
Show CSP Group Frameworks for Top-Level Groups

What does this MR do and why?

Makes the CSP frameworks visible to other top-level groups so that they can then be enforced in projects later.

How to set up and validate locally

Ensure you have a local setup with an ultimate license, and at least two top level groups.

Set up a group as the CSP group:

  1. Enable the feature flags:

    Feature.enable(:security_policies_csp)
    Feature.enable(:include_csp_frameworks)
  2. Create a top-level group and assign it as a CSP using rails console:

    Security::PolicySetting.instance.update! csp_namespace: Group.find(<group_id>)

Now navigate to your CSP group (for example gitlab-org/gitlab-test), open the Compliance Frameworks page and create a new framework, supplying at least a name, description and color.

When finished click on "Create Framework".

Now navigate to the Compliance Center of a different top-level group that is not the CSP group: the framework should be visible there as well.

In the same way, the update scenarios can be tested by clicking "Edit" on a framework, updating a requirement, or adding additional controls to an existing requirement.

Lastly, deletion can be tested by clicking the three dots next to the framework and choosing "Delete".

In all scenarios, changes made in the CSP group should be reflected in both the CSP group and all other top-level groups.
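The following is an added, self-contained Ruby model of the visibility rule this MR describes, written for this review and not taken from the GitLab code base. The `Framework` and `Group` structs, the `PolicySetting` class, the flag hash and the `assign_csp!` guard are assumptions that stand in for the real models named in the steps above; they exist only so the rule (own frameworks plus the CSP group's frameworks, read from the same records, so CSP-side edits and deletions propagate) can be exercised offline against constructed data.

```ruby
# Constructed model of the CSP framework visibility rule; not GitLab code.
# All names below are assumptions standing in for the real GitLab models.
Framework = Struct.new(:id, :name, :namespace_id, keyword_init: true)
Group = Struct.new(:id, :path, :parent_id, keyword_init: true) do
  # A top-level group has no parent (assumption mirroring Namespace#root?).
  def root?
    parent_id.nil?
  end
end

# Stand-in for Security::PolicySetting.instance: holds the CSP namespace id.
class PolicySetting
  attr_reader :csp_namespace_id

  def initialize
    @csp_namespace_id = nil
  end

  # Mirrors `update! csp_namespace: Group.find(<group_id>)`, with the extra
  # guard (assumption) that only a top-level group may be designated as CSP.
  def assign_csp!(group)
    raise ArgumentError, "CSP namespace must be a top-level group" unless group.root?
    @csp_namespace_id = group.id
    self
  end
end

# Both feature flags from step 1 must be enabled (assumption: treated as AND).
def csp_enabled?(flags)
  flags.values_at(:security_policies_csp, :include_csp_frameworks).all?
end

# Frameworks shown in a top-level group's Compliance Center: its own frameworks
# plus, when CSP is enabled and this is not the CSP group itself, the CSP
# group's frameworks. Because the CSP frameworks are read from the same records,
# an edit or deletion in the CSP group is visible everywhere immediately.
def visible_frameworks(group, frameworks, setting, flags)
  raise ArgumentError, "frameworks are scoped to top-level groups" unless group.root?
  own = frameworks.select { |f| f.namespace_id == group.id }
  csp_id = setting.csp_namespace_id
  return own unless csp_enabled?(flags) && csp_id && csp_id != group.id
  own + frameworks.select { |f| f.namespace_id == csp_id }
end

# Constructed sample data: two top-level groups, one subgroup, two frameworks.
def sample_scenario
  csp_group   = Group.new(id: 1, path: "gitlab-org", parent_id: nil)
  other_group = Group.new(id: 2, path: "acme", parent_id: nil)
  subgroup    = Group.new(id: 3, path: "gitlab-org/sub", parent_id: 1)
  frameworks = [
    Framework.new(id: 10, name: "SOC 2", namespace_id: 1),
    Framework.new(id: 11, name: "Internal", namespace_id: 2)
  ]
  setting = PolicySetting.new.assign_csp!(csp_group)
  flags = { security_policies_csp: true, include_csp_frameworks: true }
  { csp_group: csp_group, other_group: other_group, subgroup: subgroup,
    frameworks: frameworks, setting: setting, flags: flags }
end

if __FILE__ == $PROGRAM_NAME
  s = sample_scenario
  # The non-CSP group sees its own framework plus the CSP group's one.
  p visible_frameworks(s[:other_group], s[:frameworks], s[:setting], s[:flags]).map(&:name)
end
```

Running the file prints the framework names the non-CSP group sees; turning either flag off, or removing the framework from the shared list, changes that result in the same way the manual update and delete scenarios above are expected to.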

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #556290 (closed)

Edited by Jean van der Walt
