Add Push Rules to restrict modification of MR approvals
Problem to solve
Compliance-minded organizations rely on specific controls within GitLab to adhere to internal company policies and legal or regulatory compliance frameworks. An issue encountered by Administrators of a GitLab instance is that a project Owner can modify the Merge request approvals settings for a project they own, push code into production, and then re-enable the Merge request approvals settings. This creates a gap in an organization's separation of duties and access control policies and introduces risk to a production environment.
Intended users
Further details
This type of feature has been requested by the following customers (not exhaustive; all links are internal use):
- https://gitlab.my.salesforce.com/0016100001bNIN0?srPos=5&srKp=001
- https://gitlab.my.salesforce.com/00161000004zrG3?srPos=0&srKp=001
- https://gitlab.my.salesforce.com/00161000004xr45?srPos=0&srKp=001
- https://gitlab.my.salesforce.com/0016100000Ut0gh?srPos=1&srKp=001
A blunt approach of restricting all modifications by any non-administrator role is disruptive to productivity, but a precedent already exists for inherited permissions when an administrator changes a setting.
Use Cases
- I'm an administrator who wants to prevent any non-administrators from changing critical project settings
Proposal
Introduce an instance-level setting in Push Rules to restrict the three most important Merge request approvals settings at the project level:
- Prevent approval of merge requests by merge request author
- Prevent approval of merge requests by merge request committers
- Approvers List
  - This would restrict all action items such as "Edit", "Delete", or "Add"
At the Project level, these settings should only be editable by Administrators, but still be visible to non-admins for information purposes.
We should also consider changing the name of this page from Push Rules to just Rules for now. With the introduction of these changes and potential additions down the road outside of push rules, I'd like to start the process of migrating the concept now.
Permissions and Security
Only Administrators should be able to modify the merge request approval settings that were inherited from the instance-level settings chosen.
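The following is an added illustrative model of the permission check this proposal describes; it is not GitLab's own code and uses hypothetical names (`InstanceRules`, `ProjectApprovalSettings`, the `LOCKABLE_SETTINGS` keys). It shows the three lockable settings being rejected for a project Owner while staying editable by an Administrator, settings outside the lock remaining Owner-editable, and every denied attempt being recorded so the scenario from the problem statement (an Owner turning off a guard to push and then turning it back on) leaves a trace for review.

```ruby
# Hypothetical model of the proposed instance-level lock on merge request
# approval settings. Illustrative only; not GitLab's implementation.

# The three project-level settings the proposal would let an administrator
# lock from the instance-level Rules page (names are assumptions).
LOCKABLE_SETTINGS = %i[
  prevent_author_approval
  prevent_committer_approval
  approvers
].freeze

# Instance-level rules: which project settings are locked for non-admins.
# Anything not listed stays editable by project Owners as it is today.
InstanceRules = Struct.new(:locked_settings)

class User
  attr_reader :name, :role

  def initialize(name, role)
    @name = name
    @role = role # :admin, :owner, :maintainer, :developer
  end

  def admin?
    role == :admin
  end
end

class ProjectApprovalSettings
  attr_reader :settings, :audit_log

  def initialize(settings)
    @settings = settings.dup
    @audit_log = []
  end

  # Apply a batch of requested changes on behalf of `user`.
  # Locked settings are applied only for administrators; every decision is
  # logged so an auditor can see attempts to weaken the inherited controls.
  # Returns { applied: {...}, rejected: {...} }.
  def update(user, changes, instance_rules)
    applied = {}
    rejected = {}
    changes.each do |key, value|
      locked = instance_rules.locked_settings.include?(key)
      if locked && !user.admin?
        rejected[key] = value
        @audit_log << "DENIED #{user.name} (#{user.role}) tried to set #{key}=#{value.inspect}"
      else
        @settings[key] = value
        applied[key] = value
        @audit_log << "ALLOWED #{user.name} (#{user.role}) set #{key}=#{value.inspect}"
      end
    end
    { applied: applied, rejected: rejected }
  end
end

# Constructed scenario: an instance with all three settings locked, one
# project, an Owner and an Administrator.
def demo
  rules = InstanceRules.new(LOCKABLE_SETTINGS)
  project = ProjectApprovalSettings.new(
    prevent_author_approval: true,
    prevent_committer_approval: true,
    approvers: ["security-team"],
    approvals_required: 2 # not part of the proposal; stays Owner-editable
  )
  owner = User.new("owner-alice", :owner)
  admin = User.new("admin-bob", :admin)

  # The Owner tries to disable the self-approval guard (locked) and lower the
  # approval count (not locked) in the same request.
  owner_result = project.update(owner, { prevent_author_approval: false, approvals_required: 1 }, rules)
  # The Administrator extends the approvers list, which the lock permits.
  admin_result = project.update(admin, { approvers: ["security-team", "release-managers"] }, rules)

  { project: project, owner_result: owner_result, admin_result: admin_result }
end

if __FILE__ == $PROGRAM_NAME
  result = demo
  puts result[:project].audit_log
  puts "final settings: #{result[:project].settings.inspect}"
end
```

The key design point is that the check is evaluated per setting rather than per request: a mixed update from an Owner still applies the permitted change, rejects the locked one, and records both outcomes, so the inherited control is never silently weakened and the rejection itself is visible in the audit log.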