User access policy for Production environment
Problem
Production environments are special, and a project may have several environments that serve as production. Currently, the coarse GitLab role model leaves the ability to edit environments and to trigger a manual release to production insufficiently protected: the right is tied to whole roles rather than to the specific people who are responsible for production.
Feature Description
Leveraging tags, we could add a special tag to production environments. Access to environments carrying that tag would then be granted per role and per user. The rights could include:
- Trigger Manual Action for deploys on standard branches: named users + Owner role
  - Start deploy
  - Stop deploy
- Trigger Manual Action for deploys on protected branches: Master role (Maintainer in current GitLab) + Owner role
  - Start deploy
  - Stop deploy
- Edit environments: named users + Owner role
  - Change variables
Background
It would therefore be good to assign a special tag, prod, to the relevant environments and to set up per-user access to environments carrying that tag. The grant would cover the right to trigger manual deployment actions and the right to edit the environment.
This is different from simply restricting manual actions on protected branches to the Master role.
Often only two people on a team (who are not developers) are responsible for deploying to prod, so it is better to grant them access as named users instead of by role. Of course, the Owner role should still keep permission to work with prod environments.
Proposal
Use the open-source Open Policy Agent (OPA, https://www.openpolicyagent.org/) to define which users are allowed to deploy to production, so that the allowlist is expressed as reviewable policy-as-code rather than as a GitLab role.
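As an added example (not part of this issue and not GitLab's or OPA's own code), the rights listed under Feature Description expressed as an OPA Rego policy that the GitLab side would query before running a manual action or an environment edit. The package name, the tag value prod, the action and role strings, the input shape, and the data.production.deployers / data.production.editors user lists are all assumptions made for this illustration.

```rego
package gitlab.production

import rego.v1

# Deny by default: anything not matched by an explicit rule below is refused.
default allow := false

# Only environments carrying the "prod" tag are governed by this policy.
is_prod if {
	"prod" in input.environment.tags
}

# Environments without the tag are not restricted here; GitLab's existing
# role checks still apply to them in the caller.
allow if {
	not is_prod
}

# The Owner role keeps full rights on production environments.
allow if {
	is_prod
	input.user.role == "owner"
}

# Manual deploy actions (start / stop) on protected branches: Master role.
allow if {
	is_prod
	input.action in {"start_deploy", "stop_deploy"}
	input.branch.protected
	input.user.role == "master"
}

# Manual deploy actions on standard (unprotected) branches: named users only.
# The list lives in the data document, not in the policy, so adding or
# removing a deployer does not require a policy change.
allow if {
	is_prod
	input.action in {"start_deploy", "stop_deploy"}
	not input.branch.protected
	input.user.username in data.production.deployers
}

# Editing the environment or its variables: named users only.
allow if {
	is_prod
	input.action in {"edit_environment", "change_variables"}
	input.user.username in data.production.editors
}

# Constructed example data document (data.json), assumed for this example:
# {"production": {"deployers": ["alice", "bob"], "editors": ["alice"]}}
#
# Constructed example query input (input.json):
# {"user": {"username": "bob", "role": "developer"},
#  "action": "start_deploy",
#  "branch": {"name": "feature/x", "protected": false},
#  "environment": {"name": "prod-eu", "tags": ["prod"]}}
#
# With these files, data.gitlab.production.allow evaluates to true for bob;
# the same input with "action": "change_variables" evaluates to false,
# because bob is a deployer but not an editor.
```

The policy can be evaluated locally with `opa eval -d policy.rego -d data.json -i input.json 'data.gitlab.production.allow'`. Keeping the per-user allowlists in data rather than in the policy body means the Rego itself rarely changes and can be reviewed like any other code, while the deny-by-default rule ensures that a request with an unknown action string or a missing tag field is refused rather than silently permitted.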