Create project-level policies framework for deny (Policies MVC)
Problem to solve
After exploring Policies, we should implement the MVC for this feature.
Proposal
Introduce the ability to create and apply a Policy to a project.
Creating a Policy
- A Policy should be definable in a structured way. This should be definable in the UI, not in a version controlled file that's harder for a non-technical user to manage.
- A Policy should include several elements:
  - Effect: the effect that the Policy has on the given project. It should be able to `Allow` (present in the UI and allow a user to take an action if they meet the condition) or `Deny` (do not present, do not allow a user to take the action if they meet the condition).
    - For this iteration: `Deny` only.
  - Action: the action we want to allow or deny access to.
    - For this iteration: hide/prevent access to any/all of the project Repository, Merge Requests, CI/CD, Operations, Security & Compliance, and Packages.
  - Resource: the projects and groups this Policy applies to.
    - For this iteration: we can omit this and map a Policy 1:1 to projects, instead of 1 to many.
  - Condition: a condition that, if met, results in the allowance or denial of the action for the user. We should be able to write conditions like `Member:operations-leads` to check if a member is in a group in order to allow/disallow something.
    - For this iteration: do a simple check of a user's group membership. I should be able to write a project Policy that checks if a user is a member of a particular group.
The use case we are trying to solve for is separation of concerns: some organizations want to separate Dev and Ops in their organization into dedicated roles. The proposal would allow this to happen by:
- Creating a separate group for the Operations team,
- Creating a Policy to deny access to the project's Repository if a project member belongs to the Operations group,
- Applying the Policy to any relevant projects.
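As an added illustration (not GitLab's own code), the Effect / Action / Condition model and the Dev/Ops use case above as a small deny-only evaluator. The `ACTIONS` list, `Policy` struct, `allowed_actions` function and the sample group names are assumptions of this example, not GitLab APIs.

```ruby
# Constructed example of the proposal's policy model: a Policy has an Effect
# (Deny only in this iteration), one or more Actions, and a `Member:<group>`
# Condition. The Resource element is omitted, as the proposal maps a Policy
# 1:1 to a project.

# The project areas a Policy may hide/prevent access to (names assumed).
ACTIONS = %w[repository merge_requests ci_cd operations security_compliance packages].freeze

Policy = Struct.new(:effect, :actions, :condition) do
  # Parses a condition such as "Member:operations-leads" into the group name.
  def condition_group
    kind, group = condition.split(":", 2)
    raise ArgumentError, "unsupported condition: #{condition}" unless kind == "Member" && group
    group
  end

  # The condition is met when the user belongs to the named group.
  def matches?(user_groups)
    user_groups.include?(condition_group)
  end
end

# Returns the actions a user may still take on the project. Nothing is denied
# by default; every matching Deny policy removes its actions. Allow effects
# are reserved for a later iteration, so they are rejected here.
def allowed_actions(policies, user_groups)
  denied = policies.each_with_object([]) do |policy, acc|
    raise ArgumentError, "only Deny is supported in this iteration" unless policy.effect == :deny
    unknown = policy.actions - ACTIONS
    raise ArgumentError, "unknown action(s): #{unknown.join(', ')}" unless unknown.empty?
    acc.concat(policy.actions) if policy.matches?(user_groups)
  end
  ACTIONS - denied
end

# Constructed sample policy for the use case: members of the Operations group
# are denied access to the project's Repository.
OPS_REPO_DENY = Policy.new(:deny, %w[repository], "Member:operations-leads")

if __FILE__ == $PROGRAM_NAME
  p allowed_actions([OPS_REPO_DENY], %w[operations-leads]) # repository removed
  p allowed_actions([OPS_REPO_DENY], %w[developers])       # all actions
end
```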
Policy UX (TBD)
- There's a possible gap between what the documentation says I should be able to do vs. what a Policy is allowing me to do on a project.
- Whenever this gap exists, explain this to the user:
- Create a perceptible affordance via an icon or banner on relevant pages.
An example may be the project settings page:
Links / references
Edited by Melissa Ushakov