Support a feature like AWS IAM Policy Simulator in GitLab
Problem
Given the complexity of our architecture, with permission inheritance and group/project sharing, it is very hard to figure out what permissions a principal actually ends up with when a particular custom role (with custom permissions) is applied to them. We have already seen multiple security issues in custom permissions where the custom permission ended up being too permissive and led to privilege escalation.
Proposal
Roll out a capability like the AWS IAM Policy Simulator that can be used both by developers (who build these custom permissions) and by users (group owners) to see exactly which permissions apply to a given principal when a corresponding custom role is attached to that principal. This will help both developers and customers use custom permissions more effectively and eliminate the privilege escalation issues we are currently seeing.
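As an added illustration (not GitLab's authorization code, and not its real role, ability or permission names), here is a small Ruby model of the resolver such a simulator needs: it walks group inheritance and project shares, applies a constructed custom role, and reports which abilities a principal holds only because of that custom role, which is the question a reviewer asks when checking a custom permission for over-reach. The access levels, the ability sets per role, and the rule that a share cap drops the principal to a plain base role are all assumptions of this model.

```ruby
require 'set'

# Constructed, simplified model of role inheritance. Not GitLab's real
# policy code and not its real ability names; levels and abilities are
# sample data chosen for the example.
ACCESS_LEVELS = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

# Abilities each base role adds on top of the roles below it (constructed).
BASE_ABILITIES = {
  guest:      Set[:read_project, :read_issue],
  reporter:   Set[:read_code, :create_issue],
  developer:  Set[:push_code, :create_merge_request],
  maintainer: Set[:admin_project, :manage_members],
  owner:      Set[:delete_project, :manage_billing]
}.freeze

# Cumulative abilities for a numeric access level.
def abilities_for_level(level)
  ACCESS_LEVELS.select { |_, v| v <= level }.keys
               .map { |r| BASE_ABILITIES[r] }.reduce(Set.new, :|)
end

# A custom role = a base role plus extra permissions granted on top of it.
CustomRole = Struct.new(:name, :base, :extra)
Group      = Struct.new(:name, :parent)
Project    = Struct.new(:name, :group, :shares)   # shares: { Group => max access level }
Membership = Struct.new(:user, :target, :role)    # role: base symbol or CustomRole

# Chain of groups from the node's own group up to the root (inclusive).
def ancestors(node)
  chain = []
  g = node.is_a?(Project) ? node.group : node
  while g
    chain << g
    g = g.parent
  end
  chain
end

def role_level(role)
  role.is_a?(CustomRole) ? ACCESS_LEVELS.fetch(role.base) : ACCESS_LEVELS.fetch(role)
end

def role_abilities(role, cap: nil)
  level = role_level(role)
  # Model assumption: a share cap below the role's level reduces the principal
  # to a plain base role at the cap, so custom permissions do not pass through.
  return abilities_for_level(cap) if cap && cap < level

  abilities = abilities_for_level(level)
  abilities |= role.extra if role.is_a?(CustomRole)
  abilities
end

# Effective abilities of a user on a project: union over direct or inherited
# group memberships and over groups the project is shared with (capped).
def simulate(user, project, memberships)
  scopes = [project] + ancestors(project)
  memberships.select { |m| m.user == user }.reduce(Set.new) do |acc, m|
    acc |= role_abilities(m.role) if scopes.include?(m.target)
    project.shares.each do |shared_group, cap|
      acc |= role_abilities(m.role, cap: cap) if ancestors(shared_group).include?(m.target)
    end
    acc
  end
end

# Abilities the user holds on the project only because of custom roles:
# re-run the simulation with every custom role replaced by its base role.
def escalation_report(user, project, memberships)
  plain = memberships.map do |m|
    m.role.is_a?(CustomRole) ? Membership.new(m.user, m.target, m.role.base) : m
  end
  simulate(user, project, memberships) - simulate(user, project, plain)
end

# Constructed sample hierarchy: acme -> platform -> api, shared with contractors.
ACME        = Group.new('acme', nil)
PLATFORM    = Group.new('acme/platform', ACME)
CONTRACTORS = Group.new('contractors', nil)
API         = Project.new('acme/platform/api', PLATFORM, { CONTRACTORS => ACCESS_LEVELS[:reporter] })

SEC_REVIEWER = CustomRole.new('sec_reviewer', :guest, [:read_code, :admin_vulnerability])
VULN_DEV     = CustomRole.new('vuln_dev', :developer, [:admin_vulnerability])

MEMBERSHIPS = [
  Membership.new(:alice, ACME, SEC_REVIEWER),      # inherited down to api
  Membership.new(:bob, CONTRACTORS, :maintainer),  # reaches api only via the capped share
  Membership.new(:carol, CONTRACTORS, VULN_DEV)    # custom role behind the cap
].freeze

if __FILE__ == $PROGRAM_NAME
  %i[alice bob carol].each do |u|
    puts "#{u}: #{simulate(u, API, MEMBERSHIPS).to_a.sort} " \
         "(from custom role: #{escalation_report(u, API, MEMBERSHIPS).to_a.sort})"
  end
end
```

The `escalation_report` diff is the output a reviewer of a new custom permission wants: for `alice` it lists exactly the two abilities her custom role adds on `api`, while for `carol` it is empty because the share cap has already reduced her to a plain reporter, so the custom permission never reaches the project in this model.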
/cc @jayswain @jrandazzo