Deployer Role without access to code
### Problem to Solve
Organizations who want to maintain a separation of duties often have a particular set of personnel who own developing code and a separate set of those who can deploy code. The current permission paradigm in GitLab makes it challenging to give non-code contributors access to approve merge requests for deployment and to actually deploy code.
### User experience goal
Users that have no access to modify the code (Reporters) ought to still be able to approve MRs and deploy to Protected Environments when they are explicitly designated as approvers or deployers.
**Scenario**:
Developers (with developer access) to a project ought to be allowed to develop, push/merge into protected branches but NOT deploy to production. This is accomplished by pairing Protected Branches and Protected Environments with an externalized CI YAML.
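As an added illustration (not part of this epic, and not GitLab's own configuration), the pairing described above can look like the following `.gitlab-ci.yml`. All project paths, file names and the script invoked by the deploy job are assumed. The deploy job is defined in a separate `ci-templates` project that application developers cannot edit, and the `production` environment is assumed to be protected in the application project's settings so that only the users or groups listed under "Allowed to deploy" can run the job.

```yaml
# .gitlab-ci.yml in the application project (added example; paths are assumed).
# The deploy job is pulled in from a project that application developers have
# no write access to, so a developer cannot alter how production is deployed.
include:
  - project: 'example-group/ci-templates'   # assumed project path
    ref: main                                # pin to the template project's protected branch
    file: '/templates/deploy.yml'            # assumed file name

stages:
  - test
  - deploy

test:
  stage: test
  script:
    - make test                              # assumed test command

# ---------------------------------------------------------------------------
# /templates/deploy.yml in example-group/ci-templates (assumed contents).
# Shown here as comments so the whole example fits in one file.
#
# deploy_production:
#   stage: deploy
#   script:
#     - ./deploy.sh production               # assumed deploy script
#   environment:
#     name: production                       # must match the protected environment name
#   rules:
#     # Only create the job for the protected default branch, and only run it
#     # when a permitted deployer triggers it by hand.
#     - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
#       when: manual
```

With the default branch protected (developers may merge, direct pushes restricted) and `production` protected with a deploy allow-list, a developer's merge creates the manual `deploy_production` job, but the job can only be started by the users or groups in that allow-list. The epic's second proposal is to let explicitly listed reporters be selected there as well.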
Managers or Operators (with reporter access) to a project sometimes need to be required approvers of an MR before a merge to a protected branch commences. These managers/operators ought not be allowed to push/merge any code to any branches. However, the only users that are able to "Approve" a Merge Request are users that can also push/merge code. This prevents segregation of duties between developers and MR approvers.
### Proposal
1. Allow reporters to approve MRs if they are explicitly listed in the approval rules - https://gitlab.com/gitlab-org/gitlab/-/issues/225485
1. Allow reporters to run jobs that deploy to an environment if they are explicitly listed - https://gitlab.com/gitlab-org/gitlab/-/issues/225482