New Audit Event: Add Audit Event for changing protection on an environment

Release notes

GitLab now records an audit event when the protected status of an environment is updated. This is helpful for auditing any changes to the deployment process, since protected environments are typically used for deploying code to special environments such as production.

Problem to solve

Customers using protected environments need to be able to audit when protections were added or removed.

Intended users

When environments are either protected or unprotected, an audit record should be generated, as is done for protected branches. The user shouldn't experience anything different, but an audit record should be logged.

Proposal

As a company moves from the Single User experience to the Invite Other Users and Adopt All Features stages, they may include projects and environments that need to be protected. Since removing protections has potentially harmful effects on the security of the environment, these events need to be logged.

Further details

Permissions and Security

When a Maintainer or Owner protects or unprotects an environment, an audit record should be generated.

Documentation

Availability & Testing

What does success look like, and how can we measure that?

What is the type of buyer?

Buyer Personas: CISO, Director - Risk Mgt Enterprise Tier: Premium

Is this a cross-stage feature?

Implementation plan

See Audit Event Guide for details on implementation of Audit events.

Relevant services:

  • ProtectedEnvironments::CreateService
  • ProtectedEnvironments::UpdateService
  • ProtectedEnvironments::DestroyService

Protected environment settings can be changed via the API or the UI. Changes made through either method should generate an audit event.

  • Audit events for project-level protected environments
  • Audit events for group-level protected environments

Edited by Chris Balane