Developers cannot view security attributes or categories

Summary

Developers with access to a subgroup or project under a group are unable to view or apply predefined security attributes.
Although the admin_security_attributes and read_security_attribute permissions exist (possibly applied incorrectly?), GraphQL queries return empty or null responses for security categories and attributes.

Related thread:

#576032 (comment 2811121461)

Observed behavior

  • getSecurityCategoriesAndAttributes query returns [] or null for non-maintainers (e.g., Developers).
  • The securityCategories field is null or empty, even though default categories should be returned.

Example queries

For top-level group:

{ group(fullPath: "gitlab-org") { securityCategories { id } } }

→ returns securityCategories: null

For subgroup:

{ group(fullPath: "gitlab-org/security-risk-management/security-platform-management-group") { securityCategories { id } } }

→ returns securityCategories: []

Expected:
securityCategories should include the predefined Business Impact category (and other default categories).

For project-level attributes:

{ project(fullPath: "gitlab-org/project-name") { securityAttributes { nodes { name } } } }

→ Developers see no assigned attributes, even when they exist.
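
To make the role comparison reproducible, the script below (an added example, not code from the issue author or from GitLab) runs the group and project queries quoted above once with a Maintainer token and once with a Developer token and classifies each response as null, empty or populated. The GraphQL endpoint, the two tokens and the group path are assumed command-line inputs; the sample responses at the bottom are constructed to mirror the three results quoted in the issue.

```python
import json
import sys
import urllib.request

# The queries quoted in the issue, parameterised on the full path.
GROUP_CATEGORIES_QUERY = '{ group(fullPath: "%s") { securityCategories { id } } }'
PROJECT_ATTRIBUTES_QUERY = '{ project(fullPath: "%s") { securityAttributes { nodes { name } } } }'


def classify_categories(response):
    """Classify a response to GROUP_CATEGORIES_QUERY.

    Returns 'error', 'no-group' (path not visible to the caller), 'null',
    'empty' or 'populated'.
    """
    if response.get("errors"):
        return "error"
    group = (response.get("data") or {}).get("group")
    if group is None:
        return "no-group"
    categories = group.get("securityCategories")
    if categories is None:
        return "null"
    return "populated" if categories else "empty"


def classify_attributes(response):
    """Classify a response to PROJECT_ATTRIBUTES_QUERY with the same labels."""
    if response.get("errors"):
        return "error"
    project = (response.get("data") or {}).get("project")
    if project is None:
        return "no-project"
    attrs = project.get("securityAttributes")
    if attrs is None:
        return "null"
    return "populated" if (attrs.get("nodes") or []) else "empty"


def visibility_gap(maintainer_label, developer_label):
    """True when the Maintainer sees data but the Developer gets null or [].

    This is the signature the issue describes. A Developer who cannot see
    the path at all ('no-group' / 'no-project') is normal authorisation,
    not this bug, so it is not reported as a gap.
    """
    return maintainer_label == "populated" and developer_label in ("null", "empty")


def run_query(endpoint, token, query):
    """POST one GraphQL query (endpoint is assumed, e.g. https://gitlab.example/api/graphql)."""
    body = json.dumps({"query": query}).encode()
    req = urllib.request.Request(
        endpoint,
        data=body,
        headers={"Content-Type": "application/json", "Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def check_group(endpoint, maintainer_token, developer_token, full_path):
    """Run the group query as both roles and return (maintainer, developer, gap)."""
    query = GROUP_CATEGORIES_QUERY % full_path
    m = classify_categories(run_query(endpoint, maintainer_token, query))
    d = classify_categories(run_query(endpoint, developer_token, query))
    return m, d, visibility_gap(m, d)


# Constructed sample responses mirroring the results quoted in the issue;
# the category id is a placeholder, not a real GitLab global id.
SAMPLE_NULL = {"data": {"group": {"securityCategories": None}}}
SAMPLE_EMPTY = {"data": {"group": {"securityCategories": []}}}
SAMPLE_POPULATED = {"data": {"group": {"securityCategories": [{"id": "example-category-id"}]}}}

if __name__ == "__main__":
    if len(sys.argv) != 5:
        sys.exit("usage: check_categories.py <graphql-endpoint> <maintainer-token> <developer-token> <group-path>")
    endpoint, m_tok, d_tok, path = sys.argv[1:]
    m, d, gap = check_group(endpoint, m_tok, d_tok, path)
    print(f"maintainer={m} developer={d} gap={'YES' if gap else 'no'}")
```

Run it against a top-level group and a subgroup; a gap reported for a path the Developer is a member of reproduces the issue, while 'no-group' for the Developer means the path itself is not visible to that role and is a different question.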

Reference

The relevant resolver appears to be:
ee/app/graphql/resolvers/security/attributes_resolver.rb
Proposed Fix

TBD