View Dependency List - Customizable Permissions
Problem to solve
Today users don't have the ability to separate out the duties between the engineering security teams and developers in a way that adheres to the Principle of Least Privilege. Security teams need to be able to view a Dependency List, but don't necessarily need to make changes directly to a code base.
Intended users
Proposal
add the following customer permissions to a custom role (built on top of the Reporter role as a base):
-
View Dependency List
- read_*
Further details
- The new customizable roles framework permissions is additive only. Instead of
Change vulnerability status
permission included as a part of both theDeveloper
andMaintainer
roles, users will need to do something likeReporter
+Change vulnerability status
. - admin_* is the equivalent of read/write, while read_* is the equivalent of read only.
Documentation
Availability & Testing
Available Tier
Implementation Plan
-
Add read_dependency
column tomember_roles
table. -
Add condition role_enables_read_dependency
to project policy. -
Add rule to enable read_dependencies
when therole_enables_read_dependency
condition is satisfied. -
Update documentation
Verification Steps
- Create a new group
- Create a member role via the API. documentation
- List the member roles via the API. documentation
- ensure that a new member role record exists
- Delete the member role via the API. documentation
- List the member roles via the API. documentation
- ensure that the member role record is deleted
See example in #415255 (comment 1480186100) and #415255 (comment 1482172587).
This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.