
Add "Manage Security Policies" as a permission for custom roles

Release notes

The default Maintainer role is currently required to create, update, and delete security policies, which leads to over-privileged users. With the release of this permission, you can create a custom role and grant it only this permission to enable least-privileged access.

Background

Today, a user must be a project or group maintainer to create or update a security policy.

This results in teams escalating a security engineer to Owner at the group or project level.

Proposal and User Experience

  1. When creating a custom role, any base role can be selected. A new permission labeled "Manage Security Policies" is available and can be selected.
  2. This permission (`admin_security_policies`) grants the role holder the ability to:
    • Create, Read, Update, and Delete individual security policies at the group or project level.
  3. Permission dependencies
    1. create_project
    2. create_merge_request
| | Group Actions | Project Actions |
|---|---|---|
| Create/Update Requirements | Merge Request Approval Policy, Scan Execution Policy | Merge Request Approval Policy, Scan Execution Policy |
| Read Requirements | View security policies | View security policies |
| Delete Requirements | Delete policy | Delete policy |

Views+Workflows include:

  • Base + permission: Can see Group+Project -> Secure -> Policies List
  • Base + permission: Can see Group+Project -> Policies -> New Policy Project Button
  • Base + permission: Can see Group+Project -> Policies -> Policy / Edit Policy
  • Base + permission: Can see Group+Project -> Policies -> Edit Policy / Delete Button
  • Base + permission: Workflows in /security/policies/ including creating a MR approval policy and scan execution policy

API for reference

Documentation

  • Permission Title: "Manage Security Policies"
  • Permission Description: Create, read, update, and delete security policies at the group or project level.
  • Update the prerequisites for Enforce Policies to cover the `Owner` role and the `custom permission`
Edited by Joe Randazzo