Discovery: Two-person access controls for sensitive project settings

Overview

Making changes to important aspects of a project could result in significant changes. For compliance-minded organizations, having a single person in charge of these changes could pose an unacceptable security risk; beyond malicious activity, accidents are always a possibility when there's a single point of failure.

To solve for this, we should introduce a two-person control for sensitive changes that could result in data loss or the exposure of sensitive information.

Proposal

Original Proposal
  • Introduce a two-person access control pattern to the General view in project settings.
  • The use of two-person access controls should be configurable.
    • Ultimate feature.
  • Actions that could remove or expose sensitive information should require two Owners or administrators:
    • Changing project visibility to a less restrictive setting,
    • Changing feature availability,
    • Removing merge request restrictions,
    • Project removal.

  • Add a Group setting to enable/disable Two-person approvals for (regulated) projects
    • Implement logic for MR approval settings (the same ones in #39060 (closed)) so that if Two-person approvals is enabled
  • Add an entry to the Approvals view within the Compliance Dashboard with an Approve and Deny button
    • The setting that was changed should only take effect if Approved
    • The setting that was changed should retain its original value if Denied
    • The setting, from the perspective of the requestor, should have a visual indicator that it's "pending approval"
    • The person who changed the setting should receive a notification of the Approval or Denial

Approvals

Additional details

  • Actions that could qualify for two-person approval:
    • Changing project visibility to a less restrictive setting
    • Changing feature availability
    • Removing merge request restrictions
    • Project removal

More detail is needed here around how the workflow and UX might work for the user initiating a sensitive change and how other users become aware of the "second key" need and fulfill/reject the request.

Links & References

→ Figma

→ Mural

Edited by Austin Regnery
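
A minimal Ruby model of the approve/deny flow listed in the proposal above, added here as an illustration and not taken from GitLab's code base. The class `TwoPersonSetting`, its method names, the user hashes, and the rule that the approver must be a different person from the requester are assumptions.

```ruby
# Added illustration; class and method names are hypothetical, not GitLab code.
class TwoPersonSetting
  Forbidden = Class.new(StandardError)
  ALLOWED_ROLES = %i[owner admin].freeze # "two Owners or administrators"
  Pending = Struct.new(:requester, :new_value)

  attr_reader :value, :notifications

  def initialize(value)
    @value = value
    @pending = nil
    @notifications = [] # stand-in for real notification delivery
  end

  # The requester proposes a change; the live value stays untouched.
  def request_change(requester, new_value)
    raise Forbidden, "role not allowed" unless ALLOWED_ROLES.include?(requester[:role])
    raise ArgumentError, "a change is already pending" if @pending
    @pending = Pending.new(requester, new_value)
  end

  # Drives the "pending approval" indicator shown to the requester.
  def pending_approval?
    !@pending.nil?
  end

  def approve(approver)
    decide(approver) { |req| @value = req.new_value; :approved }
  end

  def deny(approver)
    decide(approver) { |_req| :denied } # original value is retained
  end

  private

  def decide(approver)
    raise ArgumentError, "no change is pending" unless @pending
    raise Forbidden, "role not allowed" unless ALLOWED_ROLES.include?(approver[:role])
    # Assumption: the second key must belong to a different person.
    raise Forbidden, "self-approval" if approver[:name] == @pending.requester[:name]
    outcome = yield(@pending)
    @notifications << [@pending.requester[:name], outcome] # notify the requester
    @pending = nil
    outcome
  end
end
```

A rejected approval attempt leaves the request pending, so a failed or unauthorized second key never changes the live setting.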