Research proposal: Permissions and Roles
Background
Custom roles are highly requested because our permission system wasn't suited to many use cases. Customers were having to assign master to lots of users, which made them uncomfortable with the level of permissions granted.
We've partly addressed this by improving protected branches, which lock down the ability to push or merge code and control who can remove those restrictions.
Additionally, large organizations with regulatory requirements sometimes want to enforce separation between users who can write code and those who can deploy it. They sometimes want a special role just for managing people that doesn't give code access, and might want other specific roles we don't currently offer.
What questions are you trying to answer?
- Determine if we need non-hierarchical roles. These might add things like +Code, +Manage People or +Deploy, and would be in addition to the existing Reporter/Developer/Master style roles.
- Determine what these non-hierarchical roles should be. If we can effectively categorise these we might be able to keep permissions simple while going most of the way towards fully customizable roles.
- (Maybe) Determine what types of organizations need these, to help decide if this is something we should have in Core or if it makes more sense in GitLab Starter.
- Determine if we will still need full customization after that. Organizations with complicated audit requirements might need this, and say things like "So far, my auditors have identified about 15 or 16 different roles we would need" (https://gitlab.com/gitlab-org/gitlab-ce/issues/12736#note_16266860).
- (Maybe) Determine what kind of organisations would need full customization. My gut expectation is that if we can make other improvements then full customization might only be needed by the kind of organizations that otherwise say things like "Oh well, back to evaluating the insanely expensive GitHub, and most likely have to go with PerForce at 10x the price." On the other hand it is possible that we haven't properly understood the requirements of some smaller organizations, so it would be good to find examples of any that would need full customization.
- Do we need to make users more aware of protected branches when they are trying to set up permissions?
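To make the non-hierarchical idea concrete, here is an added toy model (constructed for this proposal, not GitLab code): a cumulative hierarchical role supplies a baseline, additive roles such as +Deploy grant single capabilities on top, and a separation-of-duties check flags members who can both push code and deploy. The capability names and the sample team are assumptions.

```python
from dataclasses import dataclass, field

# Hierarchical roles: each level inherits everything below it.
HIERARCHY = ["Guest", "Reporter", "Developer", "Master"]
BASE_CAPS = {
    "Guest": {"view_issues"},
    "Reporter": {"read_code"},
    "Developer": {"push_code", "run_pipelines"},
    "Master": {"manage_protected_branches", "manage_members"},
}

# Non-hierarchical (additive) roles from the proposal, mapped to assumed capabilities.
ADDITIVE = {
    "+Code": {"read_code", "push_code"},
    "+Manage People": {"manage_members"},
    "+Deploy": {"run_pipelines", "deploy_to_production"},
}

@dataclass
class Member:
    name: str
    role: str                                   # exactly one hierarchical role
    extras: set = field(default_factory=set)    # any number of additive roles

def capabilities(m: Member) -> set:
    """Union of the hierarchical baseline (including lower levels) and additive roles."""
    level = HIERARCHY.index(m.role)
    caps = set()
    for r in HIERARCHY[: level + 1]:
        caps |= BASE_CAPS[r]
    for extra in m.extras:
        caps |= ADDITIVE[extra]
    return caps

def can(m: Member, capability: str) -> bool:
    return capability in capabilities(m)

def sod_violations(members, a="push_code", b="deploy_to_production"):
    """Names of members holding both sides of a separation-of-duties pair."""
    return [m.name for m in members if can(m, a) and can(m, b)]

# Constructed sample membership.
TEAM = [
    Member("dev", "Developer"),
    Member("releaser", "Reporter", {"+Deploy"}),   # can deploy, cannot push
    Member("hr", "Guest", {"+Manage People"}),     # manages members, no code access
    Member("lead", "Developer", {"+Deploy"}),      # holds both: flagged by the check
]
```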
What assumptions do you have?
- My assumption about non-hierarchical roles solving this might be wrong, there could be better solutions.
- I've assumed that a significant portion of the 200+ users voting for custom roles are still looking for improvements, but protected branch improvements might have solved it for most of them. Similarly I've assumed that most of them could be helped by something like non-hierarchical roles, but it is possible that most of them really are asking for full customization.
Ultimately, what would you like to get out of the research?
Better understanding of how organizations would like to split permissions, and how we can make this simple for them.
What's the latest date that the research will still be useful to you?
An issue was created to add an Operator role 10 months ago, which @bikebilly recently gave the %11.0 milestone.
I wouldn't know if we've scheduled any more general improvements, but customers who don't fit our existing model find it frustrating.
From a technical standpoint I don't think we're ready to add the complexity of full customization, so that side of this might be more useful 6 months from now.
Methodology
Survey research with users from the GitLab Research panel.
Progress
- Write survey questions [Deadline: Tues June 12th]
- Import survey questions into SurveyMonkey [Deadline: Weds June 13th]
- Write email to accompany survey [Deadline: Weds June 13th]
- Test survey logic [Deadline: Weds June 13th]
- Distribute survey to a test sample of users from the research panel [Deadline: Thurs June 14th]
- Review answers and make any necessary amendments [Deadline: Fri June 15th]
- Distribute survey to the rest of the research panel [Deadline: Fri June 15th]
- Close survey [Deadline: Mon June 25th]
- Cleanse data [Deadline: Weds Jun 27th]
- Purchase Amazon vouchers, conduct prize draw and contact winners [Deadline: Fri Jun 29th]
- Analyse survey results [Deadline: Mon Jul 2nd]
- Write up findings into a report [Deadline: Fri Jul 6th]
- Update relevant issues in the CE project [Deadline: Fri Jul 6th]
- Add the report to the UX Research Archive [Deadline: Mon Jul 9th]
Related
- Custom roles (https://gitlab.com/gitlab-org/gitlab-ce/issues/12736)
- Proposal for an Operator Role (https://gitlab.com/gitlab-org/gitlab-ee/issues/1896)
- An idea how we might implement custom roles if it becomes necessary (https://gitlab.com/gitlab-org/gitlab-ee/issues/5626#note_68172882)
- Some quotes from customers who will be partially helped by improvements to protected branches (https://gitlab.com/gitlab-org/gitlab-ee/issues/5496#note_67775311)