Extend Blocking Functionality to Allow for Shadow-Banning
### Release notes
### Problem to solve
After discussing this feature, strictly speaking a shadow-banning functionality of sorts, with @tkuah, @marin, @gitlab-internal/trust-and-safety and @gitlab-com/gl-security/engineering-and-research/automation-team, it's become increasingly apparent that spam is particularly painful to us for two reasons:
1. The unrestrained nature of the way certain capabilities have been implemented in GitLab gives abusers of all sorts the ability to bombard the infra with their objects of choice, choosing and misusing different ones over time. This directly impacts our infrastructure and underlying sub-systems.
2. There is no straightforward method for admins, or in our case @gitlab-internal/trust-and-safety, to efficiently and effectively deal with large amounts of spam retroactively, that is, to make abusive content unavailable. This has led to home-grown solutions such as https://gitlab.com/gitlab-com/gl-security/security-operations/trust-and-safety/bouncer or tissue trying to make up for these limitations during clean-up.
**Issue 1** affects the stability of our infrastructure and the sub-systems composing GitLab, as well as the experience of all tiers. To help alleviate this, there are already considerable ongoing efforts in https://gitlab.com/groups/gitlab-org/-/epics/5365, https://gitlab.com/gitlab-org/gitlab/-/issues/320890#note_511550273, https://gitlab.com/gitlab-org/gitlab/-/issues/320788#note_505663048 and others.
**Issue 2** considerably affects the usability of the product itself, rendering features such as issue lists, boards, comment areas and more basically useless until spam is dealt with, as well as damaging the company's reputation as a robust platform. This is the problem this feature would help us address.
### Intended users
- @gitlab-internal/trust-and-safety
- @gitlab-com/gl-security/engineering-and-research/automation-team
- GitLab Administrators
* [Sidney (Systems Administrator)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sidney-systems-administrator)
* [Alex (Security Operations Engineer)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#alex-security-operations-engineer)
### User experience goal
Improve administrators' ability to address abusive behavior and generated content.
### Proposal
Implementing a first iteration of the shadow-banning functionality such that it allows admins on gitlab.com to:
- block a user but also hide all their issues
- block a user but also hide all their comments
- provide the ability to do the above via API
- a separate status is desired so that we can track and build ML/AI to automate spam user detection in the future
Future iterations could include:
- block a user and render all objects with a visibility property invisible to everyone but them
This would enable admins and anti-abuse automations to:
- retroactively clean up issue, note and other types of spam
- and do so effectively and efficiently by simply identifying an abusive account
- keep abusive data within GitLab for further investigation into TTPs being used by abusers
- said data can be used to improve ML model training for abuse detection
- allow us to iterate on our synchronous detection systems, which have made and will make mistakes, by allowing for an unproblematic clean-up
- avoid deleting legitimate accounts which were misidentified as abusers and make the reinstatement process painless
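
The behaviour proposed above, modelled in Ruby as an added example (not GitLab's code or API): a separate `:banned` state hides a user's issues and notes at read time and is reversible without data loss. All class, method and field names are hypothetical, and keeping the content visible to the author and to admins is an assumption of this example.

```ruby
# Hypothetical in-memory model (not GitLab code): :banned is a separate,
# reversible account state, and visibility is decided at read time.
User = Struct.new(:id, :name, :state, :admin) do
  def banned?
    state == :banned
  end
end

Item = Struct.new(:kind, :author, :body) # kind is :issue or :note

class Moderation
  attr_reader :audit_log

  def initialize
    @audit_log = [] # every status change is recorded for later analysis
  end

  def ban(user, by:)
    transition(user, :banned, by)
  end

  def unban(user, by:)
    transition(user, :active, by)
  end

  private

  def transition(user, new_state, actor)
    raise ArgumentError, 'admin permissions required' unless actor.admin
    @audit_log << { user: user.id, from: user.state, to: new_state, by: actor.id }
    user.state = new_state
  end
end

# Read-time filter: nothing is deleted, so content stays available for
# investigation and reappears if the ban is lifted.
# Assumption: the author and admins can still see the hidden content.
def visible_items(items, viewer)
  items.select do |item|
    !item.author.banned? || viewer.admin || viewer.id == item.author.id
  end
end

# Constructed sample data.
ADMIN   = User.new(1, 'admin', :active, true)
READER  = User.new(2, 'reader', :active, false)
SPAMMER = User.new(3, 'spammer', :active, false)
ITEMS = [
  Item.new(:issue, READER, 'Bug report'),
  Item.new(:issue, SPAMMER, 'Buy now'),
  Item.new(:note, SPAMMER, 'Click here')
].freeze
```
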
### Further details
https://gitlab.com/groups/gitlab-org/-/epics/5365
https://gitlab.com/gitlab-org/gitlab/-/issues/103325
https://gitlab.com/gitlab-org/gitlab/-/issues/118829
### Permissions and Security
Admin permissions
### Documentation
`TODO`
### Availability & Testing
`TODO`
### Available Tier
Free
### What does success look like, and how can we measure that?
Admins on gitlab.com can:
1. block a user but also hide all their issues
1. block a user but also hide all their comments
1. provide the ability to do the above via API
1. block a user and render all objects created by them with a visibility property invisible to everyone but them
### What is the type of buyer?
### Is this a cross-stage feature?
Yes, we experience abuse in most stages although an initial iteration of this feature would focus on `plan` objects such as issues and notes.
### Links / references
epic