
View Dependency List - Customizable Permissions

Problem to solve

Today users don't have the ability to separate out the duties between the engineering security teams and developers in a way that adheres to the Principle of Least Privilege. Security teams need to be able to view a Dependency List, but don't necessarily need to make changes directly to a code base.

Intended users

Proposal

Add the following custom permission to a custom role (built on top of the Reporter role as a base):

  1. View Dependency List - read_* (implemented as read_dependency)

Further details

  • The new customizable roles framework is additive only. Instead of the Change vulnerability status permission being included as part of both the Developer and Maintainer roles, users will need to compose something like Reporter + Change vulnerability status.
  • admin_* permissions are the equivalent of read/write, while read_* permissions are the equivalent of read only.

Documentation

Availability & Testing

Available Tier

GitLab Ultimate

Implementation Plan

  • Add read_dependency column to member_roles table.
  • Add condition role_enables_read_dependency to project policy.
  • Add rule to enable read_dependencies when the role_enables_read_dependency condition is satisfied.
  • Update documentation
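The plan above amounts to one boolean column, one policy condition and one rule. The following is an added example, not GitLab's own code: it models that shape in plain Ruby so the additive behaviour can be checked without a GitLab instance. The names member_roles.read_dependency, role_enables_read_dependency and read_dependencies come from the implementation plan; the access-level constants, the BASE_ABILITIES subset and the ProjectPolicy evaluator are constructed stand-ins for GitLab's DeclarativePolicy, not its real policy classes.

```ruby
# Added example (not GitLab code): a minimal model of a custom role built on the
# Reporter base that gains read_dependency without gaining any write ability.
# Column/condition/ability names follow the issue's implementation plan; the
# evaluator itself is a simplified stand-in for GitLab's DeclarativePolicy.

REPORTER  = 20
DEVELOPER = 30

# Abilities granted by the base access level alone (constructed subset, for illustration).
BASE_ABILITIES = {
  REPORTER  => %i[read_project read_issue].freeze,
  DEVELOPER => %i[read_project read_issue push_code read_dependencies].freeze,
}.freeze

# One row of the member_roles table: a base level plus additive boolean columns.
MemberRole = Struct.new(:name, :base_access_level, :read_dependency, keyword_init: true)

class ProjectPolicy
  def initialize(member_role)
    @role = member_role
  end

  # condition: role_enables_read_dependency
  def role_enables_read_dependency?
    @role.read_dependency == true
  end

  # rule: enable :read_dependencies when role_enables_read_dependency holds.
  # Custom permissions only ever add to the base level's abilities.
  def allowed
    abilities = BASE_ABILITIES.fetch(@role.base_access_level).dup
    abilities << :read_dependencies if role_enables_read_dependency?
    abilities.uniq
  end

  def can?(ability)
    allowed.include?(ability)
  end
end

# Sanity check for the "additive only" property: a custom role must keep every
# ability of its base level, whatever custom columns are set.
def additive?(member_role)
  base = BASE_ABILITIES.fetch(member_role.base_access_level)
  (base - ProjectPolicy.new(member_role).allowed).empty?
end

# A security reviewer: Reporter base + read_dependency, no code write access.
SECURITY_REVIEWER = MemberRole.new(name: "security-reviewer",
                                   base_access_level: REPORTER,
                                   read_dependency: true)
```

Evaluating ProjectPolicy.new(SECURITY_REVIEWER) grants read_dependencies but not push_code, which is the separation of duties the issue asks for; a plain Reporter (read_dependency: false) gets neither, and a Developer keeps read_dependencies from its base level regardless of the column.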

Verification Steps

  1. Create a new group
  2. Create a member role via the API (see the member roles API documentation)
  3. List the member roles via the API (see the member roles API documentation)
    • ensure that a new member role record exists
  4. Delete the member role via the API (see the member roles API documentation)
  5. List the member roles via the API (see the member roles API documentation)
    • ensure that the member role record is deleted

See example in #415255 (comment 1480186100) and #415255 (comment 1482172587).
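Steps 2 to 5 above can be scripted so the two "ensure" checks are asserted rather than eyeballed. The following is an added example and not part of this issue or of GitLab's code base. It uses the documented group member roles endpoints (POST and GET /groups/:id/member_roles, DELETE /groups/:id/member_roles/:member_role_id, authenticated with a PRIVATE-TOKEN header); the transport abstraction, the FakeMemberRolesApi used to run offline, the GITLAB_URL/GITLAB_TOKEN/GITLAB_GROUP_ID environment variables and the role name "security-reviewer" are assumptions of the example.

```ruby
require "json"
require "net/http"
require "uri"

# Added example, not GitLab code: drives the Verification Steps against the
# group member roles API and returns the outcome of both "ensure" checks.
class MemberRolesClient
  # transport: callable (verb, path, body_hash_or_nil) -> [http_status, parsed_json_or_nil].
  # Defaults to a real Net::HTTP transport; tests inject FakeMemberRolesApi instead.
  def initialize(group_id, transport: nil)
    @group_id = group_id
    @transport = transport || method(:http_transport)
  end

  def create(name:, base_access_level:, read_dependency:)
    status, body = @transport.call(:post, "/groups/#{@group_id}/member_roles",
                                   { name: name, base_access_level: base_access_level,
                                     read_dependency: read_dependency })
    raise "create failed: HTTP #{status}" unless status == 201
    body
  end

  def list
    status, body = @transport.call(:get, "/groups/#{@group_id}/member_roles", nil)
    raise "list failed: HTTP #{status}" unless status == 200
    body
  end

  def delete(member_role_id)
    status, _ = @transport.call(:delete, "/groups/#{@group_id}/member_roles/#{member_role_id}", nil)
    raise "delete failed: HTTP #{status}" unless status == 204
    true
  end

  private

  # Real transport: GITLAB_URL and GITLAB_TOKEN are assumed environment variables.
  def http_transport(verb, path, body)
    uri = URI("#{ENV.fetch('GITLAB_URL', 'https://gitlab.example.com')}/api/v4#{path}")
    req = Net::HTTP.const_get(verb.to_s.capitalize).new(uri)
    req["PRIVATE-TOKEN"] = ENV.fetch("GITLAB_TOKEN")
    if body
      req["Content-Type"] = "application/json"
      req.body = JSON.generate(body)
    end
    res = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == "https") { |h| h.request(req) }
    [res.code.to_i, res.body.to_s.empty? ? nil : JSON.parse(res.body)]
  end
end

# Steps 2-5: create a Reporter-based role with read_dependency, check it is listed,
# delete it, check it is gone. Returns a hash so a harness can assert on it.
def verify_member_role_lifecycle(client)
  created = client.create(name: "security-reviewer", base_access_level: 20, read_dependency: true)
  id = created.fetch("id")
  present = client.list.any? { |r| r["id"] == id && r["read_dependency"] == true }
  client.delete(id)
  gone = client.list.none? { |r| r["id"] == id }
  { id: id, created: present, deleted: gone }
end

# Constructed in-memory stand-in for the API so the example runs without a GitLab instance.
class FakeMemberRolesApi
  def initialize
    @roles = {}
    @next_id = 1
  end

  def call(verb, path, body)
    if verb == :post && path.end_with?("/member_roles")
      role = body.merge(id: @next_id).transform_keys(&:to_s)
      @roles[@next_id] = role
      @next_id += 1
      [201, role]
    elsif verb == :get && path.end_with?("/member_roles")
      [200, @roles.values]
    elsif verb == :delete && (m = path.match(%r{/member_roles/(\d+)\z}))
      @roles.delete(m[1].to_i) ? [204, nil] : [404, nil]
    else
      [404, nil]
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  # With GITLAB_TOKEN set the real API is used; otherwise the fake keeps it offline.
  transport = ENV["GITLAB_TOKEN"] ? nil : FakeMemberRolesApi.new
  puts verify_member_role_lifecycle(MemberRolesClient.new(ENV.fetch("GITLAB_GROUP_ID", "1"), transport: transport))
end
```

Against a real instance the token needs the api scope and Owner access on the group, since member roles are managed at group level; a run that returns created: true and deleted: true covers both "ensure" bullets.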

This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.

Edited by mo khan