New Audit Event: Add Audit Event for changing protection on an environment
Release notes
GitLab now records an audit event when the protected status of an environment is updated. This is helpful for auditing any changes to the deployment process, since protected environments are typically used for deploying code to special environments such as production.
Problem to solve
Customers using protected environments need to be able to audit when protections were added or removed.
Intended users
When environments are protected or unprotected, an audit record should be generated, as is done for protected branches. The user shouldn't experience anything different, but an audit record should be logged.
Proposal
As a company moves from the Single User experience to the Invite Other Users and Adopt All Features stages, they may include projects and environments that need to be protected. Since removing protections has potentially harmful effects on the security of the environment, these events need to be logged.
Further details
Permissions and Security
When a Maintainer or Owner protects or unprotects an environment, an audit record should be generated.
Documentation
Availability & Testing
What does success look like, and how can we measure that?
What is the type of buyer?
Buyer Personas: CISO, Director - Risk Mgt
Enterprise Tier: Premium
Is this a cross-stage feature?
Implementation plan
See Audit Event Guide for details on implementation of Audit events.
Relevant services:
ProtectedEnvironments::CreateService
ProtectedEnvironments::UpdateService
ProtectedEnvironments::DestroyService
Protected environment settings can be changed via API or UI. Both methods of changing should generate an audit event.
- Audit events for project-level protected environments
- Audit events for group-level protected environments
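The implementation plan above asks that changes made via the API and via the UI both generate an audit event. The sketch below is an added example, not GitLab's code: it records the event inside the create, update and destroy services so that every caller is covered. The module name, event names, handler methods and in-memory stores are all hypothetical.

```ruby
# Standalone sketch, not GitLab code. Module, class layout and event names
# below are hypothetical; the stores are in-memory stand-ins.
AuditEvent = Struct.new(:name, :author, :project, :environment, :message, keyword_init: true)

module SketchProtectedEnvironments
  AUDIT_LOG = [] # stand-in for the audit event store
  PROTECTED = {} # [project, environment] => roles allowed to deploy
  class BaseService
    def initialize(project:, current_user:)
      @project, @current_user = project, current_user
    end
    private
    # The only way services record a change, so no entry point can skip it.
    def audit(name, environment, message)
      AUDIT_LOG << AuditEvent.new(name: name, author: @current_user, project: @project,
                                  environment: environment, message: message)
    end
  end

  class CreateService < BaseService
    def execute(environment, roles)
      PROTECTED[[@project, environment]] = roles
      audit('environment_protected', environment, "Deploy roles: #{roles.join(', ')}")
    end
  end

  class UpdateService < BaseService
    def execute(environment, roles)
      old = PROTECTED.fetch([@project, environment])
      return if old == roles # nothing changed, nothing to audit
      PROTECTED[[@project, environment]] = roles
      audit('environment_protection_updated', environment, "Deploy roles: #{old.join(', ')} -> #{roles.join(', ')}")
    end
  end

  class DestroyService < BaseService
    def execute(environment)
      return unless PROTECTED.delete([@project, environment])
      audit('environment_unprotected', environment, 'Protection removed')
    end
  end
end

# Hypothetical API and UI handlers: both delegate to the same service.
def unprotect_via_api(project, user, environment)
  SketchProtectedEnvironments::DestroyService.new(project: project, current_user: user).execute(environment)
end
def unprotect_via_ui(project, user, environment)
  SketchProtectedEnvironments::DestroyService.new(project: project, current_user: user).execute(environment)
end
```

An update that changes nothing, or an unprotect of an environment that is not protected, returns nil and records no event, which keeps the audit log limited to real changes.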