Audit log when applying license policies and merging out-of-compliance licenses

Problem to solve

In license compliance, there are actions users take that are not logged, and/or the user who took the action is not visible. Examples:

  • When a user adds a policy to deny or allow licenses, the user who made this selection is not identified. This is both an accountability issue and a practical issue when developers have questions: the DRI is unknown.
  • When a user approves License-Check or Vulnerability-Check, there is no log of the approver outside of the MR. If the approved license is one that is denied, this results in an out-of-compliance license being merged to the default branch. There is no log of this action nor of who made this one-time approval.
  • In existing projects that have denied licenses, only the MR that introduced the license shows the user who committed it.

Therefore, users are not accountable for actions that are out of compliance.

Intended users

Further details

Proposal

Ensure accountability for users who create policies and/or approve out-of-compliance (denied) licenses to be merged. Additionally, informing users of the accountable user will give developers a DRI for questions and/or for approvals that are needed.

  • Identify the user who created a license policy
  • Identify when a license has been approved by License-Check and who made the approval
  • Identify the developer who introduced the out-of-compliance license

Permissions and Security

  • All project members may see the accountable user in the UI

Documentation

...

Availability & Testing

...

What does success look like, and how can we measure that?

  • Are developers able to identify the accountable person and/or the creator of policies?
  • Does this accountability measure enforce compliance more effectively (since users' actions and names are logged)?

What is the type of buyer?

GitLab Ultimate

Links / references

Follow up issue based on discussions from #196845 (closed)