Skip to content

Fixes issues with displaying compliance frameworks

Max Woolf requested to merge 325988-compliance-frameworks-fixes into master

What does this MR do?

  • Splits the admin_compliance_framework policy to create a new policy: read_compliance_frameworks to address the below scenario.
  • Users who are subgroup owners but not owners of the root ancestor cannot create/delete/update compliance frameworks (by design, this is not a bug), but currently are presented with a UI that suggests that they can.
  • Updates the frontend to reflect this. (Removes edit/delete/add buttons, the backend was already preventing them from performing these actions.)
  • On the group settings page for a subgroup, updated the GraphQL query to query the root ancestor. Subgroups never have compliance frameworks, they're always created at the root of the group hierarchy.

Screenshots (strongly suggested)

Empty set

The link in the description links to the root ancestor's member list ordered by max level descending (owners first.) (h/t @aregnery)

Root Ancestor Owner Sees Root Ancestor Non-Owner Sees
Screenshot_2021-03-29_at_10.25.54 Screenshot_2021-03-29_at_09.54.55

List

Root Ancestor Owner Sees Root Ancestor Non-Owner Sees
Screenshot_2021-03-29_at_11.21.52 Screenshot_2021-03-29_at_09.54.13

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team

Related to #325988 (closed)

Merge request reports