Implementation: Adding two-person approvals for sensitive changes
Problem to solve
Some project settings or activity require additional scrutiny at compliance-minded organizations because changes to these areas can impact their compliance posture or introduce unnecessary risk to their GitLab groups and projects. For example, a customer may want to require a minimum of two approvals for merge requests, but might also want to provide an "escape hatch" for urgent deploys that need to bypass that process.
Currently, there's no way for users to request, document, and obtain approval for sensitive changes they'd like to make to regulated projects.
Please see this issue for our discovery on this feature.
Intended users
User experience goal
A user should be able to request approval to change sensitive settings, such as MR approval rules.
An owner should be able to approve or deny a requested change.
Proposal
- Add a `Group` setting to enable/disable `Two-person approvals` for (regulated) projects
- Implement logic for `MR approval settings` (the same ones in #39060 (closed)) so that if `Two-person approvals` is `enabled`, then changes to those settings result in:
  - Add an entry to the `Approvals` view within the Compliance Dashboard with an `Approve` button instead of `Done` (maybe an `X` to dismiss or `Deny` the notification?)
  - The setting that was changed should only take effect if `Approved`
  - The setting that was changed should retain its original value if `Denied`
  - The setting, from the perspective of the `requestor`, should have a visual indicator that it's "pending approval"
  - The person who changed the setting should receive a notification of the `Approval` or `Denial`
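The proposal above is a separation-of-duties workflow: a sensitive setting change is recorded as a pending request, takes effect only when a different person with owner rights approves it, and keeps its original value when denied. The following is an added illustration of that flow, not GitLab's own code: the `Project`, `ChangeRequest` and error class names, the `SENSITIVE_SETTINGS` list, and the in-memory `notifications` array are assumptions chosen for the example, not identifiers from the GitLab code base.

```ruby
# Added example (not GitLab code): a minimal model of two-person approvals
# for sensitive project settings. Names and the settings list are assumptions.
class NotOwnerError < StandardError; end
class SelfApprovalError < StandardError; end

# One requested change; status is :pending, :approved or :denied.
ChangeRequest = Struct.new(:id, :setting, :old_value, :new_value,
                           :requester, :status, :decided_by, keyword_init: true)

class Project
  # Assumed names for the MR approval settings that are gated by the feature.
  SENSITIVE_SETTINGS = %w[approvals_required allow_author_approval].freeze

  attr_reader :settings, :requests, :notifications

  def initialize(settings:, two_person_approvals:, owners:)
    @settings = settings.dup
    @two_person_approvals = two_person_approvals
    @owners = owners
    @requests = []
    @notifications = []
  end

  # Applies the change immediately when the feature is off or the setting is
  # not sensitive (returns :applied); otherwise records a pending ChangeRequest
  # and leaves the live value untouched.
  def update_setting(name, value, by:)
    return apply!(name, value) unless @two_person_approvals && SENSITIVE_SETTINGS.include?(name)

    req = ChangeRequest.new(id: @requests.size + 1, setting: name,
                            old_value: @settings[name], new_value: value,
                            requester: by, status: :pending)
    @requests << req
    req
  end

  def approve(request_id, by:)
    decide(request_id, by: by, status: :approved)
  end

  def deny(request_id, by:)
    decide(request_id, by: by, status: :denied)
  end

  # What a viewer sees: the live value, plus a "pending approval" flag when
  # that viewer has an undecided request for this setting.
  def view_setting(name, viewer:)
    pending = @requests.any? { |r| r.setting == name && r.status == :pending && r.requester == viewer }
    { value: @settings[name], pending_approval: pending }
  end

  # Entries that would populate the Compliance Dashboard "Approvals" view.
  def pending_requests
    @requests.select { |r| r.status == :pending }
  end

  private

  def decide(request_id, by:, status:)
    req = @requests.find { |r| r.id == request_id && r.status == :pending }
    raise ArgumentError, "no pending request #{request_id}" unless req
    raise NotOwnerError, "only owners may decide" unless @owners.include?(by)
    # The two-person rule: the requester can never approve or deny their own change.
    raise SelfApprovalError, "requester cannot decide own request" if req.requester == by

    req.status = status
    req.decided_by = by
    # Only an approval changes the live value; a denial retains the original.
    apply!(req.setting, req.new_value) if status == :approved
    @notifications << { to: req.requester, request: req.id, outcome: status, by: by }
    req
  end

  def apply!(name, value)
    @settings[name] = value
    :applied
  end
end

if $PROGRAM_NAME == __FILE__
  project = Project.new(settings: { "approvals_required" => 2 },
                        two_person_approvals: true, owners: %w[alice bob])
  req = project.update_setting("approvals_required", 0, by: "alice")
  puts "pending: #{project.pending_requests.map(&:id).inspect}, live value: #{project.settings['approvals_required']}"
  project.deny(req.id, by: "bob")
  puts "after denial: #{project.settings['approvals_required']} (original retained)"
end
```

The check that matters for compliance is in `decide`: the decision must come from an owner and from someone other than the requester, and the live value is written only on the approval path, so a denied or still-pending request can never leak into the effective configuration.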