Add "Manage CI/CD Settings" as a customizable permission
Release notes
Group owners and project maintainers have the ability to manage CI/CD settings. This often leaves a user overprivileged, holding other destructive group or project permissions that they may not need. With the release of this permission, you can create a custom role that combines Developer (or any base role) with this permission to manage CI/CD settings.
Problem to solve
As organizations add users to their groups and projects, they are often forced to escalate privileges to achieve a specific permission. In this case, teams have to promote users to "Owner" on groups to manage variables and runners, or to Maintainer on projects, even though those users do not need the other static role permissions. A few other specifics include:
- Ability for maintainers to configure group runners and CI/CD variables without giving owner access. Users have to ask owners to make these changes or elevate privileges.
- Allow the developer to manage CI/CD variables without promoting to Maintainer.
- Developer leads needing to adjust CI/CD settings.
User experience goal
- When creating a role, any base can be selected. A new permission is available and labeled as "Manage CI/CD Settings".
- This role will allow a team member to edit any CI/CD settings under a group or project.
  - If the user role is assigned at the group level, they will be able to edit group CI/CD settings and subgroup + projects CI/CD settings. This continues to follow the waterfall permission model.
  - If the user role is assigned at the project level, they will only see CI/CD settings for the project.
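The waterfall behaviour described above, as an added Python sketch that is not GitLab code or part of the original issue: it resolves where a user holding a custom role can manage CI/CD settings when the role is assigned at group level versus project level. The namespace tree, user names and the `can_manage_cicd` and `reachable_scopes` helpers are constructed for illustration; only the permission name `admin_cicd_settings` comes from the proposal.

```python
from dataclasses import dataclass

PERMISSION = "admin_cicd_settings"  # permission name taken from the proposal

# Constructed namespace tree: path -> parent path (None for a top-level group).
# Leaf entries stand for projects, the rest for groups and subgroups.
PARENTS = {
    "acme": None,
    "acme/platform": "acme",
    "acme/platform/deploy-tools": "acme/platform",
    "acme/web": "acme",
    "acme/web/storefront": "acme/web",
}

@dataclass(frozen=True)
class Role:
    base: str                          # base role the custom role builds on
    permissions: frozenset = frozenset()

# Constructed memberships: (user, namespace) -> role assigned there.
MEMBERSHIPS = {
    # Group-level assignment: Developer plus the new permission.
    ("dana", "acme/platform"): Role("Developer", frozenset({PERMISSION})),
    # Project-level assignment of the same custom role.
    ("eli", "acme/web/storefront"): Role("Developer", frozenset({PERMISSION})),
    # Plain Developer on the top-level group, no custom permission.
    ("fay", "acme"): Role("Developer"),
}

def ancestors(path):
    """Yield the namespace itself, then each enclosing group up to the root."""
    while path is not None:
        yield path
        path = PARENTS[path]

def can_manage_cicd(user, path):
    """True if the permission is held on path or inherited from an ancestor."""
    return any(
        PERMISSION in MEMBERSHIPS[(user, ns)].permissions
        for ns in ancestors(path)
        if (user, ns) in MEMBERSHIPS
    )

def reachable_scopes(user):
    """Every group or project whose CI/CD settings the user could edit."""
    return sorted(p for p in PARENTS if can_manage_cicd(user, p))
```

Running `reachable_scopes` per member gives a quick review of how far each assignment reaches before it is granted, which is the comparison to make against promoting the same user to Maintainer or Owner.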
Intended users
Proposal
- When creating a role, any base can be selected. A new permission is available and labeled "Manage Merge Request Settings" that can be selected.
- The permission actions for `admin_cicd_settings` include:
Group Actions | Project Actions |
---|---|
|
|
- As future CI/CD settings are released, these should be added to this permission, `admin_cicd_settings`.
- This will not include instance CI/CD settings.
- Over time, customers may request that these resources be fine-grained. For example, today CI/CD variables are available, and a future request can come for artifacts.
Views + Workflows include:
- Base + permission: Can see Group -> Settings -> CI/CD settings
- Base + permission: Can see Project -> Settings -> CI/CD settings
APIs
- https://docs.gitlab.com/ee/api/project_level_variables.html
- https://docs.gitlab.com/ee/api/group_level_variables.html
- https://docs.gitlab.com/ee/api/protected_environments.html
- https://docs.gitlab.com/ee/api/group_protected_environments.html
- https://docs.gitlab.com/ee/api/pipeline_triggers.html
- https://docs.gitlab.com/ee/api/secure_files.html
- https://docs.gitlab.com/ee/api/graphql/reference/#mutationprojectcicdsettingsupdate
Documentation
- Permission Description: Configure CI/CD settings at the group or project level. Group actions include .... Project actions include .
- Update prerequisites for...
Evidence
Edited by Joe Randazzo