Authentication and Authorization Group

1. You are here:
2. Engineering
3. Development Department
4. Dev Sub-department
5. Manage Stage
6. Authentication and Authorization Group

Maintained by:

On this page

• Manage:Authentication and Authorization
• How we work
  • Prioritization
  • Cross-functional Backlog
  • Merged Merge Request Types
  • Organizing the work
    • Backlog management
      • Refinement
      • Next Up
    • Breaking down or promoting issues
    • Managing discussions, information, decisions, and action items in an issue.
  • Estimation
    • Implementation Approach
  • Planning
  • During a release
  • Proof-of-concept MRs
• Working on unscheduled issues
• Additional considerations
  • Code Review
  • Security Rota
  • Refinement
• Meetings
• Group Members
• Dashboards
• Links and resources

Manage:Authentication and Authorization

How we work

• In accordance with our GitLab values.
• Transparently: nearly everything is public, we record/livestream meetings whenever possible.
• We get a chance to work on the things we want to work on.
• Everyone can contribute; no silos.
  • The goal is to have product give engineering and design the opportunity to be involved with direction and issue definition from the very beginning.
• We do an optional, asynchronous daily stand-up in our group stand-up channel:
  • Manage:Authentication and Authorization #g_manage_auth_daily

Prioritization

Our priorities should follow overall guidance for Product. This should be reflected in the priority label for scheduled issues:

Cross-functional Backlog

(Sisense↗) We also track our backlog of issues, including past due security and infradev issues, and total open SUS-impacting issues and bugs.

Merged Merge Request Types

(Sisense↗) MR Type labels help us report what we're working on to industry analysts in a way that's consistent across the engineering department. The dashboard below shows the trend of MR Types over time and a list of merged MRs.

Organizing the work

We generally follow the Product Development Flow:

1. workflow::problem validation - needs clarity on the problem to solve
2. workflow::design - needs a clear proposal (and mockups for any visual aspects)
3. workflow::solution validation - needs refinement and acceptance from engineering
4. workflow::planning breakdown - needs a Weight estimate
5. workflow::scheduling - needs a milestone assignment
6. workflow::ready for development
7. workflow::in dev
8. workflow::in review
9. workflow::verification - code is in production and pending verification by the DRI engineer

Generally speaking, issues are in one of two states:

• Discovery/refinement: we're still answering questions that prevent us from starting development,
• Implementation: an issue is waiting for an engineer to work on it, or is actively being built.

Basecamp thinks about these stages in relation to the climb and descent of a hill.

While individual groups are free to use as many stages in the Product Development Flow workflow as they find useful, we should be somewhat prescriptive on how issues transition from discovery/refinement to implementation.

Backlog management

Backlog management is very challenging, but we try to do so with the use of labels and milestones.

Refinement

The end goal is defined, where all direct stakeholders says “yes, this is ready for development”. Some issues get there quickly, some require a few passes back and forth to figure out.

The goal is for engineers to have buy-in and feel connected to the roadmap. By having engineering included earlier on, the process can be much more natural and smooth.

To do so, engineering managers, engineers, and designers can be pinged directly from the issue. We're currently exploring converting the Manage project into a group to be able to create groups to more easily ping group members.

To find issues that require refinement, please see the Next Up label and its purpose.

Next Up

• To identify issues that need refinement, use the "Next Up" label.
  • The purpose of the "Next Up" label is to identify issues that are currently in any workflow stage before workflow::ready for development. By using this "Next Up" label in addition to workflow labels, we're able to see exactly what is being refined, e.g., problem, design, solution. This helps identify which issues are closer to being ready to schedule.
• Issues shouldn't receive a milestone for a specific release (e.g. 13.0) until they've received a 👍 from both Product and Engineering. This also means the issue should not be labeled as workflow::ready for development.
  • Product approval is represented by an issue moving into workflow::planning breakdown.
  • Engineering approval is represented by an issue weight measuring its complexity.

Breaking down or promoting issues

Depending on the complexity of an issue, it may be necessary to break down or promote issues. A couple sample scenarios may be:

• We need to do discovery on the design, before we do anything else. A "Discovery:" issue may work best here as it helps to contain the design thinking and discussion there, with the end result being transferred over to a "Implementation:" issue. These prefixes also help to organize what type of issue they are, in the case they are linked to parent issues or epics.
• The scope of work is larger than anticipated, and needs to be broken down further, e.g., it currently has a weight higher than 5. It may suit you to then promote said issue to an epic, to break it down into smaller issues to list out the different iterations or phases of work that need to happen to deliver the overall feature that was originally proposed.
• The scope of work is clear, but a bit unwieldy for one issue. It may make sense to keep the given issue as is, to keep the conversation and activity visible to everyone, but create separate child design, backend, or frontend issues to track the more nuanced progress of a given issue.

If none of the above applies, then the issue is probably fine as-is! It's likely then that the weight of this issue is quite low, e.g., 1-2.

Managing discussions, information, decisions, and action items in an issue.

As part of breaking down or promoting issues, you may find that there are a significant number of threads and comments in a given issue.

