Review and update permissions for compliance center APIs
Problem to solve
In 17.0, editing Compliance frameworks from the group/project settings was removed. This was replaced by using the Compliance projects report.
This was only a UI change, and the underlying APIs may still allow certain access to complete functionality.
Proposal
Review the APIs used by the compliance center and confirm that:
- Ultimate top-level group owners and maintainers have full access
- Ultimate subgroup/project owners and maintainers have view access
- Premium top-level group owners and maintainers have access to add/edit/apply frameworks (not adherence or violation)
  - Cannot edit/add compliance pipelines
  - Cannot link policies
- Premium subgroup/project owners and maintainers have view frameworks access (not adherence or violation)
Potentially, this will require a breaking change.
Edited by Nate Rosandich