Add "Read Compliance" as a customizable permission

Background

Group owners and project owners have the ability to read + update compliance frameworks, and settings in the compliance center. While admin_compliance_frameworks allows read and write using custom roles, organizations would like to also be able to just read compliance center, frameworks, and settings.

Proposal and User Experience

1. When creating a custom role, any base can be selected. A new permission is available and labeled "Read Compliance" that can be selected.
2. The permission actions for read_compliance includes being able to read compliance capabilities under the compliance center at the group or project level:

Group Actions	Project Actions
Read Compliance Center including: Adherence Violations Frameworks Projects	Read Compliance Center including: Adherence Violations Frameworks

Views+Workflows include:

• Base + Permission: Can see Group > Secure > Compliance Center
• Base + Permission: Can see Project > Secure > Compliance Center

Impacted APIs

Documentation

• Permission Title: "Read Compliance"
• Permission Description: "Read compliance capabilities including adherence, violations, and frameworks for groups and projects."
• Update prerequisites for feature documentation. Include links to feature pages.

Evidence

• #391760 (comment 2218246199)
• #391760 (comment 2087145281)

Implementation Plan

• Using the custom roles doc add read_compliance_dashboard as a custom ability.
• Update group & project policy to enable read_compliance_dashboard when a user is assigned to a member role with that custom ability.
• Add read_compliance_dashboard as a requirement for admin_compliance_framework.
• Create a background migration to enable read_compliance_dashboard when admin_compliance_framework is enabled.
• Disable New framework button in the frontend when read_compliance_dashboard is enabled but not admin_compliance_framework.

Original request

Our customer is trying to incorporate security engineer oversight into their instance but without any of the "write" permissions. Ideally, their security engineers can pull data and vulnerabilities and, in this case, would like to also "read-only" the compliance frameworks available and in place across the instance.

added Category:Permissions groupauthorization typefeature labels

added devopsgovern sectionsec labels

changed milestone to %Backlog

added to epic &12619

Thanks for creating this request @guillene

Customer interested from this comment: #391760 (comment 2218246199)

Customer interested from this comment: #391760 (comment 2087145281)

changed title from Read_Only Permission to View Compliance Frameworks to Add "Read Compliance" as a customizable permission

added customer label

mentioned in issue #391760

changed the description

changed the description

added priority1 label

added workflowplanning breakdown label

@khornergit @nrosandich The groupauthorization is planning to add this permission as a follow-up iteration to admin_compliance_frameworks. Is there anything to consider while adding read only permissions around the compliance center?

Thats great to hear @jrandazzo.

My only consideration would be that at project level the compliance center is already read only. Also some functionality at sub-group level is read only.

@xanf worked on this recently and was planning on putting together some documentation around all the different functionality, namespace levels and permissions.

Thanks @jrandazzo . As @nrosandich mentioned, if we could map it together with the read only functionality that we have at project and sub-group level, that would be great

Otherwise, looks good to me.

@guillene correct me if I'm wrong: if we add "read compliance" permission we will need immediately (as soon as it is available to users) implement it's support on compliance center (currently there is no support of "read only" mode for top-level groups)

/cc @nrosandich

My only consideration would be that at project level the compliance center is already read only. Also some functionality at sub-group level is read only.

Good to know. Confirming - Owner is still required to read this page at the project level?

Correct, either Owner or the compliance permission

changed the description

removed from epic &12619

added gitlab-org#14746 as parent epic

added workflowready for development label and removed workflowplanning breakdown label

changed milestone to %Next 1-3 releases

mentioned in issue gitlab-org/govern/authorization/team-tasks#90

changed milestone to %17.7

added permissionscustom roles label

assigned to @hmehra

added auto-report::OKR5 label

changed the description

changed the description

changed the description

Hey @xanf we have two policies in the compliance area that look similar, read_compliance_framework and read_compliance_dashboard. Since you have recently worked in this area, do you know if they can be combined to be the same policy?

@hmehra no

• read_compliance_framework allows accessing framework information in multiple places (for example you just need custom compliance framework & top-level group access) to access information about current compliance frameworks (so this permission is available to any role - just to see "compliance framework" assigned
• read_compliance_dashboard is an access to compliance dashboard in UI

added workflowin dev label and removed workflowready for development label

mentioned in merge request !175066 (merged)

Async issue update

• Current status: An implementation plan has been added to the issue description, and a draft MR is up !175066 (merged)

• Shipping this milestone: Unlikely

• Scope reduction: Unsure, need to figure out which policies are needed by the APIs, #465324 (comment 2247463727)

changed milestone to %17.8

set weight to 3

added #509555 (closed) as child task

added workflowin review label and removed workflowin dev label

Async issue update

• Current status: MR in review, !175066 (merged)
• Shipping this milestone: Yes
• Scope reduction opportunities: No