It's very important that we make sure any proposal details, pending action items, and decisions are easily visible to any stakeholder coming into an issue. Therefore, it's paramount that the issue description is kept up-to-date, or otherwise broken down or promoted as per the above section.

Estimation

Before work can begin on an issue, we should estimate it first after a preliminary investigation.

If the scope of work of a given issue touches several disciplines (docs, design, frontend, backend, etc.) and involves significant complexity across them, consider creating separate issues for each discipline (see an example).

Issues without a weight should be assigned the "workflow::planning breakdown" label.

When estimating development work, please assign an issue an appropriate weight:

As part of estimation, if you feel the issue is in an appropriate state for an engineer to start working on it, please add the ~"workflow::ready for development" label. Alternatively, if there are still requirements to be defined or questions to be answered that you feel an engineer won't be able to easily resolve, please add the ~"workflow::blocked" label. Issues with the workflow::blocked label will appear in their own column on our planning board, making it clear that they need further attention. When applying the workflow::blocked label, please make sure to leave a comment and ping the DRI on the blocked issue and/or link the blocking issue to raise visibility.

Implementation Approach

For engineers, you may want to create an implementation approach when moving an issue out of ~workflow::planning breakdown. A proposed implementation approach isn't required to be followed, but is helpful to justify a recorded weight.

As the DRI for workflow::planning breakdown, consider following the example below to signal the end of your watch and the issues preparedness to move into scheduling. While more straightforward issues that have already been broken down may use a shorter format, the plan should (at a minimum) always justify the "why" behind an estimation.

The following is an example of an implementation approach from https://gitlab.com/gitlab-org/gitlab/-/issues/247900#implementation-plan. It illustrates that the issue should likely be broken down into smaller sub-issues for each part of the work:

### Implementation approach

~database

1. Add new `merge_requests_author_approval` column to `namespace_settings` table (The final table is TBD)

~"feature flag"

1. Create new `group_merge_request_approvers_rules` flag for everything to live behind

~backend

1. Add new field to `ee/app/services/ee/groups/update_service.rb:117`
1. Update `ee/app/services/ee/namespace_settings/update_service.rb` to support more than just one setting
1. *(if feature flag enabled)* Update the `Projects::CreateService` and `Groups::CreateService` to update newly created projects and sub-groups with the main groups setting
1. *(if feature flag enabled)* Update the Groups API to show the settings value
1. Tests tests and more tests :muscle:

~frontend

1. *(if feature flag enabled)* Add new `Merge request approvals` section to Groups general settings
1. Create new Vue app to render the contents of the section
1. Create new setting and submission process to save the value
1. Tests tests and more tests :muscle:

Once an issue has been estimated, it can then be moved to workflow::scheduling to be assigned a milestone before finally being workflow::ready for development.

Planning

We plan in monthly cycles in accordance with our Product Development Timeline. While meeting this timeline is up to the discretion of individual groups, a typical planning cycle is suggested to look like:

• By the 4th, Product should have created a planning issue for their group in the Manage project for the coming release.
  • This issue should include a tentative plan for the release, along with links to boards that represent the proposed work for the milestone. Please see examples from Fulfillment, Manage, and Create!
  • Issues without estimates should have the workflow::planning breakdown label applied to make estimation easier and be marked for the coming release as Deliverable. Issues of particular significance to our stage's strategy should be marked with direction.
  • At this stage, the Product Manager applies the quad-planning::ready label to all feature issues and assigns them to the SET counterpart for the group.
  • Identify any issues which may have security implications, and ping the Application Security Stable Counterpart and/or request an Application Security Review. The Product Manager will list these in the planning issue.
  • To review the proposed scope and kick start estimation, synchronous meetings with Engineering and Design are recommended.
• By the 12th, all planned issues proposed for the next release should be estimated by engineering (workflow:ready for development).
  • To assist with capacity planning, we track the cumulative weight of closed issues over the past 3 releases on a rolling basis. The proposed scope of work for the next release should not exceed 80% of this to account for slippage from the previous release.
  • After estimation, Product should make any needed adjustments to the proposed scope based on estimates. A synchronous meeting to review the final release scope is recommended.
• By the 20th, Product should review the release that just concluded development (currently, we transition development work from one release to the next on the 18th) for issues that slipped from the milestone. Please evaluate issues that weren't merged in time and reschedule them appropriately.

During a release

• When an issue is introduced into a release after Kickoff, an equal amount of weight must be removed to account for the unplanned work.
• Development should not begin on an issue before it's been estimated and given a weight.
• By the 15th, engineering merge requests should be merged. In other words, we assume code merged after the 15th will not be in the release. That allows time for the release to be finalized, and any associated Release Posts to be merged by the 17th. (This is an experiment starting with 13.11.)

Proof-of-concept MRs

We strongly believe in Iteration and delivering value in small pieces. Iteration can be hard, especially when you lack product context or are working in a particularly risky/complex part of the codebase. If you are struggling to estimate an issue or determine whether it is feasible, it may be appropriate to first create a proof-of-concept MR. The goal of a proof-of-concept MR is to remove any major assumptions during planning and provide early feedback, therefore reducing risk from any future implementation.

