
Use instance MR approval settings on compliance projects

What does this MR do?

This MR allows instance-level MR approval settings overrides on compliance projects.

The MR to allow recording the compliance framework scoping of these instance-level settings is done in !33923 (merged)

Relates to #219359 (closed)

Feature flag

This feature is under a feature flag: project_compliance_merge_request_approval_settings

Design notes

This MR adds the flows highlighted in orange in the Mermaid diagram below.

graph LR
  a[Project] --> b0{Licensed?}

  b0 -->|Enabled| b1{Feature flag?}
  b0 -->|Disabled| c1[Use project-level]

  b1 -->|Enabled| b{Compliance?}
  b1 -->|Disabled| c2(Existing behaviour)

  b -->|Yes| c{Regulated?}
  b -->|No| d[Use project-level]

  c -->|Yes| e[Use instance-level]
  c -->|No| f[Use project-level]

  classDef orange fill:#FDBC60;
  class b1,b,c,d,e,f orange;

Screenshots

Apply to framework

Instance level: Screen_Shot_2020-06-15_at_10.01.10_pm | Project level: Screen_Shot_2020-06-15_at_10.01.28_pm

Do not apply to framework

Instance level: Screen_Shot_2020-06-15_at_10.18.37_pm | Project level: Screen_Shot_2020-06-15_at_10.19.25_pm

Looking closely at the above screenshots:

  1. When the compliance framework label (PCI-DSS) is selected at the instance level, or the project is assigned that label, the instance-level MR approval settings become the single source of truth (SSOT) and the project-level control is disabled.
  2. When the compliance framework label (PCI-DSS) is de-selected at the instance level, or the label is unassigned from the project, the project-level MR approval settings become the SSOT and the project-level control is enabled.
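The resolution flow from the diagram and the two cases above, written out as an added example in Ruby. This is not GitLab's own code: the struct, the constant holding the instance-level settings and the `resolve_mr_approval_settings` helper are all hypothetical names, and the settings values are constructed sample data.

```ruby
# Added example (not GitLab's code): decide whether a project's merge request
# approval settings come from the instance level or the project level, following
# the decision flow Licensed? -> Feature flag? -> Compliance? -> Regulated?.
# All names here are hypothetical and do not match GitLab's real classes.

# Constructed sample of instance-level MR approval settings. The instance settings
# are scoped to a set of compliance framework labels ("Regulated? Yes" in the diagram).
INSTANCE_APPROVAL_SETTINGS = {
  regulated_frameworks: ["PCI-DSS"],
  settings: { prevent_author_approval: true, require_password_to_approve: true }
}.freeze

# Minimal project model: the compliance framework label may be nil.
Project = Struct.new(:name, :compliance_framework, :approval_settings, keyword_init: true)

# Returns a hash describing the effective settings source:
#   :source                  -> :instance or :project
#   :settings                -> the settings hash that applies
#   :project_control_enabled -> whether the project-level UI control stays editable
def resolve_mr_approval_settings(project, licensed:, feature_flag_enabled:,
                                 instance: INSTANCE_APPROVAL_SETTINGS)
  project_level = {
    source: :project,
    settings: project.approval_settings,
    project_control_enabled: true
  }

  # Licensed? -> Disabled: use project-level.
  return project_level unless licensed
  # Feature flag? -> Disabled: existing behaviour, i.e. project-level settings.
  return project_level unless feature_flag_enabled
  # Compliance? -> No: the project carries no framework label, use project-level.
  return project_level if project.compliance_framework.nil?
  # Regulated? -> No: the instance settings are not scoped to this label.
  return project_level unless instance[:regulated_frameworks].include?(project.compliance_framework)

  # Regulated? -> Yes: instance-level settings are the SSOT and the project control is disabled.
  { source: :instance, settings: instance[:settings], project_control_enabled: false }
end

# Convenience wrapper mirroring "de-select the label at the instance level":
# the same instance settings with an empty framework scope.
def instance_settings_without_scope(instance = INSTANCE_APPROVAL_SETTINGS)
  instance.merge(regulated_frameworks: [])
end

if __FILE__ == $PROGRAM_NAME
  payments = Project.new(name: "payments", compliance_framework: "PCI-DSS",
                         approval_settings: { prevent_author_approval: false })
  result = resolve_mr_approval_settings(payments, licensed: true, feature_flag_enabled: true)
  puts "#{payments.name}: source=#{result[:source]} control_enabled=#{result[:project_control_enabled]}"
end
```

The `project_control_enabled` flag is what the screenshots show: it is false only on the single path where the instance settings win, so a project maintainer cannot silently weaken the approval rules on a regulated project while the flag and licence are on.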

Conformity

Availability and Testing

Security

If this MR contains changes to the processing or storing of credentials or tokens, to authorization and authentication methods, or to other items described in the security review guidelines:

  • [-] Label as security and @ mention @gitlab-com/gl-security/appsec
  • [-] The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • [-] Security reports checked/validated by a reviewer from the AppSec team
Edited by Tan Le
