Add modify_security_policy permission
What does this MR do and why?
Addresses #381714 (closed)
Currently we have `read_security_orchestration_policies` and `update_security_orchestration_policy_project` permissions, but they denote the ability to read/update the policy project associated with a target project. We are using the same permission to check if a user had permission to create/update a policy, which is misleading. This MR introduces a new permission `modify_security_policy` that will be used to check if a user has access to create/update a security policy for a project/group.
```mermaid
graph TD
A{Does Project A have Security Policy Project assigned?} -->|Yes| B{Does given user have Developer/Maintainer Permissions to Security Policy Project?}
A{Does Project A have Security Policy Project assigned?} -->|No| C{Is given user an Owner of the Project A?}
C{Is given user an Owner of the Project A?} -->|Yes| D(User can create/modify policies)
C{Is given user an Owner of the Project A?} -->|No| E(User cannot create/modify policies)
B{Does given user have Developer/Maintainer Permissions to Security Policy Project?} -->|Yes| F(User can create/modify policies)
B{Does given user have Developer/Maintainer Permissions to Security Policy Project?} -->|No| G(User cannot create/modify policies)
```
How to set up and validate locally
- Create a security policy project for a development project from Security & Compliance -> Policies -> New Policy
- Give a second user Maintainer Access to both the newly created Security Policy Project and the Development Project.
- Log in as the second user and try to create or edit a security policy for the development project
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Edited by Sashi Kumar Kumaresan
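
The decision flow in the flowchart above, modelled in plain Ruby as an added example; it is not code from this MR or from GitLab's policy classes. The method name, the hash shapes and the sample projects are hypothetical, the numeric levels mirror GitLab's role values, and "Developer/Maintainer" is assumed to mean Developer or higher.

```ruby
# Added example: plain-Ruby model of the flowchart, not GitLab's policy code.
# Numeric levels mirror GitLab's role values; all other names are hypothetical.
DEVELOPER = 30
MAINTAINER = 40
OWNER = 50

# project:     { id:, policy_project_id: } (policy_project_id is nil when none is assigned)
# memberships: { project_id => access_level } for a single user
def can_modify_security_policy?(project, memberships)
  policy_project_id = project[:policy_project_id]
  if policy_project_id
    # Policy project assigned: only the role on the policy project counts.
    # Assumption: "Developer/Maintainer" means Developer or higher.
    memberships.fetch(policy_project_id, 0) >= DEVELOPER
  else
    # No policy project assigned: the user must be an Owner of the target project.
    memberships.fetch(project[:id], 0) >= OWNER
  end
end

# Constructed sample data covering every branch of the flowchart.
PROJECT_WITH_POLICY = { id: 1, policy_project_id: 2 }.freeze
PROJECT_WITHOUT_POLICY = { id: 3, policy_project_id: nil }.freeze

CASES = {
  "maintainer on both projects" => [PROJECT_WITH_POLICY, { 1 => MAINTAINER, 2 => MAINTAINER }],
  "owner of project, no role on policy project" => [PROJECT_WITH_POLICY, { 1 => OWNER }],
  "developer on policy project only" => [PROJECT_WITH_POLICY, { 2 => DEVELOPER }],
  "owner, no policy project assigned" => [PROJECT_WITHOUT_POLICY, { 3 => OWNER }],
  "maintainer, no policy project assigned" => [PROJECT_WITHOUT_POLICY, { 3 => MAINTAINER }]
}.freeze

# Evaluate every case and return { case name => allowed? }.
def decision_matrix
  CASES.transform_values do |(project, memberships)|
    can_modify_security_policy?(project, memberships)
  end
end

decision_matrix.each do |name, allowed|
  puts format("%-45s %s", name, allowed ? "allow" : "deny")
end
```

The second case is the one worth a spec: once a policy project is assigned, being an Owner of the target project alone no longer grants the ability to modify policies.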