Disable self-approval at the Instance level
Problem to solve
Compliance-minded organizations rely on specific controls within GitLab to adhere to internal company policies and to legal or regulatory compliance frameworks. A problem encountered by Administrators of a GitLab instance is that an Owner can modify the merge request approvals settings for a project they own: they can disable the approval requirements, push code into production, and then re-enable the settings afterwards. This creates a gap in an organization's separation-of-duties and access-control policies and introduces risk to the production environment.
Further details
To ensure that a merge request is approved by people other than its author and committers (so that, combined with the required number of approvals, at least two other people review every change), two project-level settings exist:
- Prevent approval of merge requests by merge request author
- Prevent approval of merge requests by merge request committers
However, a project Maintainer or Owner can change these settings. This makes it possible to bypass the restriction in secure environments where it needs to apply to every project without exception.
This MVC should focus only on implementing the instance-level settings, followed by an iterative addition to control the same settings at the group level.
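The gap described above is that the two settings are only as strong as the last Maintainer or Owner who touched them, so an Administrator who needs evidence today has to audit every project's settings rather than trust a single instance-wide switch. The following is an added example of such an audit, not code from the proposal or from GitLab itself. It assumes that each project's settings are fetched from GitLab's project-level merge request approvals API (`GET /projects/:id/approvals`) and that the response carries the fields `merge_requests_author_approval`, `merge_requests_disable_committers_approval` and `disable_overriding_approvers_per_merge_request`; the field names and the sample records are assumptions constructed for the example, not captured from a real instance.

```python
"""Audit GitLab project approval settings against a separation-of-duties policy.

Added example, not part of the original proposal. The field names below are
assumed to match the project-level merge request approvals API response
(GET /projects/:id/approvals); the sample records are constructed.
"""
from dataclasses import dataclass

# The policy the proposal wants enforced instance-wide: authors may not approve,
# committers may not approve, and approval rules may not be overridden per MR.
REQUIRED = {
    "merge_requests_author_approval": False,
    "merge_requests_disable_committers_approval": True,
    "disable_overriding_approvers_per_merge_request": True,
}


@dataclass(frozen=True)
class Finding:
    project: str
    setting: str
    expected: bool
    actual: object  # the value seen, or None when the field is absent


def audit_project(name, settings):
    """Return one Finding per setting that deviates from REQUIRED.

    A missing field is reported as well: an absent value cannot be assumed safe,
    because it is exactly what an audit would otherwise silently pass over.
    """
    findings = []
    for key, expected in REQUIRED.items():
        actual = settings.get(key)
        if actual != expected:
            findings.append(Finding(name, key, expected, actual))
    return findings


def audit_all(projects):
    """projects: mapping of project path -> approvals settings dict.

    Projects are visited in sorted order so reports are stable run to run.
    """
    findings = []
    for name, settings in sorted(projects.items()):
        findings.extend(audit_project(name, settings))
    return findings


# Constructed sample: the state an Owner could leave behind after toggling
# settings on their own project. Not data from a real instance.
SAMPLE_PROJECTS = {
    "payments/ledger": {
        "approvals_before_merge": 2,
        "merge_requests_author_approval": False,
        "merge_requests_disable_committers_approval": True,
        "disable_overriding_approvers_per_merge_request": True,
    },
    "payments/gateway": {
        "approvals_before_merge": 2,
        "merge_requests_author_approval": True,  # author can self-approve
        "merge_requests_disable_committers_approval": False,  # committers can approve
        "disable_overriding_approvers_per_merge_request": True,
    },
    "infra/deploy": {
        "approvals_before_merge": 1,
        "merge_requests_author_approval": False,
        "merge_requests_disable_committers_approval": True,
        # disable_overriding_approvers_per_merge_request is absent -> reported
    },
}

if __name__ == "__main__":
    for f in audit_all(SAMPLE_PROJECTS):
        print(f"{f.project}: {f.setting} is {f.actual!r}, policy requires {f.expected!r}")
```

Run against the constructed sample, the audit reports two deviations for `payments/gateway` and one missing field for `infra/deploy`, and nothing for `payments/ledger`. In practice the same check would be scheduled to run against every project the instance exposes, which is the workload the proposed instance-level setting would make unnecessary.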
Proposal
Introduce settings at the instance level, in Rules (formerly Push Rules) under Merge request approvals, to restrict the three most important merge request approvals settings at the project level:
- Prevent approval of merge requests by merge request author
- Prevent approval of merge requests by merge request committers
- Approvers List
  - This would restrict all action items such as "Edit", "Delete", or "Add"
  - This would restrict "Can override approvers and approvals required per merge request"
At the Project level, these settings should only be editable by Administrators, but should remain visible to non-admins for information purposes.
If the restriction is enabled at the instance level, only an Administrator may override the setting at the group or project level.