Allow Operator (Reporter) to run a pipeline, not just a deployment job
Problem
Protected Environment has a feature that allows Reporter role users to execute deployment jobs. This is an important piece of the segregation of duties, in which:
- Developers have read-write permission to the code. They have read-only permission to higher environments.
  - In the GitLab permission model, they are assigned the Maintainer role.
- Operators have read-write permission to higher environments. They have read-only permission to the code.
  - In the GitLab permission model, they are assigned the Reporter role.
However, operators (Reporter role) can't run a new pipeline, so they have to ask developers to run one every time. This is because CI/CD permission is tightly coupled to branch/tag access (i.e. code access). To summarize:
- Developer role or above can run a pipeline, because they have access to branches/tags.
- If the branches/tags are protected, only the assigned users can run a pipeline.
We have to think about a way to let operators flexibly run a deployment pipeline if they have access to the protected environment.
Related: https://gitlab.com/ubs-group1/ubs/ubs-global/-/issues/154
Proposal
TBD
We should evaluate if it makes sense to extend the feature to allow Operators to run a deployment pipeline.