Auditor role needs to be able to see project settings
Problem to solve
The Auditor role is added at the instance level and is granted read-only access to all groups and projects within the instance. This is problematic for compliance-minded organizations with stricter segregation-of-duties policies. While read-only access is positive, further restrictions should be available, such as preventing the Auditor from viewing code.
Currently, there is no way for an instance administrator to reduce the scope of an Auditor's permissions or customize them beyond simply creating an Auditor user with its default permissions and capabilities.
Additional Information
The Auditor role needs to be able to see project settings, who turned specific settings on or off, and audit logs.
There are likely additional areas an Auditor would need to access with read-only permissions.
Proposal
One proposal is to allow administrators to scope an Auditor user's permissions so that any area of a project that exposes code is excluded.
This will require validation to determine which areas are most necessary for access and which are the critical "no access" components.
What does success look like, and how can we measure that?
(If no way to measure success, link to an issue that will implement a way to measure this)