Approve Merge Requests - Customizable Permissions
Problem to solve
Today users don't have the ability to separate out the duties between the engineering security teams in a way that adheres to the Principle of Least Privilege. Security teams need to be able to approve merge requests, but don't necessarily need to make changes directly to a code base.
Intended users
Proposal
- Add the following customer permissions to a custom role (built on top of the Reporter role as a base):
  - Approve Merge Requests - admin_*
- Today users can approve merge requests if they have Developer or higher permissions, are added as approvers at the project or merge request level, or are code owners of the files changed in the merge request. This change removes the requirement of a Developer role and requires the permission Approve Merge Requests.
Further details
- The permissions in the new customizable roles framework are additive only. Instead of the Change vulnerability status permission being included as a part of both the Developer and Maintainer roles, users will need to do something like Reporter + Change vulnerability status.
- admin_* is the equivalent of read/write, while read_* is the equivalent of read only.
Documentation
Availability & Testing
Available Tier
Implementation Plan
- Create a database migration to add an admin_merge_request column to the member_roles table.
- Add condition role_enables_admin_merge_request to project policy.
- Add rule to enable admin_merge_request when the role_enables_admin_merge_request condition is satisfied.
- Add a test to ensure this permission works in private projects as well as public projects. (example)
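An added sketch of steps 2 to 4 of the plan as a self-contained Ruby model; it is not GitLab's policy code and not from the issue author. The class and struct names, the numeric access levels, the licence gate on the condition, and the unchanged Developer-or-higher path are assumptions made for illustration.

```ruby
# Illustrative model of the plan above; not GitLab's policy code.
ACCESS = { guest: 10, reporter: 20, developer: 30, maintainer: 40 }.freeze

# Constructed stand-in for a member_roles row (step 1 adds the boolean column).
MemberRole = Struct.new(:base_access_level, :admin_merge_request, keyword_init: true)
# Constructed stand-ins for a membership and a project.
Member  = Struct.new(:access_level, :member_role, keyword_init: true)
Project = Struct.new(:visibility, :custom_roles_licensed, :members, keyword_init: true)

class ProjectPolicyModel
  def initialize(user, project)
    @project = project
    @member  = project.members[user] # nil for non-members
  end

  # Step 2: the condition. Assumption: it is false without the
  # custom_roles licensed feature and for users with no custom role.
  def role_enables_admin_merge_request?
    return false unless @project.custom_roles_licensed
    @member&.member_role&.admin_merge_request == true
  end

  # Step 3: the rule. Additive only: the custom permission can grant
  # admin_merge_request on top of the base role, never take it away.
  def can_admin_merge_request?
    return false if @member.nil? # project visibility alone grants nothing
    developer_or_higher = @member.access_level >= ACCESS[:developer]
    developer_or_higher || role_enables_admin_merge_request?
  end
end

# Step 4: the same memberships checked against a private and a public project.
def approval_matrix(licensed: true)
  approver_role = MemberRole.new(base_access_level: ACCESS[:reporter], admin_merge_request: true)
  members = {
    'security_reviewer' => Member.new(access_level: ACCESS[:reporter], member_role: approver_role),
    'plain_reporter'    => Member.new(access_level: ACCESS[:reporter], member_role: nil),
    'developer'         => Member.new(access_level: ACCESS[:developer], member_role: nil)
  }
  %i[private public].to_h do |visibility|
    project = Project.new(visibility: visibility, custom_roles_licensed: licensed, members: members)
    users = members.keys + ['non_member']
    [visibility, users.to_h { |u| [u, ProjectPolicyModel.new(u, project).can_admin_merge_request?] }]
  end
end
```

The negative cases (a plain Reporter, a non-member of a public project, and a custom role on an unlicensed group) are the ones a least-privilege review should insist on alongside the positive test.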
Verification Steps
Use https://gitlab.com/custom-roles-root-group because it is a root group and has the custom_roles licensed feature.