User access policy for Production environment
The production environment is a special case; sometimes we may even have several environments that we use as production. GitLab roles were initially designed for developers, but GitLab is now growing to cover issue boards, project management and deployment.
So it would be good to assign a special tag, prod, to these environments and to set up per-user access to environments carrying that tag. This access would include the right to trigger manual deployment actions and to edit the environment.
This is different from simply restricting the triggering of manual actions on protected branches to the master role.
The reason is that there may be only two people on a team (who are not developers) responsible for deployment to prod, so it is better to assign them on a per-user basis instead of by role. Of course, the owner role should still have permission to work with the prod environment.
Use the open-source Open Policy Management https://www.openpolicyagent.org/ to define the users who are allowed to deploy to production.
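One way to express this rule in Rego, the policy language of the Open Policy Agent project linked above. This is an added example, not GitLab's or the author's code; the package name, the shape of the input document, the action names and the usernames are assumptions made for illustration.

```rego
package gitlab.environments

import rego.v1

# Assumed input document (hypothetical shape, not a GitLab API):
# {
#   "user":        {"username": "alice", "role": "developer"},
#   "action":      "trigger_manual_job",
#   "environment": {"name": "production-eu", "tags": ["prod"]}
# }

# Deny unless one of the allow rules below matches.
default allow := false

# Constructed sample data: the people responsible for prod deployments,
# listed by username and independent of their project role.
prod_deployers := {"alice", "bob"}

# The rights the proposal attaches to prod-tagged environments.
guarded_actions := {"trigger_manual_job", "edit_environment"}

# True when the environment carries the special "prod" tag.
# Undefined (treated as not prod) when the tag or the tags field is missing.
is_prod if "prod" in input.environment.tags

# Environments without the tag are out of scope for this policy;
# the existing role-based checks still apply to them.
allow if not is_prod

# Per-user access: a listed user may run the guarded actions on prod.
allow if {
	is_prod
	input.action in guarded_actions
	input.user.username in prod_deployers
}

# The owner role keeps its permission to work with prod environments.
allow if {
	is_prod
	input.user.role == "owner"
}
```

With this policy a user with the master role who is not in `prod_deployers` is denied on a prod-tagged environment, while a listed non-developer is allowed, which is the distinction from role-based restriction that the proposal asks for.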