diff --git a/ee/app/controllers/projects/security/policies_controller.rb b/ee/app/controllers/projects/security/policies_controller.rb
index 183c24b45f059394e7c824289cbfe8fb98349a19..1fddd44dd519c6ec5b2ebd7307083726f849850b 100644
--- a/ee/app/controllers/projects/security/policies_controller.rb
+++ b/ee/app/controllers/projects/security/policies_controller.rb
@@ -5,7 +5,7 @@ module Security
 class PoliciesController < Projects::ApplicationController
 include SecurityAndCompliancePermissions
- before_action :authorize_security_orchestration_policies!
+ before_action :authorize_read_security_orchestration_policies!
 before_action :validate_policy_configuration, only: :edit
 before_action do
diff --git a/ee/app/graphql/mutations/security_policy/commit_scan_execution_policy.rb b/ee/app/graphql/mutations/security_policy/commit_scan_execution_policy.rb
index 320fe48edc908ac90a5693fa58e44fa2cb91ec77..803a05fd0bd34821cadc974798d383bd31371f9a 100644
--- a/ee/app/graphql/mutations/security_policy/commit_scan_execution_policy.rb
+++ b/ee/app/graphql/mutations/security_policy/commit_scan_execution_policy.rb
@@ -8,7 +8,7 @@ class CommitScanExecutionPolicy < BaseMutation
 include FindsProjectOrGroupForSecurityPolicies
- authorize :security_orchestration_policies
+ authorize :read_security_orchestration_policies
 argument :full_path, GraphQL::Types::String,
 required: false,
diff --git a/ee/app/graphql/resolvers/concerns/resolves_orchestration_policy.rb b/ee/app/graphql/resolvers/concerns/resolves_orchestration_policy.rb
index b70c6cf3cefd008eff4e5fbff4bd791c2acf621a..741e54ba2eac0332185afeb904a1a909a27b5b77 100644
--- a/ee/app/graphql/resolvers/concerns/resolves_orchestration_policy.rb
+++ b/ee/app/graphql/resolvers/concerns/resolves_orchestration_policy.rb
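Review bot: `authorize :read_security_orchestration_policies` on `CommitScanExecutionPolicy` gates a write (committing a policy) with an ability whose new name says read, and the same ability now guards every action of `PoliciesController`, including `edit`. The rules that grant it are left at `can?(:developer_access)` elsewhere in this commit, so the rename changes the name but not who can commit policies; if that is intended, a comment on the `authorize` line such as `# read-level ability is deliberate here; the commit target's own permissions are checked elsewhere — TODO(review) confirm` would stop the next reader from treating it as a bug. Otherwise a distinct write ability for the commit path would make the mutation's name and its gate agree (the spec hunks show `:update_security_orchestration_policy_project` already exists for a related write). The mutation's resolve body and any service-level checks are outside the hunk, so I cannot tell from here whether further authorization happens there.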
@@ -14,7 +14,7 @@ module ResolvesOrchestrationPolicy
 def authorize!
 Ability.allowed?(
- context[:current_user], :security_orchestration_policies, policy_configuration.security_policy_management_project
+ context[:current_user], :read_security_orchestration_policies, policy_configuration.security_policy_management_project
 ) || raise_resource_not_available_error!
 end
diff --git a/ee/app/policies/ee/group_policy.rb b/ee/app/policies/ee/group_policy.rb
index fa78f57379e2188b8c613c5112d7d161ca4774a2..716806303b8557c0dabe053d643329a13622dd9d 100644
--- a/ee/app/policies/ee/group_policy.rb
+++ b/ee/app/policies/ee/group_policy.rb
@@ -311,7 +311,7 @@ module GroupPolicy
 end
 rule { security_orchestration_policies_enabled & can?(:developer_access) }.policy do
- enable :security_orchestration_policies
+ enable :read_security_orchestration_policies
 end
 rule { security_dashboard_enabled & developer }.policy do
diff --git a/ee/app/policies/ee/project_policy.rb b/ee/app/policies/ee/project_policy.rb
index 46e5f7e114458332e0cdae4f5f852f6355e76bc5..8270feaad939a7e105195e2b23f48ce8d06a4401 100644
--- a/ee/app/policies/ee/project_policy.rb
+++ b/ee/app/policies/ee/project_policy.rb
@@ -199,7 +199,7 @@ module ProjectPolicy
 rule { can?(:read_project) & iterations_available }.enable :read_iteration
 rule { security_orchestration_policies_enabled & can?(:developer_access) }.policy do
- enable :security_orchestration_policies
+ enable :read_security_orchestration_policies
 end
 rule { security_orchestration_policies_enabled & can?(:owner_access) }.policy do
diff --git a/ee/lib/ee/sidebars/projects/menus/security_compliance_menu.rb b/ee/lib/ee/sidebars/projects/menus/security_compliance_menu.rb
index 838accb780aefbccf3b2f7bbd8cce85667f19567..615ee9bef44354a8378dcfed940967d212287f0a 100644
--- a/ee/lib/ee/sidebars/projects/menus/security_compliance_menu.rb
+++ b/ee/lib/ee/sidebars/projects/menus/security_compliance_menu.rb
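Review bot: The `.policy do` blocks in group_policy.rb and project_policy.rb replace `enable :security_orchestration_policies` outright rather than keeping it alongside the new name, so any `can?`/`authorize` call this commit did not update fails closed silently (as far as I know DeclarativePolicy treats an ability with no enabling rule as not allowed rather than raising), which is easy to miss in a rename spread over this many files. Keeping `enable :security_orchestration_policies # deprecated alias; drop once every caller uses :read_security_orchestration_policies` in the same block for one release, or at least confirming a repository-wide search for the old symbol, would make the transition explicit. In the `authorize!` hunk of resolves_orchestration_policy.rb the check runs against `policy_configuration.security_policy_management_project` rather than the project or group being queried; that is pre-existing, but now that the ability is read-named a one-line comment such as `# ability is evaluated on the policy management project, not the queried project/group` would save the next reader a detour.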
@@ -145,7 +145,7 @@ def threat_monitoring_menu_item
 end
 def scan_policies_menu_item
- unless can?(context.current_user, :security_orchestration_policies, context.project)
+ unless can?(context.current_user, :read_security_orchestration_policies, context.project)
 return ::Sidebars::NilMenuItem.new(item_id: :scan_policies)
 end
diff --git a/ee/lib/sidebars/groups/menus/security_compliance_menu.rb b/ee/lib/sidebars/groups/menus/security_compliance_menu.rb
index 4b112bd82c27d10cb258ff9c2c2cf720547d097a..24f72b3020601d09d03196cc6a8553240d7b3b1e 100644
--- a/ee/lib/sidebars/groups/menus/security_compliance_menu.rb
+++ b/ee/lib/sidebars/groups/menus/security_compliance_menu.rb
@@ -125,7 +125,7 @@ def scan_policies_menu_item
 def group_level_security_policies_available?
 Feature.enabled?(:group_level_security_policies, context.group, default_enabled: :yaml) &&
- can?(context.current_user, :security_orchestration_policies, context.group)
+ can?(context.current_user, :read_security_orchestration_policies, context.group)
 end
 def audit_events_menu_item
diff --git a/ee/spec/policies/group_policy_spec.rb b/ee/spec/policies/group_policy_spec.rb
index ce9cd536b64c8a06a765ab91af3320e7117807a0..06ddb34452fe9808a77e5fe0213667bcd15493ed 100644
--- a/ee/spec/policies/group_policy_spec.rb
+++ b/ee/spec/policies/group_policy_spec.rb
@@ -922,7 +922,7 @@ def stub_group_saml_config(enabled)
 with_them do
 let(:current_user) { public_send(role) }
- it { is_expected.to be_allowed(:security_orchestration_policies) }
+ it { is_expected.to be_allowed(:read_security_orchestration_policies) }
 end
 end
@@ -932,7 +932,7 @@ def stub_group_saml_config(enabled)
 with_them do
 let(:current_user) { public_send(role) }
- it { is_expected.to be_allowed(:security_orchestration_policies) }
+ it { is_expected.to be_allowed(:read_security_orchestration_policies) }
 end
 end
 end
@@ -1947,7 +1947,7 @@ def expect_private_group_permissions_as_if_non_member
 with_them do
 let(:current_user) { public_send(role) }
- it { is_expected.to be_disallowed(:security_orchestration_policies) }
+ it { is_expected.to be_disallowed(:read_security_orchestration_policies) }
 it { is_expected.to be_disallowed(:update_security_orchestration_policy_project) }
 end
 end
@@ -1958,7 +1958,7 @@ def expect_private_group_permissions_as_if_non_member
 with_them do
 let(:current_user) { public_send(role) }
- it { is_expected.to be_disallowed(:security_orchestration_policies) }
+ it { is_expected.to be_disallowed(:read_security_orchestration_policies) }
 it { is_expected.to be_disallowed(:update_security_orchestration_policy_project) }
 end
 end
@@ -1975,7 +1975,7 @@ def expect_private_group_permissions_as_if_non_member
 with_them do
 let(:current_user) { public_send(role) }
- it { is_expected.to be_allowed(:security_orchestration_policies) }
+ it { is_expected.to be_allowed(:read_security_orchestration_policies) }
 it { is_expected.to be_disallowed(:update_security_orchestration_policy_project) }
 end
 end
@@ -1986,7 +1986,7 @@ def expect_private_group_permissions_as_if_non_member
 with_them do
 let(:current_user) { public_send(role) }
- it { is_expected.to be_allowed(:security_orchestration_policies) }
+ it { is_expected.to be_allowed(:read_security_orchestration_policies) }
 it { is_expected.to be_allowed(:update_security_orchestration_policy_project) }
 end
 end
diff --git a/ee/spec/policies/project_policy_spec.rb b/ee/spec/policies/project_policy_spec.rb
index 4159d23b0c07662d8f8f1d031236d9aef68425fb..5a086fffbdc598b6c809a903f2b8268dfd427062 100644
--- a/ee/spec/policies/project_policy_spec.rb
+++ b/ee/spec/policies/project_policy_spec.rb
@@ -779,7 +779,7 @@
 with_them do
 let(:current_user) { public_send(role) }
- it { is_expected.to be_allowed(:security_orchestration_policies) }
+ it { is_expected.to be_allowed(:read_security_orchestration_policies) }
 it { is_expected.to be_disallowed(:update_security_orchestration_policy_project) }
 end
 end
@@ -790,7 +790,7 @@
 with_them do
 let(:current_user) { public_send(role) }
- it { is_expected.to be_allowed(:security_orchestration_policies) }
+ it { is_expected.to be_allowed(:read_security_orchestration_policies) }
 it { is_expected.to be_allowed(:update_security_orchestration_policy_project) }
 end
 end