gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
Diffstat (limited to 'doc/user/compliance/compliance_dashboard/index.md')
-rw-r--r-- doc/user/compliance/compliance_dashboard/index.md 42
1 files changed, 41 insertions, 1 deletions
diff --git a/doc/user/compliance/compliance_dashboard/index.md b/doc/user/compliance/compliance_dashboard/index.md
index e7db73e25d9..5c05725d95b 100644
--- a/doc/user/compliance/compliance_dashboard/index.md
+++ b/doc/user/compliance/compliance_dashboard/index.md
@@ -17,7 +17,10 @@ for merging into production.
To access the Compliance Dashboard for a group, navigate to **{shield}** **Security & Compliance > Compliance** on the group's menu.
-![Compliance Dashboard](img/compliance_dashboard_v13_2.png)
+![Compliance Dashboard](img/compliance_dashboard_v13_3_1.png)
+
+NOTE: **Note:**
+The Compliance Dashboard shows only the latest MR on each project.
## Use cases
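Review bot: The note added under the screenshot uses the abbreviation "MR" while the rest of the page spells out "Merge Request", and "latest" does not say whether it means the most recently created, updated or merged one. Suggest spelling the term out and naming the ordering, since a reader using the dashboard as compliance evidence needs to know that earlier Merge Requests on the same project are not shown.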
@@ -34,3 +37,40 @@ You can use the dashboard to:
- On [GitLab Ultimate](https://about.gitlab.com/pricing/) tier.
- By **Administrators** and **Group Owners**.
+
+## Approval status and separation of duties
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/217939) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 13.3.
+
+We support a separation of duties policy between users who create and approve Merge Requests.
+The approval status column can help you identify violations of this policy.
+Our criteria for the separation of duties is as follows:
+
+- [A Merge Request author is **not** allowed to approve their Merge Request](../../project/merge_requests/merge_request_approvals.md#allowing-merge-request-authors-to-approve-their-own-merge-requests)
+- [A Merge Request committer is **not** allowed to approve a Merge Request they have added commits to](../../project/merge_requests/merge_request_approvals.md#prevent-approval-of-merge-requests-by-their-committers)
+- [The minimum number of approvals required to merge a Merge Request is **at least** two](../../project/merge_requests/merge_request_approvals.md#approval-rules)
+
+The "Approval status" column shows you, at a glance, whether a Merge Request is complying with the above.
+This column has four states:
+
+| State | Description |
+|:------|:------------|
+| Empty | The Merge Request approval status is unknown |
+| ![Failed](img/failed_icon_v13_3.png) | The Merge Request **does not** comply with any of the above criteria |
+| ![Warning](img/warning_icon_v13_3.png) | The Merge Request complies with **some** of the above criteria |
+| ![Success](img/success_icon_v13_3.png) | The Merge Request complies with **all** of the above criteria |
+
+If you do not see the success icon in your Compliance dashboard; please review the above criteria for the Merge Requests
+project to make sure it complies with the separation of duties described above.
+
+## Chain of Custody report
+
+The Chain of Custody report allows customers to export a list of merge commits within the group.
+The data provides a comprehensive view with respect to merge commits. It includes the merge commit SHA,
+merge request author, merge request ID, merge user, pipeline ID, group name, project name, and merge request approvers.
+
+To download the Chain of Custody report, navigate to **{shield}** **Security & Compliance > Compliance** on the group's menu and click **List of all merge commits**
+
+NOTE: **Note:**
+The Chain of Custody report download is a CSV file, with a maximum size of 15 MB.
+The remaining records are truncated when this limit is reached.
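Review bot: In the state table, the Failed row reads "**does not** comply with any of the above criteria", which can mean either failing at least one criterion or failing all of them; next to the Warning row ("some") the intended meaning appears to be none, so suggest "complies with **none** of the above criteria". In the paragraph after the table, the semicolon in "Compliance dashboard; please review" should be a comma, "Merge Requests project" needs a possessive, and "Compliance dashboard" should match the "Compliance Dashboard" capitalization used elsewhere in the file. In the Chain of Custody section, the download sentence is missing its final period, and the closing note says records past 15 MB are truncated without saying how a reader can tell that an export was cut off or which records are dropped; for a report used as audit evidence that is worth documenting.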