License Compliance' page so that users can easily see existing license policies when viewing licenses
Title was: Add classifications selection and policies to license compliance
Problem to solve
This issue is based on discovery work done in https://gitlab.com/gitlab-org/gitlab-ee/issues/12941. We now have a dedicated license compliance section, that shows licenses detected in a project per the license scan. Currently, adding a license and classification policy is done in Project>Settings>CI/CD>License Compliance. This means the licenses detected are visible to all users, but the policies are not (unless a newly detected license appears in an MR).
Additionally, in order to mark a license as denied or allowed (binary, one or the other currently no neutral option), the admin user has to manually add the license and classifications to the “License Compliance” settings area. This is a manual process and a significant burden on the user to set up. Also, consider projects that already have licenses in them, in which case the users would have no awareness of these already committed licenses that may be out of compliance.
License compliance classification names have changed, per this issue: #12937 (closed). In %12.5 we are updating/adding the license management/policy section #14061 (closed), which will also update the new classification names in that section. However, the classification names need to be updated in the UI seen in the MR widget.
Follow up issue after completion: #14061 (closed) and than #33870 (closed)
This is MVC following ~"product discovery" #12941 (closed)
When complete we should be able to click to view policies from the license list in a new tab so i don't have to go to the settings area.
Intended users
- Compliance Role wants to see that they are following policies that have been set, edit policies as needed, and set policies for unclassified licenses.
- Delaney (Development Team Lead)
- Sasha (Software Developer)
- Sam (Security Analyst)\
- Legal and/or person responsible for orgs compliance
Further details
- This MVC lays the foundation for the following next steps: (policies shown against licenses currently detected in the project)
- Updates classification names and adds uncategorized option #12937 (closed)
Job's to be done
- User that is responsible for compliance: When my organization has policies with licenses, I want to be aware of my companies policies, so I can make sure my project licenses are in compliance with my orgs compliance.
- User that is accountable for compliance: When I need to enforce our organization's licenses restrictions, I want to be able to view them and define policies, so that I can ensure a project's compliance.
Proposal
- add policy tab and count
- on policy tab display columns license and policy
- display comments icon next to policies in the column if present, don't if not
- mousing over comment icon gets you tooltip with comments
https://gitlab.com/gitlab-org/gitlab/uploads/476eb3f2b7d329f16cd0869dcebdf98d/maintainer.png
Improve the information architecture by unifying licenses detected in a project, with policies designated and created by the admin. This way policies set by the admin will be visible to all project participants.
| UI, seen by both developer/maintainer (follow up issue: #34698 (closed) to add edit/add policy) |
|---|
 |
Update license names that are seen in the MR. This issue is closely related to #12530 (closed)
| Current | New |
|---|---|
 |
 |
 |
 |
Classification names that require change:
- Uncategorized, newly detected or admin has not selected classification
- Approve => Allowed, admin has classified license as acceptable
- Approve => Allow, used in the call-to-action seen in the MR (admin view) to classify license as Allowed
- Blacklist => Denied, project participant views this classification when admin classified license as not allowed
- Blacklist => Deny, used in the call-to-action seen in the MR (admin view) to classify license as unacceptable
These changes would be reflected in: merge request (license modals), Settings > CI (adding new and existing license dropdown), and then in the new policies tab.
Permissions and Security
- Developer view may view policies, but can't adjust them
- Maintainer may view/add/edit/delete policies
- Public projects policy section is not visible to non-project participants (#33659 (closed))
- not logged in - no tab and no count
Documentation
- License compliance foundations document
- Updated classification names issue #12937 (closed)
- Update docs https://docs.gitlab.com/ee/user/application_security/license_compliance/#project-policies-for-license-compliance with additional way to see policies
Testing
- unit test on NOT seeing as non developer (not logged in, logged in but not dev)
- unit test can't see
- unit test can see as maintainer, and can edit
ToDo
What does success look like, and how can we measure that?
- User navigates to license compliance section then policies tab, when tasked with adding a license classification policy
- User understands the difference between "detected in project" and "Policies" section
- User is able to add a license and a classification to the policies list
- (We can measure these items in an upcoming user test - ToDo create solution validation issue)
- Usage ping for policies added?
We are striving to make the person in charge of compliances job direct and with the least amount of manual work or busy work (copy paste). This should make it simpler to interact with all licenses in the project to be able to see their state, and quickly update as needed.
What is the type of buyer?
Ultimate
Links / references
- Discovery issue: #12941 (closed)
Subissue - implement feature flag in UI to toggle tabs and additional "Policies" tab.
- Implement feature flag to toggle on and off the displaying of the additional two new tabs "Detected in project" and "Policies"
- Implement tabs. This covers rendering the existing licenses table in "Detected In Project"
- Show counts in the tabs Notes: This will set us up to start merging this work in pieces without exposing it in production
Subissue - Display Add license header in "Policies tab" and table with dropdown and modal
-
Refactor existing add license UI that we use in license management page so we can use it in two places. In particular the add licenses modal and table.(Now covered in Issue 2 since its a good chunk of work) - Need to decide if we will use client side search or not In the license management page search is done client side. License management uses client side pagination with the Paginated-List component from gitlab-ui. We don't have a re-usable server side pagination table as far as I know. I'm working on one for License List we should be able to use.
-
After refactor, implement table and modal.
Note: We may have to create an entirely separate issue to refactor the license management views/store.(Issue 2 created below)
Implementation Plan
Backend
- Provide the API to display the policies for a project
- Provide the API to create a policy.
- Provide the API to update a policy.
-
Rename
approval_statustoclassification -
Rename
blacklistedtodenied -
Rename
approvedtoallowed
Frontend
- Implement feature flag and policy tab w/ table
- Update everywhere in the ui we re-named approval status -> classifications
Documentation update - Who is responsible for this?
Product Management - @NicoleSchwartz
- Release Post ready just needs images