Include changes to approval groups in audit log
Problem to solve
Currently, there are gaps in the Category:Audit Events log for changes made to MR approval settings. Specifically, if an approval group is added or removed, no audit event is captured. Additionally, if an individual is added to or removed from an existing approval group, there is no audit event.
The lack of these events creates a gap in the nonrepudiation posture of a GitLab environment, which can be problematic for audit or compliance stakeholders looking to track down specific information about a change or when satisfying external auditor requirements for evidence of traceability and auditability.
- Sidney (Systems Administrator)
- Sam (Security Analyst)
- The management stakeholders who adhere to any auditing process. To be defined in a new Compliance Persona.
We addressed some related gaps in #7531 (closed) but customer feedback has highlighted additional areas for improvement.
Capture audit events for:
- Add/Remove an approval group
Approval Group was
- If I add/remove an individual to an existing approval group, no audit event is listed.
Approval Group at