Include CSP in the policy hierarchy

Martin Cavojrequested to merge
541510-be-designation-of-a-csp-group-2 into master

What does this MR do and why?

When a group is designated as a CSP group, it is included in the hierarchy of all_security_orchestration_policy_configurations.

This is the first step behind a feature flag to ensure that CSP policies are propagated to all groups and projects.

Feature flag can toggle this behavior for a specific group, or its the root ancestor group.

References

Screenshots or screen recordings

Before (or with FF disabled) After
CleanShot_2025-05-22_at_19.38.37_2x CleanShot_2025-05-22_at_19.38.13_2x

How to set up and validate locally

  1. In rails console enable the feature flag 
    Feature.enable(:security_policies_csp)
  2. Create a top-level group and designate it as CSP: 
    Security::PolicySetting.instance.update! csp_namespace: Group.find(<group_id>)
  3. In the group, create a few security policies
  4. Create another top-level group
  5. Visit Secure -> Policies and verify that CSP policies are shown as well

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #541510 (closed)

Edited by Martin Cavoj

Merge request reports