Two-person approvals for sensitive changes
# This Epic is currently on hold

We are exploring a significant pivot in [this issue](https://gitlab.com/gitlab-org/gitlab/-/issues/234121), which is also linked in this epic's "Epics and Issues" list. We will close or rewrite this issue once we've concluded ~"workflow::solution validation" on https://gitlab.com/gitlab-org/gitlab/-/issues/234121.

<details>
<summary>Original Proposal</summary>

### Problem to solve

Some project settings or activity require additional scrutiny at compliance-minded organizations because changes to these areas can impact their compliance posture or introduce unnecessary risk to their GitLab groups and projects. For example, a customer may want to require a minimum of two approvals for merge requests, but might also want to provide an "escape hatch" for urgent deploys that need to bypass that process.

Currently, there is no way for users to request, document, and obtain approval for sensitive changes they'd like to make to regulated projects.

Please see [this issue](https://gitlab.com/gitlab-org/gitlab/-/issues/33260) for our discovery on this feature.

### Intended users

* [Cameron (Compliance Manager)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#cameron-compliance-manager)
* [Sidney (Systems Administrator)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sidney-systems-administrator)

### User experience goal

A `user` should be able to request approval to change sensitive settings, such as MR approval rules. An `owner` should be able to approve or deny a requested change.

### Proposal

* Add a `Group` setting to enable/disable `Two-person approvals` for ([regulated](https://docs.gitlab.com/ee/user/project/settings/#compliance-framework-ultimate)) projects
* Implement logic for `MR approval settings` (the same ones in https://gitlab.com/gitlab-org/gitlab/issues/39060) so that if `Two-person approvals` is `enabled`, then changes to those settings result in:
  * An entry added to the `Approvals` view within the [Compliance Dashboard](https://gitlab.com/groups/gitlab-org/-/epics/2537) with [an `Approve` button](https://gitlab.com/gitlab-org/gitlab/-/issues/33260#note_300814680) instead of `Done` (maybe an `X` to dismiss or `Deny` the notification?)
  * The setting that was changed should only take effect if `Approved`
  * The setting that was changed should retain its original value if `Denied`
  * The setting, from the perspective of the `requestor`, should have a visual indicator that it is "pending approval"
  * The person who changed the setting should receive a notification of the `Approval` or `Denial`

- [ ] @aregnery add an end-to-end walk-through of the User Journey

| Underlying Logic | Approval View (Compliance Dashboard) |
| ------ | ------ |
| ![clip-2020-02-14](/uploads/5e9d637b1e0a2af8132ec89a9269d2c5/clip-2020-02-14.png) | ![Approvals_Dashboard](/uploads/43afdcfa87b1dcbecfa0e0ef703c23c5/Approvals_Dashboard.png) |

### Further details

### Permissions and Security

### Documentation

### Availability & Testing

### What does success look like, and how can we measure that?

### What is the type of buyer?

### Is this a cross-stage feature?

### Links / references

[→ Figma](https://www.figma.com/file/GAoH97ZexOuEK2GYeV2R6k/33260-Two-person-access-controls-for-sensitive-project-settings?node-id=115%3A1348)

[→ Mural](https://app.mural.co/t/gitlab2474/m/gitlab2474/1581106572183/a9b550670276a8ef28888789b8f259a3cb1474ca)

</details>
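The "Underlying Logic" in the proposal above (change requested by a user, setting stays at its old value while pending, an owner approves or denies, the requester is notified) is a small state machine. The following is an added illustration of that logic written for this page; it is not GitLab code, and the class, method and user names (`TwoPersonApproval`, `request_change`, `approve`, `deny`, "alice", "bob") are hypothetical. It also makes explicit the control the proposal's name implies but its bullet list does not spell out: the person who requested the change must not be the person who approves it, even when the requester is also an owner. Without that check a single owner could lower `approvals_required` to 0 and approve their own "escape hatch".

```ruby
# Added example, not GitLab code. Models the proposed two-person approval flow
# for a sensitive project setting such as the number of required MR approvals.
class TwoPersonApproval
  class NotAuthorized < StandardError; end
  class NotPending < StandardError; end

  PendingChange = Struct.new(:id, :setting, :old_value, :new_value,
                             :requested_by, :status, keyword_init: true)

  attr_reader :notifications

  # settings: effective values, e.g. { approvals_required: 2 } (constructed input)
  # owners:   users allowed to approve or deny a pending change
  # enabled:  the proposed group-level "Two-person approvals" switch
  def initialize(settings:, owners:, enabled: true)
    @settings = settings.dup
    @owners = owners
    @enabled = enabled
    @pending = {}
    @notifications = []
    @next_id = 0
  end

  # A user edits a sensitive setting. With the feature enabled the edit does not
  # take effect; it is recorded as a pending change and its id is returned.
  def request_change(setting, new_value, requested_by:)
    unless @enabled
      @settings[setting] = new_value # no review: the change applies immediately
      return nil
    end
    id = (@next_id += 1)
    @pending[id] = PendingChange.new(id: id, setting: setting,
                                     old_value: @settings[setting],
                                     new_value: new_value,
                                     requested_by: requested_by,
                                     status: :pending)
    id
  end

  # Approved: the requested value becomes the effective value.
  def approve(id, by:)
    decide(id, by: by, status: :approved) { |c| @settings[c.setting] = c.new_value }
  end

  # Denied: nothing is written, so the setting keeps its original value.
  def deny(id, by:)
    decide(id, by: by, status: :denied) { |_c| }
  end

  # The value the project actually enforces right now.
  def effective(setting)
    @settings[setting]
  end

  # True while a change to this setting is awaiting a decision (the "pending
  # approval" indicator the proposal asks for).
  def pending?(setting)
    @pending.values.any? { |c| c.setting == setting && c.status == :pending }
  end

  private

  def decide(id, by:, status:)
    change = @pending.fetch(id) { raise NotPending, "no pending change #{id}" }
    raise NotPending, "change #{id} already #{change.status}" unless change.status == :pending
    raise NotAuthorized, "#{by} is not an owner" unless @owners.include?(by)
    # Two-person rule: the requester never decides their own change, even if
    # they are also an owner.
    raise NotAuthorized, "#{by} cannot decide their own change" if by == change.requested_by

    yield change
    change.status = status
    # The requester is told the outcome, as the proposal requires.
    @notifications << { to: change.requested_by, change: id, status: status }
    status
  end
end
```

A decision is final: a second call to `approve` or `deny` on the same id raises `NotPending`, so an approved change cannot later be "denied" back to the old value through the same request, and the `notifications` list doubles as the minimal audit record of who asked for what and how it was decided.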