Allow CSP Frameworks to be assigned to projects by other root groups

Jean van der Waltrequested to merge
556639-allow-csp-frameworks-to-be-assigned-to-projects-by-other-root-groups into master

What does this MR do and why?

Makes the CSP frameworks visible to other top-level groups so that they can then be enforced in projects later.

How to set up and validate locally

Ensure you have a local setup with an ultimate license, and at least two top level groups.

Setup Group with CSP flag.

  1. Enable the feature flags:

    Feature.enable(:security_policies_csp)
Feature.enable(:include_csp_frameworks)

  2. Create a top-level group and assign it as a CSP using rails console:

    Security::PolicySetting.instance.update! csp_namespace: Group.find(<group_id>)

Now navigate to your CSP Group(example for gitlab-org/gitlab-test) to the Compliance Frameworks page and create a new framework. Making sure to at least supply a name name, description and color.

When finished click on "Create Framework".

Now navigate to the Compliance Center for a different top-level group that is not the CSP Group, the framework will be visible there as well.

Go to the projects tab, and underneath action click the pen icon and assign your newly created CSP Group framework to the project.

Go back to the framework landing page, the framework should now reflect that the project is associated to it.

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #556290

Edited by Jean van der Walt

Merge request reports