Approve Merge Requests - Customizable Permissions
### Problem to solve

Today users cannot separate duties between engineering and security teams in a way that adheres to the _Principle of Least Privilege_. Security teams need to be able to approve merge requests, but do not necessarily need to make changes directly to a code base.

### Intended users

* [Sam (Security Analyst)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sam-security-analyst)
* [Alex (Security Operations Engineer)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#alex-security-operations-engineer)

### Proposal

1. **Add** the following custom permission to a custom role (built on top of the Reporter role as a base):
   1. `Approve Merge Requests` - `admin_*`
2. Today users can approve merge requests if they have Developer or higher permissions, are added as approvers at the project or merge request level, or are code owners of the files changed in the merge request. This change removes the requirement for the Developer role and instead requires the `Approve Merge Requests` permission.

### Further details

- Permissions in the new customizable roles framework are _additive_ only. Instead of the `Change vulnerability status` permission being bundled into both the `Developer` and `Maintainer` roles, users will compose something like `Reporter` + `Change vulnerability status`.
- `admin_*` is the equivalent of read/write, while `read_*` is the equivalent of read only.

### Documentation

* [Merge request approval rules](https://docs.gitlab.com/ee/user/project/merge_requests/approvals/rules.html), also see [Eligible approvers](https://docs.gitlab.com/ee/user/project/merge_requests/approvals/rules.html#eligible-approvers)

### Availability & Testing

### Available Tier

~"GitLab Ultimate"

### Implementation Plan

* [x] Create a database migration to add an `admin_merge_request` column to the `member_roles` table.
* [x] Add condition `role_enables_admin_merge_request` to [project policy](https://gitlab.com/gitlab-org/gitlab/-/blob/2fba651fed4594c9ad7618888c038badb632befa/ee/app/policies/ee/project_policy.rb#L223-227).
* [x] Add rule to enable `admin_merge_request` when the `role_enables_admin_merge_request` condition is satisfied.
* [ ] Add a test to ensure this permission works in private projects as well as public projects. [example](https://gitlab.com/gitlab-org/gitlab/-/blob/380bb17bde22aac88aa61611d57095bb898cd0a2/ee/spec/features/merge_request/user_sees_approve_via_custom_role_spec.rb#L7)

### Verification Steps

Use https://gitlab.com/custom-roles-root-group because it is a root group and has the `custom_roles` licensed feature.

_This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc._
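The policy change in the implementation plan, as an added stand-alone Ruby model (example code written for this page, not GitLab's DeclarativePolicy code or the implementation behind the checklist above): it shows a `role_enables_admin_merge_request` condition feeding an `admin_merge_request` ability next to the existing static Developer-or-higher path, that the custom-role flag is additive on top of a Reporter base and does not grant `push_code`, and the private-versus-public project case the open test item asks for. `ProjectPolicy`, `MemberRole`, `abilities`, the user names and the project fixtures are assumptions constructed for the example; the access-level numbers are the ones GitLab uses for its static roles.

```ruby
# Added example, not GitLab's own code: a stand-alone model of the additive
# custom-role check proposed in this issue. All names below are assumptions.

module AccessLevel
  NO_ACCESS  = 0
  GUEST      = 10
  REPORTER   = 20
  DEVELOPER  = 30
  MAINTAINER = 40
end

# A custom role: a static base role plus explicitly granted extra abilities.
# Flags are additive only; a custom role can never take away base abilities.
MemberRole = Struct.new(:name, :base_access_level, :admin_merge_request, keyword_init: true)

# visibility is :public or :private
Project = Struct.new(:name, :visibility, keyword_init: true)

# A membership: a static access level and, optionally, a custom role.
Member = Struct.new(:user, :project, :access_level, :member_role, keyword_init: true)

class ProjectPolicy
  def initialize(user, project, memberships)
    @project = project
    @member = memberships.find { |m| m.user == user && m.project == project }
  end

  # Effective static level: the custom role's base level when one is assigned.
  def access_level
    return AccessLevel::NO_ACCESS unless @member
    @member.member_role ? @member.member_role.base_access_level : @member.access_level
  end

  # Mirrors the "role_enables_admin_merge_request" condition: true only when
  # the member holds a custom role with the admin_merge_request flag set.
  def role_enables_admin_merge_request?
    !!(@member&.member_role&.admin_merge_request)
  end

  def developer_access?
    access_level >= AccessLevel::DEVELOPER
  end

  # Ability behind "Approve Merge Requests": either the static Developer+ path
  # or the custom-role path is enough.
  def can_admin_merge_request?
    developer_access? || role_enables_admin_merge_request?
  end

  # Writing to the repository is untouched by the new flag.
  def can_push_code?
    developer_access?
  end

  # Private projects are invisible to non-members; public ones are readable by anyone.
  def can_read_project?
    @project.visibility == :public || access_level >= AccessLevel::GUEST
  end
end

# --- constructed fixtures (not real groups, projects or users) ---
SECURITY_APPROVER = MemberRole.new(name: "Security Approver",
                                   base_access_level: AccessLevel::REPORTER,
                                   admin_merge_request: true)
PRIVATE_PROJECT = Project.new(name: "payments", visibility: :private)
PUBLIC_PROJECT  = Project.new(name: "docs", visibility: :public)

MEMBERSHIPS = [
  Member.new(user: "sam",  project: PRIVATE_PROJECT, access_level: AccessLevel::REPORTER,  member_role: SECURITY_APPROVER),
  Member.new(user: "sam",  project: PUBLIC_PROJECT,  access_level: AccessLevel::REPORTER,  member_role: SECURITY_APPROVER),
  Member.new(user: "rita", project: PRIVATE_PROJECT, access_level: AccessLevel::REPORTER,  member_role: nil),
  Member.new(user: "dev",  project: PRIVATE_PROJECT, access_level: AccessLevel::DEVELOPER, member_role: nil)
].freeze

# The hash a feature spec would assert on for a given user/project pair.
def abilities(user, project, memberships = MEMBERSHIPS)
  policy = ProjectPolicy.new(user, project, memberships)
  {
    read_project: policy.can_read_project?,
    admin_merge_request: policy.can_admin_merge_request?,
    push_code: policy.can_push_code?
  }
end

if __FILE__ == $PROGRAM_NAME
  %w[sam rita dev outsider].each do |user|
    [PRIVATE_PROJECT, PUBLIC_PROJECT].each do |project|
      puts format("%-8s %-8s (%-7s) %p", user, project.name, project.visibility, abilities(user, project))
    end
  end
end
```

Running the file prints one row per user and project. The rows worth checking in a spec are the ones the checklist calls out: `sam` (Reporter base plus the flag) can approve in both the private and the public project but cannot push, `rita` (plain Reporter) cannot approve, and a non-member gets nothing in the private project and only read access in the public one.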