MVC: Apply "separation of duties" control to projects
Problem to solve
We're exploring this MVC in the discovery issue and this issue is a work in progress.
- Delaney (Development Team Lead)
- Sam (Security Analyst)
- Dana (Data Analyst)
- All management stakeholders who are subject to an auditing process, for example the Security, Quality and Development department heads in a financial institution
The first compliance control we could implement could be separation of duties.
This MVC could provide a MR widget notification that separation of duties was maintained.
Add a Compliance Controls selection capability to the Group settings. The MVC selection could be GCF Change Management 2.01 (CM.2.01) for Separation of Duties.
Helper text should indicate that GCF CM.2.01 is "aligned with SOC 2 CC8.1 and PCI-DSS 6.4".
On the backend, GitLab should map specific project settings to compliance with this control. For example, a project is considered "compliant" when the following settings are enabled:
- Remove all approvals in a merge request when new commits are pushed to its source branch
- Prevent approval of merge requests by merge request author
- Prevent approval of merge requests by merge request committers
If these settings are enabled at the time of an MR approval, the MR widget should show a positive indicator (
If one or more of these settings is disabled, the MR widget should show a warning indicator (
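The compliance evaluation described above, written out as an added example (not GitLab's own code): it checks the three settings the issue lists and returns the widget status plus the reason for any warning. The JSON field names are assumed to be those returned by the GitLab project-level approvals API (`GET /projects/:id/approvals`); verify them against your instance, since one of them is expressed as "author approval allowed" rather than "prevented".

```python
"""Evaluate a project's MR approval settings against the separation-of-duties
control (GCF CM.2.01) described in this issue.

Field names are ASSUMED to match the GitLab project approvals API and should
be verified against the instance being audited.
"""
from typing import Dict, List, Tuple

# (label from the issue, assumed API field, value that counts as "compliant").
# The author rule is exposed as "approval allowed", so its compliant value is
# False; the other two are "enabled" flags where True is compliant.
SEPARATION_OF_DUTIES_CONTROLS = [
    ("Remove all approvals when new commits are pushed to the source branch",
     "reset_approvals_on_push", True),
    ("Prevent approval of merge requests by merge request author",
     "merge_requests_author_approval", False),
    ("Prevent approval of merge requests by merge request committers",
     "merge_requests_disable_committers_approval", True),
]


def evaluate_separation_of_duties(settings: Dict[str, object]) -> Tuple[str, List[str]]:
    """Return ("compliant", []) when every control setting holds, otherwise
    ("warning", [one finding per setting that is disabled or missing])."""
    findings: List[str] = []
    for label, field, compliant_value in SEPARATION_OF_DUTIES_CONTROLS:
        actual = settings.get(field)
        if actual is None:
            # A missing field is treated as non-compliant, not silently ignored.
            findings.append(f"{label}: '{field}' not present in settings")
        elif actual != compliant_value:
            findings.append(f"{label}: '{field}' is {actual!r}, expected {compliant_value!r}")
    return ("compliant" if not findings else "warning"), findings


# Constructed sample settings (not real API output).
COMPLIANT_PROJECT = {
    "reset_approvals_on_push": True,
    "merge_requests_author_approval": False,
    "merge_requests_disable_committers_approval": True,
}
# Same project after someone re-enabled author self-approval.
DRIFTED_PROJECT = dict(COMPLIANT_PROJECT, merge_requests_author_approval=True)

if __name__ == "__main__":
    for name, project in (("compliant", COMPLIANT_PROJECT), ("drifted", DRIFTED_PROJECT)):
        status, findings = evaluate_separation_of_duties(project)
        print(f"{name}: {status}")
        for finding in findings:
            print("  -", finding)
```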
| Group Settings | MR Widget |
|---|---|
| A settings area to specify the desired Compliance Controls to implement for a | |