Provide a Configuration option to prevent Maintainers from adding/editing environments to projects
Release notes
If you are looking for a way to maintain separation of duties in GitLab by using Maintainers and Developers, but are discouraged that Maintainers can add or remove environments, we now have a solution! In 13.7, users can configure Maintainers' ability to remove or change environments.
Problem to solve
Some organizations allow Developers to set up environments for development, testing, etc., but not to deploy code to production. Granting this kind of permission requires those users to have the Maintainer role, which currently does not prevent them from creating or modifying environments, including production. A configuration option for the Maintainer role that lets the ability to add/edit environments be managed and/or restricted would enable an organization to give developers the permissions they need to configure projects without the risk of breaking compliance policies.
Intended users
- Cameron (Compliance Manager)
- Devon (DevOps Engineer)
- Sidney (Systems Administrator)
- Rachel (Release Manager)
- Allison (Application Ops)
- Priyanka (Platform Engineer)
User experience goal
A user should be able to go to the settings of their group and project to prevent maintainers from adding or editing environments.
Proposal
Based on this proposal.
- Developer or above role can create a non-protected environment. (Existing)
- Only allowed members (role-based, user-name-based or group-name-based) can deploy to a protected environment. (Existing)
- We introduce a new feature to lock the protected environment rules. This lock can be controlled only by the Owner role (higher than Maintainer).
- When the protected environment rules are locked, they become read-only for the Maintainer role.