• Create an MR, prefixed with PoC: .
• Explain what problem the PoC MR is trying to solve for in the MR description.
• Timebox it. Can you determine feasibility or a plan in less than 2-3 days?
• Identify a reviewer to provide feedback at the end of this period.
• Close the MR. Provide a summary in the original issue on what you learned from the PoC, including product and performance implications.
  • State whether you are able to move forwards with implementation or not.
  • Please do not close the issue.

The need for a proof-of-concept MR may signal that parts of our codebase or product have become overly complex. It's always worth discussing the MR as part of the retrospective so we can discuss how to avoid this step in future.

Working on unscheduled issues

Everyone at GitLab has the freedom to manage their work as they see fit, because we measure results, not hours. Part of this is the opportunity to work on items that aren't scheduled as part of the regular monthly release. This is mostly a reiteration of items elsewhere in the handbook, and it is here to make those explicit:

1. We expect people to be managers of one, and we use GitLab ourselves. If you see something that you think is important, you can request for it to be scheduled, or you can work on a proposal yourself, as long as you keep your other priorities in mind.
2. From time to time, there are events that GitLab team-members can participate in, like the issue bash. Anyone is welcome to participate in these.

When you pick something to work on, please:

1. Follow the standard workflow and assign it to yourself.
2. Share it in #s_manage to encourage transparency

Additional considerations

Code Review

Access works on components of the application that have a far-reaching impact. Because only a simple change can cause widespread support tickets and/or production incidents, there is less room for error which requires us to take these extra steps:

1. Access merge requests will be assigned to another Access engineer for first review in order to build more institutional knowledge across the team
2. Access merge requests will include a comment that needs answered before merging, "Should this be behind a feature flag?" This is an effort to remind engineers about feature flag usage, but also to challenge reasoning as to why changes do not need to be behind a feature flag.
3. Merge requests that are specific to Linear Namespaces will require a feature flag with gradual rollouts, either by grouping the work behind a single flag or by using multiple flags

Security Rota

The Access group are responsible for several product categories that attract a significant amount of scrutiny from a security perspective. An outcome of this is that we see a higher number of new security issues being created compared to other groups, which over time has caused the security backlog to grow. To help tackle the backlog, from milestone 13.3, we will assign 2 Backend Engineers per milestone to a security rota.

The goal of this new process is to achieve more consistent progress in burning through the backlog. Historically we have focussed on solving high severity (severity::1/severity::2) issues, while trying to maintain a pragmatic balance with other concerns in the team - but this hasn't been effective in reducing the overall backlog. By dedicating capacity each milestone we can separate the planning of security issues from the main milestone goals, with the aim of introducing a more optimal process.

Engineers who are part of the rota should work from this board.

More information about security rota can be found here.

Refinement

To help with milestone planning, we encourage asynchronously weighing issues to help get them ready for development.

1. Engineering Managers will review the refinement board (see links below) on a weekly basis.
2. Each Engineer is assigned a few issues per week from the board to be weighed as per the estimation process. Where possible, the people closest to the problem will be assigned.
3. The Engineer assesses issue to determine if it is workflow:ready for development or not. Clarifying questions are asked on the issue. Product Manager adjusts description and scope as needed. This process may take a few days and the objective is to have an issue defined well enough to be estimated.
4. Once all questions are answered and the issue description is updated, Engineering assigns a weight to the issue.
5. To encourage collaboration, the Engineer will pick someone else from the team (at random) to review the discussion.
6. If the reviewer is happy with the weight and scope they will set the workflow:ready for development label. Alternatively they should raise their concerns in the issue. If the proposal is changed, the issue description should be updated.

Meetings

Although we have a bias for asynchronous communication, synchronous meetings are necessary and should adhere to our communication guidelines. Some regular meetings that take place in Manage are:

For one-off, topic specific meetings, please always consider recording these calls and sharing them (or taking notes in a publicly available document).

Agenda documents and recordings can be placed in the shared Google drive (internal only) as a single source of truth.

Meetings that are not 1:1s or covering confidential topics should be added to the Manage Shared calendar.

All meetings should have an agenda prepared at least 12 hours in advance. If this is not the case, you are not obligated to attend the meeting. Consider meetings canceled if they do not have an agenda by the start time of the meeting.

Group Members

Auth group members who are part of the Authentication and Authorization group can be @ mentioned on GitLab with @gitlab-org/manage/authentication-and-authorization.

The following people are permanent members of the group:

Dashboards

• SAML SSO Usage
• Backend overview
• Usage ping

Links and resources

• Stage links
  • Discussions and issues are located at gitlab-org/manage
  • General Slack #s_manage
  • General frontend Slack #s_manage-fe
  • Social channel #manage-social
  • Engineering Manager Slack #s_manage_ems
  • Agendas and notes from stage meetings can be found in this Google Doc. For transparency across the stage, we use one agenda document.
• Milestone retrospectives
• Our Slack channels
  • Manage:Authentication and Authorization #g_manage_auth
  • Daily standups #g_manage_auth_daily
• Issue boards
  • Access build board and refinement board