Grant important missing read_ permissions to the auditor user


Definition of Done

  1. Customers want to enable the Auditor user (usually given to security teams) to fulfill their compliance requirements (such as SOX audits), so grant the missing read_ permissions needed for that
    1. @jrandazzo can you fill these
    2. Work through permissions which may be dependent on other configuration settings.
    3. Misleading "Read" perms that actually grant mutating permissions should not be given to the auditor.
    4. It appears that auditor users should not have access to group or project settings, which makes me assume that they cannot read those settings.
    5. IMPORTANT: ensure that auditors cannot read sensitive data such as CI/CD variables or other secrets.
  2. Specs
    1. Newly introduced "read" permissions are always enabled for auditors.
    2. All read permissions in the GroupPolicy and ProjectPolicy are enabled for auditors.

Ian: Another thing to consider is that read permissions might not follow the naming convention of read_ or the read permission might be implemented in an object other than the group or project. We might need some product help to define what permissions an auditor should actually have so that we can write both positive and negative test cases. This might be a good first example of extracting a role from the policy files https://gitlab.com/gitlab-org/gitlab/-/issues/523522+. While an auditor is a type of user, it might be helpful to treat it as a role. Just food for thought.

An initial test (stale) showed the missing permissions:

Projects missing 54 read permissions
:read_ai_agents
:read_all_organization_resources
:read_ci_pipeline_schedules_plan_limit
:read_cluster_agent
:read_commit_committer_check
:read_commit_committer_name_check
:read_compliance_adherence_report
:read_compliance_dashboard
:read_compliance_violations_report
:read_coverage_fuzzing
:read_dedicated_hosted_runner_usage
:read_deploy_board
:read_deploy_token
:read_dora4_analytics
:read_enterprise_ai_analytics
:read_external_emails
:read_feature_flag
:read_freeze_period
:read_google_cloud_artifact_registry
:read_grafana
:read_harbor_registry
:read_import_error
:read_internal_note
:read_iteration
:read_limit_alert
:read_member_access_request
:read_member_role
:read_namespace_catalog
:read_observability
:read_pod_logs
:read_pro_ai_analytics
:read_product_analytics
:read_prometheus
:read_protected_branch
:read_protected_tags
:read_reject_non_dco_commits
:read_reject_unsigned_commits
:read_resource_group
:read_runner
:read_runner_cloud_provisioning_info
:read_runner_gke_provisioning_info
:read_runner_usage
:read_runners_registration_token
:read_saved_replies
:read_secret_push_protection_info
:read_secure_files
:read_security_configuration
:read_security_orchestration_policy_project
:read_sentry_issue
:read_statistics
:read_storage_disk_path
:read_usage_quotas
:read_vulnerability_statistics
:read_web_hook
Groups missing 44 read permissions
:read_ci_cd_analytics
:read_code
:read_confidential_epic
:read_counts
:read_crm_contact
:read_crm_organization
:read_dedicated_hosted_runner_usage
:read_deploy_token
:read_design_activity
:read_enterprise_ai_analytics
:read_epic_iid
:read_group_activity_analytics
:read_group_analytics_dashboards
:read_group_coverage_reports
:read_group_credentials_inventory
:read_group_saml_identity
:read_harbor_registry
:read_internal_note
:read_jobs_statistics
:read_limit_alert
:read_member_access_request
:read_member_role
:read_namespace_cluster_agent_mapping
:read_namespace_via_membership
:read_note
:read_package
:read_pro_ai_analytics
:read_product_analytics
:read_prometheus
:read_release
:read_resource_access_tokens
:read_runner_cloud_provisioning_info
:read_runner_gke_provisioning_info
:read_runner_usage
:read_runners_registration_token
:read_saml_user
:read_saved_replies
:read_security_configuration
:read_security_orchestration_policy_project
:read_statistics
:read_timelog_category
:read_usage_quotas
:read_vulnerability_statistics
:read_web_hook
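An added example, not GitLab's own code: a small Ruby triage helper for the work described above. It takes a policy's read_* abilities, separates the ones the auditor still lacks into "grant" and "review" buckets (holding back any whose name suggests tokens, secrets or credentials, per point 1.5), and checks the spec that newly introduced read_* abilities are enabled for auditors. The ability lists and the SENSITIVE_FRAGMENTS patterns are constructed assumptions of this example, not GitLab's policy data.

```ruby
# Constructed sample: a subset of the project abilities listed above.
PROJECT_READ_ABILITIES = %i[
  read_cluster_agent read_compliance_dashboard read_deploy_token
  read_feature_flag read_protected_branch read_runner
  read_runners_registration_token read_secure_files read_web_hook
].freeze

# Abilities the auditor already has in this constructed scenario.
AUDITOR_ENABLED = %i[read_cluster_agent read_feature_flag].freeze

# Name fragments that hint at credentials or secrets (assumed list); each hit
# needs a human to confirm what the ability exposes before it is granted.
SENSITIVE_FRAGMENTS = %w[token secret credential secure_file variable].freeze

def sensitive?(ability)
  name = ability.to_s
  SENSITIVE_FRAGMENTS.any? { |fragment| name.include?(fragment) }
end

# Returns { grant: [...], review: [...] } for read_* abilities the auditor
# does not yet have; sensitive-looking names go to :review, not :grant.
def auditor_grant_plan(read_abilities, auditor_enabled)
  missing = read_abilities.select { |a| a.to_s.start_with?("read_") } - auditor_enabled
  review, grant = missing.partition { |a| sensitive?(a) }
  { grant: grant, review: review }
end

# Spec check: every read_* ability added since `previous` must be enabled for
# the auditor. Returns the offenders; an empty array means the spec holds.
def unenabled_new_read_abilities(previous, current, auditor_enabled)
  (current - previous).select { |a| a.to_s.start_with?("read_") } - auditor_enabled
end

plan = auditor_grant_plan(PROJECT_READ_ABILITIES, AUDITOR_ENABLED)
puts "grant:  #{plan[:grant].join(', ')}"
puts "review: #{plan[:review].join(', ')}"
```

The review bucket is the list a human must walk through; an ability only moves to the grant bucket after confirming it exposes no secret material.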