Document Separation of Duties for Release Governance

Problem to solve

• What product or feature(s) affected? Release: Release Governance

• What docs or doc section affected? Compliance

Further details

The goal is to help support customers seeking to accomplish adequate separation of duties leveraging GitLab features. This will be for:

• Compliance personell
• Release managers
• DevOps roles

Proposal

This is an example pattern of using an externalized GitLab CI YAML for separation of duties. One could write that YAML one time and make it applicable for multiple projects.

• https://gitlab.com/gitlab-silver/tpoffenbarger/separation-of-duties
• https://gitlab.com/gitlab-silver/tpoffenbarger/separation-of-duties-deploy

Another couple of options, supported and non-supported, references to issues that would make this support possible, example and instructions at https://gitlab.com/gitlab-com/account-management/emea/eni/poc/tree/master/CI-CD#rp312-multi-repository-pipelines

Who can address the issue

• Anyone

Other links/references

• https://about.gitlab.com/handbook/engineering/security/guidance/CM.2.01_segregation_of_duties.html
• https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/783