Custom roles are not able to be selected for merge request approval policies

Summary

Whenever you attempt to add a specific custom role to a merge request approval policy, you will receive an error message stating "Required approvals exceed eligible approvers." even though there are enough eligible approvers as direct members on the projects. I have tested this with roles based on Developer and Maintainer and get the same error.

Steps to reproduce

  1. Create a custom role with Developer as base role and add any additional permissions
  2. Create a sample project
  3. Invite 2 or more users with the custom role to the project
  4. Create a merge request approval policy
  5. Set it for all merge requests on all branches (behaviour applies to any policy)
  6. Select "Require 1 approval from" and select "Role", then the custom role you created previously
  7. Enter a name and select save
  8. You will be prompted with an error: "Required approvals exceed eligible approvers."

Example Project

I have created a public example project for this bug: https://gitlab.com/tloughlin_ultimate_group/public/public-example-organisation/reproduction-project

What is the current bug behavior?

Users are unable to create merge request approval policies that require approval from a custom role.

What is the expected correct behavior?

Merge request approval policies can be created that require approval from a custom role successfully when there are enough approvers with the custom role in the project.

Relevant logs and/or screenshots

Example policy YAML:

approval_policy:
  - name: Demo Policy
    description: ''
    enabled: true
    rules:
      - type: ''
    actions:
      - type: require_approval
        approvals_required: 1
        role_approvers:
          - 2004608
      - type: send_bot_message
        enabled: true
    approval_settings:
      block_branch_modification: true
      prevent_pushing_and_force_pushing: true
      prevent_approval_by_author: true
      prevent_approval_by_commit_author: true
      remove_approvals_with_new_commit: true
      require_password_to_approve: false
    fallback_behavior:
      fail: closed

Output of checks

This bug happens on GitLab.com

Possible fixes

      member_roles
        .permissions_where(admin_merge_request: true)
        .or(member_roles.where("base_access_level > ?", Gitlab::Access::REPORTER))
        .pluck_primary_key
Edited by 🤖 GitLab Bot 🤖
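
The eligibility rule sketched under "Possible fixes", applied to the policy from this report, as an added plain-Ruby example that is not code from the issue or from GitLab. The access-level integers match `Gitlab::Access`; the structs, method names, member data and the `9000001`/`9000002` role IDs are constructed for illustration.

```ruby
# Added example, not GitLab's implementation. Only custom-role IDs in
# role_approvers are modelled; names and sample data are constructed.
REPORTER  = 20 # Gitlab::Access::REPORTER
DEVELOPER = 30 # Gitlab::Access::DEVELOPER

MemberRole = Struct.new(:id, :base_access_level, :permissions)
Member     = Struct.new(:username, :access_level, :member_role_id)

# Custom roles allowed to approve, following the "Possible fixes" snippet:
# admin_merge_request enabled, or a base role above Reporter.
def approver_role_ids(member_roles)
  member_roles.select do |role|
    role.permissions[:admin_merge_request] || role.base_access_level > REPORTER
  end.map(&:id)
end

# Usernames that count towards a require_approval action's role_approvers.
def eligible_approvers(action, members, member_roles)
  wanted = action.fetch('role_approvers', []) & approver_role_ids(member_roles)
  members.select { |m| wanted.include?(m.member_role_id) }.map(&:username)
end

# Returns nil when the action can be satisfied, otherwise the error text.
def validate_action(action, members, member_roles)
  count = eligible_approvers(action, members, member_roles).size
  return nil if action['approvals_required'] <= count

  'Required approvals exceed eligible approvers.'
end

# Constructed data mirroring the report: two direct members hold role 2004608.
ROLES = [
  MemberRole.new(2004608, DEVELOPER, {}),                          # Developer-based
  MemberRole.new(9000001, REPORTER, { admin_merge_request: true }), # eligible via permission
  MemberRole.new(9000002, REPORTER, {})                            # not eligible
].freeze
MEMBERS = [
  Member.new('alice', DEVELOPER, 2004608),
  Member.new('bob',   DEVELOPER, 2004608),
  Member.new('carol', REPORTER,  9000002)
].freeze
ACTION = { 'type' => 'require_approval', 'approvals_required' => 1,
           'role_approvers' => [2004608] }.freeze

puts validate_action(ACTION, MEMBERS, ROLES).inspect
```
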