Discovery: Two-person access controls for sensitive project settings
Overview
Changes to important aspects of a project can have significant consequences. For compliance-minded organizations, leaving a single person in charge of such changes can pose an unacceptable security risk; beyond malicious activity, accidents are always a possibility when there is a single point of failure.
To address this, we should introduce a two-person control for sensitive changes that could result in data loss or the exposure of sensitive information.
Proposal
Original Proposal
- Introduce a two-person access control pattern to the General view in project settings.
- The use of two-person access controls should be configurable.
- Ultimate feature.
- Actions that could remove or expose sensitive information should require two Owners or administrators:
  - Changing project visibility to a less restrictive setting,
  - Changing feature availability,
  - Removing merge request restrictions,
  - Project removal.
- Add a Group setting to enable/disable "Two-person approvals" for (regulated) projects
- Implement logic for MR approval settings (the same ones in #39060 (closed)) so that if "Two-person approvals" is enabled
  - Screenshot? @aregnery
- Implement logic for
  - Add an entry to the Approvals view within the Compliance Dashboard with an "Approve" and "Deny" button
  - The setting that was changed should only take effect if "Approved"
  - The setting that was changed should retain its original value if "Denied"
  - The setting, from the perspective of the requestor, should have a visual indicator that it's "pending approval"
  - The person who changed the setting should receive a notification of the "Approval" or "Denial"
Additional details
- Actions that could qualify for two-person approval:
- Changing project visibility to a less restrictive setting
- Changing feature availability
- Removing merge request restrictions
- Project removal
More detail is needed here around how the workflow and UX might work for the user initiating a sensitive change and how other users become aware of the "second key" need and fulfill/reject the request.
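As an added illustration of the workflow above (example code, not GitLab's implementation), the following Ruby sketch models a setting change that is held as "pending approval", retains its original value until a second, distinct Owner approves it, and keeps the original value on denial. The class and method names, the visibility ranking, and the two qualifying settings are assumptions; it covers the "less restrictive visibility" and "removing merge request restrictions" cases from the list above.

```ruby
# Added example: two-person approval for sensitive project settings.
# Names below are hypothetical and not part of GitLab's code base.

VISIBILITY_RANK = { 'private' => 0, 'internal' => 1, 'public' => 2 }.freeze

# True when the change needs a second Owner: a visibility change to a LESS
# restrictive level, or removing the "approvals required" merge restriction.
def requires_second_approver?(setting, from, to)
  case setting
  when :visibility then VISIBILITY_RANK.fetch(to) > VISIBILITY_RANK.fetch(from)
  when :require_mr_approvals then from && !to
  else false
  end
end

PendingChange = Struct.new(:setting, :original, :requested, :requestor, :status)

class ProjectSettingsGate
  attr_reader :settings, :pending

  def initialize(settings, owners)
    @settings = settings.dup   # effective values; never hold a pending value
    @owners = owners
    @pending = []
  end

  # Non-sensitive changes apply at once; sensitive ones are held as pending
  # and the effective setting keeps its original value.
  def request_change(setting, value, requestor)
    raise 'not an owner' unless @owners.include?(requestor)
    original = @settings.fetch(setting)
    unless requires_second_approver?(setting, original, value)
      @settings[setting] = value
      return :applied
    end
    @pending << PendingChange.new(setting, original, value, requestor, :pending)
    :pending_approval
  end

  # The "second key": a different Owner must approve before it takes effect.
  def approve(change, approver)
    raise 'not an owner' unless @owners.include?(approver)
    raise 'approver must differ from requestor' if approver == change.requestor
    raise 'change is not pending' unless change.status == :pending
    @settings[change.setting] = change.requested
    change.status = :approved
  end

  # Denial leaves the effective setting at its original value.
  def deny(change, approver)
    raise 'not an owner' unless @owners.include?(approver)
    change.status = :denied
  end
end
```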
Links & References
Edited by Austin Regnery