Prevent admins from accessing group-level protected environment (optional)

Everyone can contribute. Help move this issue forward while earning points, leveling up and collecting rewards.

• Close this issue

Problem to solve

Organizations with strict compliance requirements need to ensure that only specific users can deploy into their environments. Group-level protected environments limit deploy_access_levels to lists of users or groups. However, admin users are able to override this protection and thus provide a compliance issue. Further, because of the inheritance of members in GitLab groups, adding groups to deploy_access_levels can be problematic in subgroups: Members of the top level group will also be members of the subgroup, leading to situations where the group structure has to be explicitly designed to support a granular definition of groups that are allowed to deploy.

Proposal

Add a parameter membership to the Group-level protected environments API with options all (default and current state, includes inherited members from higher level groups) and direct (only direct members of the groups in deploy_access_levels). direct may exclude admin users as well or, if that is too opaque and against practice for admin users, excluding admins from being allowed to deploy may be a separate paramter.

Intended users

• Cameron (Compliance Manager)
• Allison (Application Ops)

Feature Usage Metrics

• Number of group-level protected environments
• Number of users deploying to group-level protected environments