
Add modify_security_policy permission

What does this MR do and why?

Addresses #381714 (closed)

Currently we have read_security_orchestration_policies and update_security_orchestration_policy_project permissions, but they denote the ability to read/update the policy project associated with a target project. We are using the same permission to check whether a user has permission to create/update a policy, which is misleading. This MR introduces a new permission, modify_security_policy, that will be used to check whether a user has access to create/update a security policy for a project/group.

```mermaid
graph TD
    A{Does Project A have a Security Policy Project assigned?}
    B{Does the given user have Developer/Maintainer permissions on the Security Policy Project?}
    C{Is the given user an Owner of Project A?}
    D(User can create/modify policies)
    E(User cannot create/modify policies)
    F(User can create/modify policies)
    G(User cannot create/modify policies)
    A -->|Yes| B
    A -->|No| C
    C -->|Yes| D
    C -->|No| E
    B -->|Yes| F
    B -->|No| G
```

Screenshots or screen recordings

| Before | After |
| --- | --- |
| Screenshot_2023-01-19_at_1.45.21_PM | Screenshot_2023-01-19_at_1.43.26_PM |

How to set up and validate locally

  1. Create a security policy project for a development project from Security & Compliance -> Policies -> New Policy
  2. Give a second user Maintainer Access to both the newly created Security Policy Project and the Development Project.
  3. Log in as the second user and try to create or edit a security policy for the development project
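The decision tree in the diagram above and the "second user with Maintainer access to both projects" scenario from the validation steps, as an added example that is not GitLab's own code (GitLab implements this in DeclarativePolicy; the `Project`, `User`, `ACCESS_LEVELS` and `can_modify_security_policy?` names below are assumptions made for the illustration). Two things the tree shows that are worth seeing in code: once a policy project is assigned, the user's role on the development project itself is never consulted, and without a policy project only an Owner passes, so a Maintainer of a fresh project is refused. Reading "Developer/Maintainer" as "Developer or higher" is also an assumption of this example.

```ruby
# Added example, not GitLab's code: the modify_security_policy decision tree
# from the MR description, modelled with plain Ruby objects. Project, User,
# ACCESS_LEVELS and can_modify_security_policy? are assumed names.

ACCESS_LEVELS = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

User = Struct.new(:name)

class Project
  attr_reader :name, :security_policy_project

  # security_policy_project: the Project holding this project's policies, or nil
  def initialize(name, security_policy_project: nil)
    @name = name
    @security_policy_project = security_policy_project
    @members = {}
  end

  def add_member(user, role)
    @members[user] = ACCESS_LEVELS.fetch(role)
    self
  end

  # 0 when the user is not a member at all
  def access_level(user)
    @members.fetch(user, 0)
  end
end

# The decision tree from the diagram:
#   policy project assigned? -> yes: Developer or higher on the policy project
#                            -> no:  Owner of the target project itself
# Treating "Developer/Maintainer" as "Developer or higher" (so an Owner of the
# policy project also qualifies) is an assumption of this example.
def can_modify_security_policy?(user, project)
  policy_project = project.security_policy_project
  if policy_project
    policy_project.access_level(user) >= ACCESS_LEVELS[:developer]
  else
    project.access_level(user) >= ACCESS_LEVELS[:owner]
  end
end

# Constructed scenarios covering every leaf of the tree, including the
# "second user with Maintainer on both projects" case from the local
# validation steps.
def modify_policy_scenarios
  owner, second_user, policy_dev, outsider =
    %w[owner second_user policy_dev outsider].map { |n| User.new(n) }

  policy_project = Project.new("app-security-policies")
    .add_member(owner, :owner)
    .add_member(second_user, :maintainer)
    .add_member(policy_dev, :developer)

  app = Project.new("app", security_policy_project: policy_project)
    .add_member(owner, :owner)
    .add_member(second_user, :maintainer)

  # A project with no policy project yet: only its Owner may create one.
  fresh = Project.new("fresh")
    .add_member(owner, :owner)
    .add_member(second_user, :maintainer)

  {
    app_owner: can_modify_security_policy?(owner, app),                        # true
    app_second_user_maintainer: can_modify_security_policy?(second_user, app), # true (validation step 3)
    app_policy_dev_only: can_modify_security_policy?(policy_dev, app),         # true: not an app member, still passes
    app_outsider: can_modify_security_policy?(outsider, app),                  # false
    fresh_owner: can_modify_security_policy?(owner, fresh),                    # true
    fresh_maintainer: can_modify_security_policy?(second_user, fresh)          # false: Maintainer is not Owner
  }
end

if $PROGRAM_NAME == __FILE__
  modify_policy_scenarios.each { |scenario, allowed| puts "#{scenario}: #{allowed}" }
end
```

Running the file prints one line per scenario; the `app_policy_dev_only` case is the one to keep in mind when reviewing, since the tree grants policy access on the strength of the policy project membership alone.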

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Sashi Kumar Kumaresan
