Security & Compliance Practitioner Custom Role -- Manage SPP & Compliance Framework Labels
### Release notes
### Problem to solve
Security and compliance teams are responsible for interpreting legal, security, and compliance requirements and identifying how to implement enforcement within their applications and their development processes. They must then also be able to monitor for any non-compliance and provide evidence of their compliance.
A current challenge for users leveraging Security Policies and/or Compliance Frameworks/Pipelines is that of access management and the control to establish and maintain the link between projects and security policy projects and compliance frameworks.
The importance of this will only increase as we unify Security Policies and Compliance Pipelines.
### Intended users
### User experience goal
1. Administrators of an organization's GitLab instance would be responsible for providing users with custom roles according to any onboarding flow leveraged by the company.
2. They would assign appropriate users a role such as "Security & Compliance Practitioner". Users of this role would have the ability to modify security and compliance links within the projects where they have a Maintainer+ role.
3. For any users that do not have this custom role, they would be prohibited from created, modifying, or deleting any security and compliance links.
4. If an organization does not have a large team, they may need to add these custom roles to other functional roles such as an Engineering Manager or whoever they choose to have the responsibility of maintaining security and compliance.
### Proposal
While we've considered approaches to address this problem from an individual feature standpoint (within security policies or compliance frameworks), leveraging the new [Customizable Roles & Permissions](https://gitlab.com/groups/gitlab-org/-/epics/4035 "Custom Roles and Permissions") capabilities, we should be able to leverage a framework to create a custom role that better enables security and compliance teams\*\* to maintain enforcement of who can enable, modify, or delete a link between a project and a security policy project or compliance framework.\*\*
We would customize the role as follows:
1. **add** the following customer permissions to a custom role (built on top of the Maintainer role as a base):
1. `Create/Delete a Security Policy Link` - admin\_\*
2. `Apply/Modify/Remove a Compliance Framework on a project` - admin\_\*
2. **Remove** the following permission from the current `Developer` and `Maintainer` roles:
1. `Create/Delete a Security Policy Link` - admin\_\*
2. `Apply/Modify/Remove a Compliance Framework on a project` - admin\_\*
3. Create a rake task that adds the above permissions to either the `Developer` and `Maintainer` roles for Ultimate customers using customizeable permissions.
[Granular Security Permissions](https://gitlab.com/groups/gitlab-org/-/epics/10684 "Granular Security Permissions") is a similar custom role that supports Threat Insights and leverages the framework to enable this role, however, adding these checks to that role appear to be out of scope currently. We may need to explore this as a new role, and consider any other capabilities that would be relevant.
{width="679" height="389"}
_Concept: if users could create custom roles and choose these permissions._
### Further details
### Permissions and Security
### Documentation
### Availability & Testing
### Available Tier
### Feature Usage Metrics
### What does success look like, and how can we measure that?
### What is the type of buyer?
### Is this a cross-stage feature?
1. This would leverage the framework maintained by the \~"group::authentication and authorization" team.
2. We would also want to coordinate across ~"devops::secure" and ~"devops::govern" to determine if other capabilities should be included in this custom role, especially ~"group::compliance" as one capability would be within their codebase.
### What is the competitive advantage or differentiation for this feature?
This may be the one missing link for ensuring compliance for organizations who want to manage compliance globally/centrally across a large organization. With GitLab's platform advantage, the global policy and compliance capabilities we offer are a huge differentiator for using GitLab, but this gap is a weakness in the value differentiation.
### Interested Customers
| SFDC | Tier | Current Seats |
|------|------|---------------|
| [Link](https://gitlab.my.salesforce.com/0016100000SEhkL?srPos=0&srKp=001) | ~"GitLab Ultimate" | 120 |
| [Link](https://gitlab.my.salesforce.com/0016100000NmTZW) | ~"GitLab Ultimate" ~SaaS | 1500 |
### Links / references
<!-- triage-serverless v3 PLEASE DO NOT REMOVE THIS SECTION -->
*This page may contain information related to upcoming products, features and functionality.
It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes.
Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.*
<!-- triage-serverless v3 PLEASE DO NOT REMOVE THIS SECTION -->
epic