Get protected environment details via API
Problem to solve
We currently have a proposal to add protected environments features to the API, but the information it returns does not include a way to see who has permissions to deploy.
A customer has requested this feature here: https://gitlab.zendesk.com/agent/tickets/137909
Intended users
Only users who currently have deploy access to a protected environment should be able to view other users with deploy access.
Further details
The main use case here is compliance and consistency - to make sure that the same set of users have access to deploy across protected environments, it would be useful to check which users have deploy access on other related projects, and set those on other projects via the new API proposal I linked above.
Proposal
What I have in mind is a route like this:
GET /projects/:id/environments/:environments_id/deploy_access
with fields for users, groups, and roles of users who are allowed to deploy to that environment.
Permissions and Security
Two lines of thinking here:
- Only Maintainers on the project can view the users with deploy access, since only Maintainers can configure protected environments: https://docs.gitlab.com/ee/ci/environments/protected_environments.html
- Alternatively, any user with deploy permissions on the environment can view others with deploy access.
The second option seems more complex (and potentially expensive for the initial permissions check) so I'd opt for Maintainers only to keep things consistent.
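An added illustration, not part of the original issue and not GitLab's implementation, of why the second option costs more at check time: Maintainers-only is a single role comparison, while "anyone who can deploy" has to evaluate user, role, and group rules. The `DeployAccess` and `Viewer` shapes, the method names, and the sample data are assumptions made for this sketch; only the users / groups / roles fields come from the proposal.

```ruby
require 'set'

# GitLab access level values.
DEVELOPER  = 30
MAINTAINER = 40

# Hypothetical shape of one environment's deploy access (assumption),
# built from the users / groups / roles fields the proposal names.
DeployAccess = Struct.new(:user_ids, :group_ids, :min_role, keyword_init: true)

# Hypothetical viewer: project role plus a counted group-membership lookup.
class Viewer
  attr_reader :id, :project_role, :group_lookups

  def initialize(id:, project_role:, group_ids: [])
    @id = id
    @project_role = project_role
    @group_ids = group_ids.to_set
    @group_lookups = 0
  end

  # Stands in for a membership query; counted to expose the extra cost.
  def member_of?(group_id)
    @group_lookups += 1
    @group_ids.include?(group_id)
  end
end

# Option 1: Maintainers only. One comparison, independent of the rules.
def can_view_option1?(viewer, _access)
  viewer.project_role >= MAINTAINER
end

# Option 2: any user who can deploy. Every rule type must be evaluated,
# and group rules need one membership lookup per listed group.
def can_view_option2?(viewer, access)
  return true if access.user_ids.include?(viewer.id)
  return true if access.min_role && viewer.project_role >= access.min_role
  access.group_ids.any? { |gid| viewer.member_of?(gid) }
end

# Constructed sample data (not from the issue).
PROD = DeployAccess.new(user_ids: [7], group_ids: [100, 101, 102], min_role: MAINTAINER)
DEV_IN_GROUP = Viewer.new(id: 12, project_role: DEVELOPER, group_ids: [102])
DEV_OUTSIDE  = Viewer.new(id: 13, project_role: DEVELOPER)
```

With this sample data, a Developer who deploys through a group rule is denied under option 1 and allowed under option 2, but only after a lookup for each group listed on the environment.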