Allow Group-level protected environments to take inherited membership into account
Summary
Groups added as allowed to deploy to protected environments only allow direct members to deploy. Inherited members are not allowed to deploy to a protected environment.
Current behavior
- Configure the following group/project structure, where `UserA` is added as a Maintainer of `Parent_Group` and `UserB` is added directly to `Deploy_Group` as a Maintainer as well.
  - `Parent_Group`:
    - `Deploy_Group`
    - `Project`
- Add `Deploy_Group` as a group allowed to deploy into the `Project` protected environment.
- As `UserB`, try to deploy to the protected environment on `Project`. This operation succeeds.
- As `UserA`, try to deploy to the same protected environment. This operation fails because `UserA` doesn't have the necessary privileges for deployment.
`UserA` should be able to deploy: as a Maintainer on `Parent_Group`, they receive Maintainer privileges on `Deploy_Group` via inheritance, but inheritance is currently not taken into account for protected environments.
Proposal
- Add an option to Protected Environment to change the group-based access check behavior.
- There are two types of group-based access:
  - `direct`: Only direct members can deploy.
  - `all`: All members can deploy, including inherited members.
- Add a `group_inheritance_type` column to the `protected_environment_deploy_access_levels` table.
  - Enum values: `{ direct: 0, all: 1 }`.
  - The default is `direct`.
- Extend the API to allow users to set the value.
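The access check described in this proposal, written out as an added illustrative model in Ruby (not GitLab's own code): a deploy access level row names a group and a `group_inheritance_type`, and only the `all` type walks the ancestor groups. The group hierarchy, memberships and the `PARENT_OF`/`DIRECT_MEMBERS` tables are constructed sample data mirroring the scenario above.

```ruby
# Illustrative model of the proposed group-based access check (not GitLab code).
# "direct" (0) accepts only direct members of the allowed group; "all" (1) also
# accepts members inherited from ancestor groups.
GROUP_INHERITANCE_TYPES = { direct: 0, all: 1 }.freeze

# Constructed hierarchy from the issue: child group => parent group (nil = top-level).
PARENT_OF = { 'Parent_Group' => nil, 'Deploy_Group' => 'Parent_Group' }.freeze

# Constructed direct memberships: group => { user => role }.
DIRECT_MEMBERS = {
  'Parent_Group' => { 'UserA' => :maintainer },
  'Deploy_Group' => { 'UserB' => :maintainer }
}.freeze

# Ancestor groups of `group`, nearest first, following PARENT_OF.
def ancestors(group)
  chain = []
  while (parent = PARENT_OF[group])
    chain << parent
    group = parent
  end
  chain
end

# True when the user is a direct member of the group itself.
def direct_member?(user, group)
  DIRECT_MEMBERS.fetch(group, {}).key?(user)
end

# True when the user is a member directly or via any ancestor group.
def inherited_member?(user, group)
  direct_member?(user, group) || ancestors(group).any? { |g| direct_member?(user, g) }
end

# access_level stands in for one row of protected_environment_deploy_access_levels
# with a :group and the proposed :group_inheritance_type (defaults to direct).
def can_deploy?(user, access_level)
  group = access_level.fetch(:group)
  type = access_level.fetch(:group_inheritance_type, GROUP_INHERITANCE_TYPES[:direct])
  case type
  when GROUP_INHERITANCE_TYPES[:direct] then direct_member?(user, group)
  when GROUP_INHERITANCE_TYPES[:all]    then inherited_member?(user, group)
  else raise ArgumentError, "unknown group_inheritance_type: #{type.inspect}"
  end
end

# Two sample rows for Deploy_Group, one per inheritance type.
DIRECT_ROW = { group: 'Deploy_Group', group_inheritance_type: 0 }.freeze
ALL_ROW    = { group: 'Deploy_Group', group_inheritance_type: 1 }.freeze
```

With `DIRECT_ROW` the outcome matches the current behavior (`UserB` allowed, `UserA` refused); with `ALL_ROW` `UserA` is also allowed through `Parent_Group`, while a user in neither group stays refused.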
Edited by Shinya Maeda