BE: Extend policy bypass option to include user/group selection

Overview

This backend change extends the existing merge request approval policy bypass functionality to support granular user and group selection. Instead of blanket policy bypasses, the system will allow configuration of specific users, groups, and roles who can invoke policy exceptions during critical situations.

What needs to be built

  • User/Group Selection API: Backend endpoints to configure and manage which users, groups, and custom roles can bypass specific approval policies
  • Policy Bypass Authorization: Enhanced authorization logic to validate if the requesting user has bypass permissions based on configured user/group exceptions
  • Git Push Option Extension: Extend git push options to accept and require bypass-reason parameter when policy bypass is invoked, ensuring justification is provided at push time
  • Audit Trail Enhancement: Extended audit logging to capture user identity, group membership, policy context, and bypass reasoning when bypasses are invoked
  • Configuration Storage: Database schema updates to store user/group exception mappings at the policy level

Expected behavior

When a user attempts to bypass an approval policy, the system validates their identity against the configured exception list (users, groups, or roles). Authorized users can proceed with the bypass after providing justification via git push options (e.g., git push -o bypass-reason="Emergency security hotfix"), while unauthorized users receive appropriate error messages. All bypass attempts generate comprehensive audit events regardless of success or failure.

Technical notes

  • Feature should be gated behind a feature flag for gradual rollout
  • Must maintain backward compatibility with existing policy bypass functionality
  • Requires integration with GitLab's existing role-based access control system
  • Git push option bypass-reason must be mandatory when bypass is invoked and validated for minimum content requirements
  • Should support both individual user IDs and group membership validation
  • Audit events must comply with existing security and compliance logging standards
Edited by Alan (Maciej) Paruszewski
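
The check described under "Expected behavior" and "Technical notes", as an added Ruby example that is not GitLab's code and not part of the original issue: it validates the pusher against the policy's user, group and role exceptions, requires the bypass-reason push option, and records an audit event whether the attempt is allowed or denied. The struct and method names, the 10-character minimum reason length and the sample policy are assumptions made for illustration.

```ruby
require 'time'

# Hypothetical model, not GitLab's schema: the exception list stored on a policy.
BypassPolicy = Struct.new(:name, :user_ids, :group_ids, :role_names, keyword_init: true)
Actor = Struct.new(:id, :username, :group_ids, :role_names, keyword_init: true)

MIN_REASON_LENGTH = 10 # assumed; the issue only says "minimum content requirements"

# Push options reach the server as plain "key=value" strings.
def bypass_reason(push_options)
  opt = push_options.find { |o| o.start_with?('bypass-reason=') }
  opt && opt.split('=', 2).last.strip
end

# Returns which kind of exception entry matched the actor, or nil.
def matched_exception(policy, actor)
  return :user if policy.user_ids.include?(actor.id)
  return :group unless (policy.group_ids & actor.group_ids).empty?
  return :role unless (policy.role_names & actor.role_names).empty?
  nil
end

# Evaluate one bypass attempt; an audit event is appended whether it is allowed or denied.
def evaluate_bypass(policy, actor, push_options, audit_log)
  reason = bypass_reason(push_options)
  match = matched_exception(policy, actor)
  error =
    if match.nil? then 'user is not in the policy bypass exception list'
    elsif reason.nil? then 'bypass-reason push option is required'
    elsif reason.gsub(/\s+/, '').length < MIN_REASON_LENGTH then 'bypass-reason is too short'
    end
  audit_log << {
    at: Time.now.utc.iso8601, policy: policy.name, user: actor.username,
    group_ids: actor.group_ids, matched_by: match, reason: reason,
    allowed: error.nil?, error: error
  }
  { allowed: error.nil?, error: error }
end

# Constructed sample data.
POLICY = BypassPolicy.new(name: 'require-security-approval', user_ids: [7],
                          group_ids: [42], role_names: ['release-manager'])
ONCALL = Actor.new(id: 101, username: 'oncall', group_ids: [42], role_names: [])
OUTSIDER = Actor.new(id: 102, username: 'dev', group_ids: [5], role_names: [])
```

Authorization is checked before the reason so that an unauthorized user gets the same denial whether or not a reason was supplied; the audit record still keeps whatever reason was sent.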