Add "Manage CI/CD Settings" as a customizable permission

Release notes

Group Owners and project Maintainers can manage CI/CD settings. Granting those roles just for this purpose often leaves a user overprivileged, holding destructive group or project permissions they do not need. With the release of this permission, you can create a custom role that combines Developer (or any other base role) with this permission to manage CI/CD settings.

Problem to solve

As organizations add users to their groups and projects, they are often forced to escalate a user's privileges just to grant one specific permission. In this case, teams have to promote users to Owner on a group so they can manage variables and runners, or to Maintainer on a project, even though the users do not need the other permissions of those static roles. A few other specifics include:

  1. Ability for maintainers to configure group runners and CI/CD variables without giving owner access. Users have to ask owners to make these changes or elevate privileges.
  2. Allow the developer to manage CI/CD variables without promoting to Maintainer.
  3. Developer leads needing to adjust CI/CD settings.

User experience goal

  1. When creating a role, any base can be selected. A new permission is available and labeled as "Manage CI/CD Settings".
  2. This role will allow a team member to edit any CI/CD settings under a group or project.
  3. If the user role is assigned at the group level, they will be able to edit the group's CI/CD settings and the CI/CD settings of its subgroups and projects. This continues to follow the waterfall permission model.
  4. If the user role is assigned at the project level, they will only see CI/CD settings for the project.
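
Added example (not GitLab code and not part of the original issue): a simplified Python model of the waterfall rule in items 3 and 4, usable as an audit sketch to see who reaches CI/CD settings through the custom permission and who only through a static Owner or Maintainer role. The namespace paths and memberships are constructed, and the user names reuse the personas under "Intended users" only as labels.

```python
"""Simplified model of the waterfall rule for admin_cicd_settings (not GitLab code)."""
DEVELOPER, MAINTAINER, OWNER = 30, 40, 50  # GitLab access-level values

# Constructed memberships: (user, namespace path, base access level, custom permissions)
MEMBERSHIPS = [
    ("sasha",    "acme",                   DEVELOPER, {"admin_cicd_settings"}),
    ("rachel",   "acme/platform/deployer", DEVELOPER, {"admin_cicd_settings"}),
    ("sidney",   "acme/platform",          OWNER,     set()),
    ("priyanka", "acme/platform/deployer", DEVELOPER, set()),
]
# Constructed namespace tree: path -> "group" or "project"
NAMESPACES = {
    "acme": "group",
    "acme/platform": "group",
    "acme/platform/deployer": "project",
    "acme/web": "project",
}

def covers(assigned, target):
    """A membership applies to its own namespace and everything beneath it."""
    return target == assigned or target.startswith(assigned + "/")

def cicd_access(user, target):
    """Return 'custom', 'static' or None: how `user` can edit CI/CD settings on `target`."""
    # Static roles, per the issue: Owner on groups, Maintainer on projects.
    needed = OWNER if NAMESPACES[target] == "group" else MAINTAINER
    found = None
    for who, path, level, perms in MEMBERSHIPS:
        if who != user or not covers(path, target):
            continue
        if "admin_cicd_settings" in perms:
            return "custom"  # least-privilege route: base role + permission
        if level >= needed:
            found = "static"
    return found

def editable(user):
    """Every namespace whose CI/CD settings `user` can edit."""
    return sorted(t for t in NAMESPACES if cicd_access(user, t))

def static_only_grants():
    """Memberships whose only route to CI/CD settings is Owner/Maintainer:
    candidates to review for replacement with a custom role."""
    return sorted((u, p) for u, p, _, _ in MEMBERSHIPS if cicd_access(u, p) == "static")
```
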

Intended users

  • Sasha, Software Developer
  • Rachel, Release Manager
  • Priyanka, Platform Engineer
  • Sidney, Systems Admin

Proposal

  1. When creating a role, any base can be selected. A new permission is available and labeled "Manage Merge Request Settings" that can be selected.
  2. The permission actions for admin_cicd_settings include:

Group Actions
  1. CI/CD Settings
    • Variables (Create / Edit / Delete)
    • Runners
    • AutoDevOps
    • Protected Environments (Protect / Unprotect)

Project Actions
  1. CI/CD Settings
    • General Pipeline configuration
    • AutoDevOps
    • Protected Environment (Protect / Unprotect)
    • Artifacts
    • Variables (Create / Edit / Delete)
    • Pipeline Trigger Tokens
    • Automatic Deployment Rollbacks
    • Deploy Freezes
    • Token Access
    • Secure Files (Create / Edit / Delete)
    • Pipeline Subscriptions

  3. As future CI/CD settings are released, they should be added to this permission, admin_cicd_settings.
  4. This will not include instance CI/CD settings.
  5. Over time, customers may request that these resources be made fine-grained. For example, CI/CD variables is available today, and future requests may come for artifacts.

Views+Workflows include:

  • Base + permission: Can see Group -> Settings -> CI/CD settings
  • Base + permission: Can see Project -> Settings -> CI/CD settings

APIs

  • https://docs.gitlab.com/ee/api/project_level_variables.html
  • https://docs.gitlab.com/ee/api/group_level_variables.html
  • https://docs.gitlab.com/ee/api/protected_environments.html
  • https://docs.gitlab.com/ee/api/group_protected_environments.html
  • https://docs.gitlab.com/ee/api/pipeline_triggers.html
  • https://docs.gitlab.com/ee/api/secure_files.html
  • https://docs.gitlab.com/ee/api/graphql/reference/#mutationprojectcicdsettingsupdate

Documentation

  • Permission Description: Configure CI/CD settings at the group or project level. Group actions include .... Project actions include .
  • Update prerequisites for...

Evidence

  • #391760 (comment 1518926356)
  • #391760 (comment 1604646152)
  • #391760 (comment 1418981684)
Edited Aug 18, 2025 by 🤖 GitLab Bot 🤖