Provide an "out of the box" "Security Auditor" or "App Sec Admin Role"
Problem to solve
Make it easier for GitLab customers using Ultimate Edition by providing an "out of the box" Security Auditor or App Sec Admin type of Role. The nomenclature is less important than the notion that this Role would be pre-configured to be able to triage defects found, create policy, and manage policy.
Intended users
InfoSec personas who are focused solely on managing security policy and triaging defects which violate policy, who do not write code, and who do not require the highly privileged Owner Role.
Further details
At present, in GitLab 17.0, it is possible for Ultimate Edition users to create such a Role by leveraging Custom Roles. Commonly, this Role must be able to approve merge requests, view defects found by security analyzers, and update a defect finding's status. Such a Role is usually created by starting with the Reporter Role and adding specific security permissions:
- Viewing the dependency list (read_dependency).
- Viewing the security dashboard and vulnerability report (read_vulnerability).
- Approving a merge request (admin_merge_request).
- Changing status of a vulnerability (admin_vulnerability).
- Managing security policy linkage (manage_security_policy_link).
Doing so incurs some administrative overhead and it would be a convenience if such a Role were available without needing to create it as a Custom Role.
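As an added example (not part of this issue and not GitLab's own code), the following shell script builds the Custom Role described above and submits it through GitLab's Member Roles API, and also checks that the payload enables nothing beyond the five listed permissions. GITLAB_URL, GITLAB_TOKEN and GROUP_ID are assumed environment variables; base_access_level 20 is the Reporter access level.

```shell
#!/bin/sh
# Added example: create the "Security Auditor" Custom Role via the
# GitLab Member Roles API (group endpoint shown; self-managed instances
# also expose an instance-level /api/v4/member_roles endpoint).
# Assumed environment: GITLAB_URL, GITLAB_TOKEN (Owner-level token), GROUP_ID.

# Emit the JSON body: Reporter base level (20) plus exactly the five
# security-centric permissions named in the issue.
security_auditor_role_json() {
  cat <<'EOF'
{
  "name": "Security Auditor",
  "description": "Reporter plus security triage and policy permissions",
  "base_access_level": 20,
  "read_dependency": true,
  "read_vulnerability": true,
  "admin_merge_request": true,
  "admin_vulnerability": true,
  "manage_security_policy_link": true
}
EOF
}

# Least-privilege check: every permission enabled in the payload must be in
# the allow-list. Returns 0 if so, 1 if an unexpected permission is enabled.
check_role_payload() {
  allowed="read_dependency read_vulnerability admin_merge_request admin_vulnerability manage_security_policy_link"
  security_auditor_role_json | grep -o '"[a-z_]*": true' | cut -d'"' -f2 | while read -r perm; do
    case " $allowed " in
      *" $perm "*) ;;
      *) echo "unexpected permission enabled: $perm" >&2; exit 1 ;;
    esac
  done
}

# Submit the role to the group. Fails loudly on any non-2xx response.
create_security_auditor_role() {
  check_role_payload || return 1
  security_auditor_role_json | curl --fail --silent --show-error \
    --request POST \
    --header "PRIVATE-TOKEN: ${GITLAB_TOKEN:?set GITLAB_TOKEN}" \
    --header "Content-Type: application/json" \
    --data @- \
    "${GITLAB_URL:-https://gitlab.example.com}/api/v4/groups/${GROUP_ID:?set GROUP_ID}/member_roles"
}
```

Run `create_security_auditor_role` once per group; the check runs first so a mistakenly added permission (for example an admin_group_member flag) aborts the request before anything is created.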
Proposal
Provide a pre-configured Role which has all the permissions of the Reporter Role, plus the aforementioned five security-centric permissions, as a standard Role in GitLab Ultimate Edition. Name it Security Auditor or App Sec Admin or something similarly meaningful to InfoSec personas.