Permissions model for insights
Access
Which users should be able to view the insights pages?
This depends on whether this feature is implemented at the project-level, group-level or both.
- Should non-authenticated users be able to view this page for public projects/groups?
- Should access to insights be locked down to a certain role? Say Developer and above?
Resources included for visualisation
Some users may not be permitted to view certain resources that could be indexed by insights visualisations. For example, confidential issues would not be visible to non-project members. If the pages are accessible to non-project members should the counts in the visualisation only reflect the issues that this user's role permits?
For example, if a non-project member was to view a count for issues closed per month. Should this also count the confidential issues that they cannot see? If so, it could lead to discrepancies between the information and counts such a user could gather through similar searches in the issues lists.
-
Feature flag covered -
Project/group view access covered -
Individual resource access covered by using issuable finders