Settings (Secure & Defend)

Problem to solve

This issue is to discuss whether or not we should consider adding a Settings area for Secure. The problem to solve is that there's currently no way for admins to set requirements for their team. In a UX Feedback call with this customer (GitLab Ultimate customers), they requested the ability to require a comment for vulnerability dismissal. This is one example of something that might go into a Secure settings area.

Intended users

User experience goal

The user should be able to find the settings area and set requirements and/or preferences for Secure (and Defend?) features.

Proposal

Some ideas for a settings area:

  • Settings > *Security & Compliance (*this would be a new subnav addition under "Settings")
  • Security & Compliance > Configuration
  • Security & Compliance > *Settings (*this would be a new subnav addition under "Security & Compliance")
  • A settings icon on the current Security Dashboard
  • A widget or settings icon from the future Security Dashboard (once it's split out from the Vulnerability List, the latter of which we're currently calling the "Security Dashboard")
  • Other ideas?

The "Settings" page is already tied to the Maintainer/Owner permission level, so that could be the best place to start. However, for the use case of requiring a comment on a vulnerability dismissal, it would make sense to add the setting from the Security Dashboard. We should also keep in mind that we may have other settings in the future that don't apply to one specific page.

Update (8/26/2020): The location of Secure settings is dependent upon @nudalova and @rayana's Settings UX results

Goals

  • Determine what settings (and possibly preferences) we foresee needing in the near future (between now ~ FY21) across all Secure and Defend groups
  • Determine how to organize these, what levels they should apply to (project/group/instance/all), and where they should live (partly determined by the results of the UX-wide research; see Settings UX epic)
  • Plan for research, if needed

Process

  • Meet with Threat Insights UX (Andy V) and PM (Matt W) team to establish ownership and collaboration efforts going forward
  • Collect needs from Secure and Defend groups (ones on our current radar, anyway - this list will evolve over time!)
  • Meet with Rayana who is working on Settings UX across GitLab for consistency across stages
  • Affinity diagram to find themes in Mural
  • TBD: Meet with Tali if research needs arise
  • Iterate, get feedback, iterate, get feedback, iterate

Permissions and Security

Documentation

What does success look like, and how can we measure that?

Links / references

List of setting needs - please contribute!: Google Spreadsheet

Edited by Becka Lippert