Allow all users within a group to view all compliance frameworks
What does this MR do and why?
- Allows all members of a namespace (groups, and all subgroups) to read all information about all compliance frameworks within that root group.
- Splits the `:manage_compliance_framework` policy into `:manage_compliance_framework` and `:read_compliance_framework`.
  - Root namespace owners can still `:manage_compliance_framework` as before.
  - Any member of that group or subgroups can now `:read_compliance_framework` too. Previously they couldn't, which led to some strange things:
    - Subgroup maintainers that were not root group owners could see the "Compliance Framework" heading in the group settings page, but could not see the frameworks themselves. An error was displayed.
    - Subgroup users of all types could see the names of compliance frameworks in the UI when they were in use, but couldn't list them in the GraphQL API. There was no reason not to allow this.
- Rewrites many of the specs to make it clear that the `namespace` that a compliance framework belongs to should be a group namespace, not a user namespace. Will create a follow-up to enforce this at the model level.
How to set up and validate locally
Reproduction steps available on the bug issue: #349933 (closed)
But, tl;dr:
- Root-group owners should be able to create/update/delete/read all compliance frameworks.
- All users within the root group and all subgroups should be able to read all compliance frameworks.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Related to #349933 (closed)
Edited by Max Woolf