Allow Auditor users access to all Vulnerability Management features
Problem to solve
Not all areas of Vulnerability Management fully support the Auditor user's access. This user is supposed to have read-only access to most data in GitLab. With only some vulnerability management areas supported, these users' jobs are harder because they cannot always reach the data they need in the most convenient place.
Intended users
Anyone with the Auditor user type.
User experience goal
Auditor users will have the appropriate read-only view and access to all areas of vulnerability management.
Further details
The goal here is two-fold. First, evaluate all vulnerability management features to ensure the Auditor user has proper access. Then, create implementation issues to address any identified shortcomings.
The following are known and best-guess assessments of where things stand today:
Area | Functionality | Current Status | Status Verified? | Implementation Issue |
---|---|---|---|---|
Project | Vulnerability Report | not accessible | no | - |
Project | Security Dashboard | not accessible | no | - |
Project | Security & Compliance menu | not visible | no | - |
Project | Vulnerability details | unknown | no | - |
Group | Vulnerability Report | accessible | no | - |
Group | Vulnerability list export | unknown | no | - |
Group | Security Dashboard | not accessible | no | - |
Group | Security & Compliance menu | visible | no | - |
Security Center | Security menu entry | visible | no | - |
Security Center | Vulnerability report | accessible* | no | - |
Security Center | Security Dashboard | accessible* | no | - |
Security Center | Settings | *accessible but cannot add projects, see bug | no | - |
Merge Request | Security widget | unknown | no | - |
Pipeline | Security tab | unknown | no | - |
Permissions and Security
Auditor users should have read-only access to all data presented to a fully-privileged user for all of the above areas. Exporting vulnerability lists is one area that Auditors should have access to even though the report generation could be considered a write action.
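To make the rule above concrete, here is an added example (not GitLab's own policy code) of a minimal declarative-style policy that encodes it: an Auditor gets every read ability across the listed areas, export included, and no write ability, independent of any project or group membership. The ability names and roles are hypothetical stand-ins for illustration.

```ruby
# Added illustration, not GitLab's code: a toy policy encoding the rule that
# the Auditor user type is read-only across all vulnerability management areas.
require 'set'

# Hypothetical read abilities, one per area/functionality in the table above.
# Export is deliberately classed as a read ability, as the issue requires.
READ_ABILITIES = %i[
  read_project_vulnerability_report read_project_security_dashboard
  read_security_compliance_menu read_vulnerability_details
  read_group_vulnerability_report export_vulnerability_list
  read_group_security_dashboard read_security_center
  read_merge_request_security_widget read_pipeline_security_tab
].to_set.freeze

# Hypothetical write abilities an Auditor must never receive.
WRITE_ABILITIES = %i[
  admin_vulnerability create_vulnerability_issue add_security_center_project
].to_set.freeze

User = Struct.new(:name, :auditor, :member_role, keyword_init: true)

class VulnerabilityPolicy
  def initialize(user)
    @user = user
  end

  def allowed?(ability)
    return false unless READ_ABILITIES.include?(ability) || WRITE_ABILITIES.include?(ability)
    # Auditor: read-only everywhere, regardless of membership.
    return READ_ABILITIES.include?(ability) if @user.auditor

    case @user.member_role
    when :maintainer, :developer then true                       # read + write
    when :reporter then READ_ABILITIES.include?(ability)         # read only
    else false                                                   # guest / non-member
    end
  end

  # Expected abilities this user lacks: the gap list the table above tracks.
  def missing(expected)
    expected.reject { |ability| allowed?(ability) }
  end
end
```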
Documentation
Minimal changes to the Auditor user documentation are probably all that is needed. It may be enough to mention that vulnerability data is accessible.