diff --git a/ee/app/models/approval_rules/approval_group_rule.rb b/ee/app/models/approval_rules/approval_group_rule.rb
index 6851d9ee4d2f10c750121b36d9af46c9176fbd25..49618c2b9384bc8a71345b458f7f66edac177e9a 100644
--- a/ee/app/models/approval_rules/approval_group_rule.rb
+++ b/ee/app/models/approval_rules/approval_group_rule.rb
@@ -21,6 +21,7 @@ class ApprovalGroupRule < ApplicationRecord
       scope: :group_id,
       message: proc { _('any-approver for the group already exists') }
     }, if: :any_approver?
+    validates :group, presence: true, top_level_group: true
 
     def audit_add(_model)
       # currently no audit on group add, only on project.
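Review bot: The added `validates :group, presence: true, top_level_group: true` is unconditional, so it runs on every save and not only when the group changes. Any rule already stored against a subgroup would then fail unrelated updates with `RecordInvalid`; whether such rows exist is not visible from this hunk, so it is worth confirming, or cleaning them up, before this ships. A short why-comment above the line would record the policy, e.g. `# Group approval rules are only supported on top-level groups; subgroups are rejected.` The check also lives at the model layer only, so writes that skip validations (`update_column`, `insert_all`) are not covered by it. The class body starts before and continues past this hunk.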
diff --git a/ee/spec/models/approval_rules/approval_group_rule_spec.rb b/ee/spec/models/approval_rules/approval_group_rule_spec.rb
index dd2ed0fbaee8a14b8889a504e03a6a996dc9d665..f2a8886bef741dcf42bb3d8088fa124da5dbe622 100644
--- a/ee/spec/models/approval_rules/approval_group_rule_spec.rb
+++ b/ee/spec/models/approval_rules/approval_group_rule_spec.rb
@@ -23,6 +23,23 @@
           'Validation failed: Applies to all protected branches must be enabled.')
       end
     end
+
+    context 'for groups' do
+      let_it_be(:parent) { create(:group) }
+      let_it_be(:child) { create(:group, parent: parent) }
+
+      it 'supports top level groups' do
+        group_approval_rule.update!(group: parent)
+        expect(group_approval_rule.group).to eq(parent)
+      end
+
+      it 'child groups are not supported' do
+        expect do
+          group_approval_rule.update!(group: child)
+        end.to raise_error(ActiveRecord::RecordInvalid,
+          'Validation failed: Group must be a top level Group')
+      end
+    end
   end
 
   describe 'associations' do
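Review bot: The new `for groups` context exercises the top-level check only through `update!`, and nothing covers the `presence: true` half of the validation added in the model. A nil-group case would pin that, for example `group_approval_rule.group = nil` followed by `expect(group_approval_rule).not_to be_valid`. A group nested more than one level deep is also worth a case, in case the validator only inspects the immediate parent; its implementation is not shown here. The example name `'child groups are not supported'` would read more consistently as `'rejects child groups'` next to `'supports top level groups'`. The enclosing `describe` begins outside the hunk.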