Include changes to approval groups in audit log (#213603) · Issues · GitLab.org / GitLab

Include changes to approval groups in audit log

Problem to solve

Currently, there are gaps in the Category:Audit Events log for changes made to MR approval settings. Specifically, if an approval group is added or removed, there is no captured audit event. Additionally, if an individual is added or removed to an existing approval group, there is no audit event.

The lack of these events creates a gap in the nonrepudiation posture of a GitLab environment, which can be problematic for audit or compliance stakeholders looking to track down specific information about a change or when satisfying external auditor requirements for evidence of traceability and auditability.

Intended users

Sidney (Systems Administrator)
Sam (Security Analyst)
The management stakeholders who adhere to any auditing process. To be defined in a new Compliance Persona

Further details

We addressed some related gaps in #7531 (closed) but customer feedback has highlighted additional areas for improvement.

Proposal

Capture audit events for:

Add/Remove an approval group

(suggested copy) e.g. Approval Group was Added to Project at Date/Time

If I add/remove an individual to an existing approval group, no audit event is listed.

(suggested copy) e.g. User was Removed from Approval Group at Date/Time

Permissions and Security

Documentation

Availability & Testing

What does success look like, and how can we measure that?

What is the type of buyer?

Is this a cross-stage feature?

Links / references

### Problem to solve

Currently, there are gaps in the ~"Category:Audit Events" log for changes made to MR approval settings. Specifically, if an approval group is added or removed, there is no captured audit event. Additionally, if an individual is added or removed to an existing approval group, there is no audit event.

### Intended users

* [Sidney (Systems Administrator)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sidney-systems-administrator)
* [Sam (Security Analyst)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sam-security-analyst)
* The management stakeholders who adhere to any auditing process. To be defined in a new [Compliance Persona](https://gitlab.com/gitlab-org/ux-research/issues/546)

### Further details

We addressed some related gaps in https://gitlab.com/gitlab-org/gitlab/-/issues/7531 but customer feedback has highlighted additional areas for improvement.

### Proposal

Capture audit events for:

* Add/Remove an approval group

(suggested copy)
e.g. `Approval Group` was `Added` to `Project` at `Date/Time`

* If I add/remove an individual to an existing approval group, no audit event is listed.

(suggested copy)
e.g. `User` was `Removed` from `Approval Group` at `Date/Time`

### Permissions and Security

### Documentation

<!-- See the Feature Change Documentation Workflow https://docs.gitlab.com/ee/development/documentation/feature-change-workflow.html

* Add all known Documentation Requirements in this section. See https://docs.gitlab.com/ee/development/documentation/feature-change-workflow.html#documentation-requirements
* If this feature requires changing permissions, update the permissions document. See https://docs.gitlab.com/ee/user/permissions.html -->

### Availability & Testing

<!-- This section needs to be retained and filled in during the workflow planning breakdown phase of this feature proposal, if not earlier.

What risks does this change pose to our availability? How might it affect the quality of the product? What additional test coverage or changes to tests will be needed? Will it require cross-browser testing?

Please list the test areas (unit, integration and end-to-end) that needs to be added or updated to ensure that this feature will work as intended. Please use the list below as guidance.
* Unit test changes
* Integration test changes
* End-to-end test change

See the test engineering planning process and reach out to your counterpart Software Engineer in Test for assistance: https://about.gitlab.com/handbook/engineering/quality/test-engineering/#test-planning -->

### What does success look like, and how can we measure that?

### What is the type of buyer?

### Is this a cross-stage feature?

### Links / references

Discussion
Designs