Allow reporters to run jobs that deploy to an environment if they are explicitly listed
Problem to solve
Users that have no access to modify the code (Reporters) ought to still be able to Approve MRs and Deploy to Protected Environments when they are designated as approvers or deployers
When an operator is “allowed to deploy” to production, they need developer access and the ability to push/merge into the branch (if it's protected) in order to deploy into protected environments. This permits operators to commit code, causing auditing concerns.
A similar issue exists when a non-code-contributing Approver for merge requests is required. They must be developers to approve Merge Requests.
Intended users
Further details
- We will need to add a configuration option for groups to select that maintainers cannot deploy, and only this deployer role can deploy.
- We want to let reporters run jobs, but only if the job has an environment and they are allowed to deploy to that environment.
This feature will work like this from the user's perspective:
- A group is created with Reporter access, e.g. deployers
- The user is added to the deployers group as a Reporter
- The deployers group is added to the project with Reporter access
- A Protected Environment is created for production with the deployers group listed as allowed to deploy
Proposal
Spawned from: #201898 (closed)
The idea is to use reporters as "operators".
I would suggest the following logic:
- If the environment isn't protected, only developers can deploy.
- If the environment is protected, then all users/groups directly listed in the protected environment can deploy if they have at least reporter permissions to the project.
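As an added example, not part of this issue and not GitLab's own Core/EE policy code, the following Ruby model implements the two rules above together with the group option from Further details (maintainers cannot deploy unless listed). The names `DeployPolicy`, `Member`, `ProtectedEnvironment` and `maintainers_can_deploy` are hypothetical, and the sample members follow the deployers-group walkthrough above.

```ruby
# Hypothetical model of the deploy-permission rules proposed in this issue.
# Illustrative only; not GitLab's Core/EE policy code.

# Role ordering for the project access levels referred to in the issue.
ACCESS_LEVELS = { guest: 10, reporter: 20, developer: 30, maintainer: 40 }.freeze

# A project member: their role on the project plus the groups they belong to.
Member = Struct.new(:username, :access_level, :groups)

# A protected environment with the users and groups explicitly "allowed to deploy".
ProtectedEnvironment = Struct.new(:name, :allowed_users, :allowed_groups)

class DeployPolicy
  # maintainers_can_deploy models the proposed group option: when false, only the
  # explicitly listed deployers may deploy to protected environments.
  def initialize(protected_environments, maintainers_can_deploy: true)
    @protected = protected_environments.to_h { |pe| [pe.name, pe] }
    @maintainers_can_deploy = maintainers_can_deploy
  end

  def can_deploy?(member, environment_name)
    pe = @protected[environment_name]

    # Rule 1: unprotected environment keeps today's behaviour, developer or higher.
    return member.access_level >= ACCESS_LEVELS[:developer] if pe.nil?

    # Rule 2: protected environment. The floor is reporter access on the project...
    return false if member.access_level < ACCESS_LEVELS[:reporter]

    # ...plus an explicit listing, either directly or through a listed group.
    return true if pe.allowed_users.include?(member.username)
    return true if (member.groups & pe.allowed_groups).any?

    # Maintainers keep an implicit deploy right only while the group option allows it.
    @maintainers_can_deploy && member.access_level >= ACCESS_LEVELS[:maintainer]
  end

  # Segregation-of-duties check: can this member both change code and deploy it?
  # Developer access is the threshold for pushing code, as the issue describes.
  def can_push_and_deploy?(member, environment_name)
    member.access_level >= ACCESS_LEVELS[:developer] && can_deploy?(member, environment_name)
  end

  # Summarise the decision for a set of members against one environment.
  def deploy_matrix(members, environment_name)
    members.to_h { |m| [m.username, can_deploy?(m, environment_name)] }
  end
end

# Constructed sample data following the walkthrough in the issue: a "deployers"
# group holding Reporter access is listed on the production protected environment.
PRODUCTION = ProtectedEnvironment.new('production', [], ['deployers'])
POLICY = DeployPolicy.new([PRODUCTION], maintainers_can_deploy: false)

OPERATOR       = Member.new('op',    ACCESS_LEVELS[:reporter],   ['deployers'])
DEVELOPER      = Member.new('dev',   ACCESS_LEVELS[:developer],  [])
MAINTAINER     = Member.new('mnt',   ACCESS_LEVELS[:maintainer], [])
GUEST_IN_GROUP = Member.new('guest', ACCESS_LEVELS[:guest],      ['deployers'])
MEMBERS = [OPERATOR, DEVELOPER, MAINTAINER, GUEST_IN_GROUP].freeze

if $PROGRAM_NAME == __FILE__
  %w[production staging].each do |env|
    puts "#{env}: #{POLICY.deploy_matrix(MEMBERS, env)}"
  end
end
```

The interesting row is the operator: a reporter listed through the deployers group may deploy to production but cannot push code, so `can_push_and_deploy?` is false for them, which is the segregation the issue is after. The unlisted developer and the maintainer are refused on production once the group option is off, while the unprotected `staging` environment behaves as it does today.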
Permissions and Security
The proposed solution does introduce an inconsistency given that it's an outlier that "allowed to deploy" users now have an elevated level of access specific to deployments. However, without it, I do not see a way to provide true segregation of duties.
The permissions are paired within the Core Policies and the EE Policies.