Remove `admin_vulnerability` from developer role
Currently, developers can read vulnerabilities (`read_vulnerability` and `read_security_resource`) and change their status (`admin_vulnerability`).
For custom roles, the requirement of a customer is that developers can `read` vulnerabilities but not edit them (= change their status).
From a technical perspective, anyone who can `read_security_resource` can `admin_vulnerability`. This can be solved by adding a condition such as `read_security_resource & maintainer` to enable `admin_vulnerability`, but we need to solve the possible breaking change problem.
Right now there is no possibility to remove permissions for a custom role, only to add them. There is no plan to implement this in the near future.
## Implementation Plan
* [x] Remove [`:create_vulnerability_feedback`](https://gitlab.com/gitlab-org/gitlab/-/blob/17857f6fdf134fdf9256bb5708e5c50d035f11bf/ee/app/policies/ee/project_policy.rb#L375) from Developer role. https://gitlab.com/gitlab-org/gitlab/-/merge_requests/136121
* [x] Remove [`:destroy_vulnerability_feedback`](https://gitlab.com/gitlab-org/gitlab/-/blob/17857f6fdf134fdf9256bb5708e5c50d035f11bf/ee/app/policies/ee/project_policy.rb#L376) from Developer role. https://gitlab.com/gitlab-org/gitlab/-/merge_requests/136121
* [x] Remove [`:update_vulnerability_feedback`](https://gitlab.com/gitlab-org/gitlab/-/blob/17857f6fdf134fdf9256bb5708e5c50d035f11bf/ee/app/policies/ee/project_policy.rb#L377) from Developer role. https://gitlab.com/gitlab-org/gitlab/-/merge_requests/136121
* [x] Create [feature flag](https://gitlab.com/gitlab-org/gitlab/-/issues/429122) to disable developer access.
* [x] Do not enable `:admin_vulnerability` for Developer role when feature flag is enabled.
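
The rule change described above, modeled in plain Ruby as an added example (not GitLab's policy code). `abilities_for` and `lost_abilities` are hypothetical helpers, and the model covers only the three roles and three abilities named in this issue.

```ruby
# Added illustration: a plain-Ruby model of the rule change, not GitLab's policy code.
# ACCESS_LEVEL values mirror GitLab's numeric access levels; abilities_for and
# lost_abilities are hypothetical helpers.
ACCESS_LEVEL = { developer: 30, maintainer: 40, owner: 50 }.freeze

READ_ABILITIES = %i[read_vulnerability read_security_resource].freeze

# Returns the vulnerability-related abilities a role holds.
# flag_enabled models disable_developer_access_to_admin_vulnerability.
def abilities_for(role, flag_enabled:)
  level = ACCESS_LEVEL.fetch(role) # raises KeyError on an unknown role
  abilities = READ_ABILITIES.dup

  # Old rule: read_security_resource alone enables admin_vulnerability.
  # New rule: read_security_resource AND maintainer-or-above.
  can_read = abilities.include?(:read_security_resource)
  is_maintainer = level >= ACCESS_LEVEL[:maintainer]
  abilities << :admin_vulnerability if can_read && (!flag_enabled || is_maintainer)
  abilities
end

# Abilities a role loses when the flag is turned on: the breaking change.
def lost_abilities(role)
  abilities_for(role, flag_enabled: false) - abilities_for(role, flag_enabled: true)
end

if __FILE__ == $PROGRAM_NAME
  ACCESS_LEVEL.each_key do |role|
    puts "#{role}: loses #{lost_abilities(role).inspect} when the flag is enabled"
  end
end
```

Diffing the two ability sets per role is a quick way to list exactly which existing users are affected before the flag is enabled by default.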
## Verification Steps
1. Enable the [`disable_developer_access_to_admin_vulnerability`](https://gitlab.com/gitlab-org/gitlab/-/issues/429122) feature flag on a Group actor.
2. Log in with an account that has `Developer` access to the group.
3. View the following pages to ensure that the logged-in user cannot change the Vulnerability status:
   * [Pipeline Security Tab](https://gitlab.com/custom-roles-root-group/custom-roles-testing/-/pipelines/984494055/security)
   * Instance Level Vulnerability Report
   * [Group Level Vulnerability Report](https://gitlab.com/groups/custom-roles-root-group/-/security/vulnerabilities/)
   * [Project Level Vulnerability Report](https://gitlab.com/custom-roles-root-group/custom-roles-testing/-/security/vulnerability_report)
   * [Merge Request Security Widget](https://gitlab.com/custom-roles-root-group/custom-roles-testing/-/merge_requests/1)