Revert "Merge branch '273765-disallow-editing-project-level-mr-settings' into 'master'"

This reverts merge request !46637

doc/user/admin_area/merge_requests_approvals.md

@@ -5,29 +5,50 @@ info: To determine the technical writer assigned to the Stage/Group associated w
 type: reference, concepts
 ---
 
-# Merge request approval rules **(PREMIUM ONLY)**
+# Instance-level merge request approval rules **(PREMIUM ONLY)**
 
 > Introduced in [GitLab Premium](https://gitlab.com/gitlab-org/gitlab/-/issues/39060) 12.8.
 
-Merge request approval rules prevent users from overriding certain settings on the project
-level. When enabled at the instance level, these settings are no longer editable on the
-project level.
+Merge request approvals rules prevent users overriding certain settings on a project
+level. When configured, only administrators can change these settings on a project level
+if they are enabled at an instance level.
 
 To enable merge request approval rules for an instance:
 
 1. Navigate to **Admin Area >** **{push-rules}** **Push Rules** and expand **Merge
-requests approvals**.
+   requests approvals**.
 1. Set the required rule.
 1. Click **Save changes**.
 
+GitLab administrators can later override these settings in a project’s settings.
+
 ## Available rules
 
 Merge request approval rules that can be set at an instance level are:
 
 - **Prevent approval of merge requests by merge request author**. Prevents project
-maintainers from allowing request authors to merge their own merge requests.
+  maintainers from allowing request authors to merge their own merge requests.
 - **Prevent approval of merge requests by merge request committers**. Prevents project
-maintainers from allowing users to approve merge requests if they have submitted
-any commits to the source branch.
-- **Prevent users from modifying merge request approvers list**. Prevents users from
-modifying the approvers list in project settings or in individual merge requests.
+  maintainers from allowing users to approve merge requests if they have submitted
+  any commits to the source branch.
+- **Can override approvers and approvals required per merge request**. Allows project
+  maintainers to modify the approvers list in individual merge requests.
+
+## Scope rules to compliance-labeled projects
+
+> Introduced in [GitLab Premium](https://gitlab.com/groups/gitlab-org/-/epics/3432) 13.2.
+
+Merge request approval rules can be further scoped to specific compliance frameworks.
+
+When the compliance framework label is selected and the project is assigned the compliance
+label, the instance-level MR approval settings will take effect and the
+[project-level settings](../project/merge_requests/merge_request_approvals.md#adding--editing-a-default-approval-rule)
+is locked for modification.
+
+When the compliance framework label is not selected or the project is not assigned the
+compliance label, the project-level MR approval settings will take effect and the users with
+Maintainer role and above can modify these.
+
+| Instance-level | Project-level |
+| -------------- | ------------- |
+| ![Scope MR approval settings to compliance frameworks](img/scope_mr_approval_settings_v13_5.png) | ![MR approval settings on compliance projects](img/mr_approval_settings_compliance_project_v13_5.png) |

ee/app/controllers/ee/admin/application_settings_controller.rb

@@ -6,6 +6,8 @@ module EE
       extend ::Gitlab::Utils::Override
       extend ActiveSupport::Concern
 
+      include ::Admin::MergeRequestApprovalSettingsHelper
+
       prepended do
         before_action :elasticsearch_reindexing_task, only: [:general]
 
@@ -52,6 +54,10 @@ module EE
           attrs += EE::ApplicationSettingsHelper.merge_request_appovers_rules_attributes
         end
 
+        if show_compliance_merge_request_approval_settings?
+          attrs << { compliance_frameworks: [] }
+        end
+
         if ::Gitlab::Geo.license_allows? && ::Feature.enabled?(:maintenance_mode)
           attrs << :maintenance_mode
           attrs << :maintenance_mode_message

ee/app/controllers/ee/projects_controller.rb

@@ -129,7 +129,7 @@ module EE
         attrs << :merge_requests_disable_committers_approval
       end
 
-      if can?(current_user, :modify_approvers_rules, project)
+      if can?(current_user, :modify_overriding_approvers_per_merge_request_setting, project)
         attrs << :disable_overriding_approvers_per_merge_request
       end
 

ee/app/helpers/admin/merge_request_approval_settings_helper.rb

+# frozen_string_literal: true
+
+module Admin
+  module MergeRequestApprovalSettingsHelper
+    def show_compliance_merge_request_approval_settings?
+      License.feature_available?(:admin_merge_request_approvers_rules)
+    end
+  end
+end

ee/app/models/compliance_management/framework.rb

@@ -66,6 +66,12 @@ module ComplianceManagement
     validates :color, color: true, allow_blank: false, length: { maximum: 10 }
     validates :namespace_id, uniqueness: { scope: :name }
 
+    def merge_request_approval_rules_enforced?
+      return false unless default_framework_definition
+
+      ::Gitlab::CurrentSettings.current_application_settings.compliance_frameworks.include?(default_framework_definition.id)
+    end
+
     def default_framework_definition
       strong_memoize(:default_framework_definition) do
         DEFAULT_FRAMEWORKS.find { |framework| framework.name.eql?(name) }

ee/app/models/ee/project.rb

@@ -256,6 +256,12 @@ module EE
       end
     end
 
+    def has_regulated_settings?
+      strong_memoize(:has_regulated_settings) do
+        compliance_framework_setting&.compliance_management_framework&.merge_request_approval_rules_enforced?
+      end
+    end
+
     def can_store_security_reports?
       namespace.store_security_reports_available? || public?
     end
@@ -679,8 +685,9 @@ module EE
     def disable_overriding_approvers_per_merge_request
       strong_memoize(:disable_overriding_approvers_per_merge_request) do
         next super unless License.feature_available?(:admin_merge_request_approvers_rules)
+        next super unless has_regulated_settings?
 
-        ::Gitlab::CurrentSettings.disable_overriding_approvers_per_merge_request? || super
+        ::Gitlab::CurrentSettings.disable_overriding_approvers_per_merge_request?
       end
     end
     alias_method :disable_overriding_approvers_per_merge_request?, :disable_overriding_approvers_per_merge_request
@@ -688,9 +695,9 @@ module EE
     def merge_requests_author_approval
       strong_memoize(:merge_requests_author_approval) do
         next super unless License.feature_available?(:admin_merge_request_approvers_rules)
-        next false if ::Gitlab::CurrentSettings.prevent_merge_requests_author_approval?
+        next super unless has_regulated_settings?
 
-        super
+        !::Gitlab::CurrentSettings.prevent_merge_requests_author_approval?
       end
     end
     alias_method :merge_requests_author_approval?, :merge_requests_author_approval
@@ -698,8 +705,9 @@ module EE
     def merge_requests_disable_committers_approval
       strong_memoize(:merge_requests_disable_committers_approval) do
         next super unless License.feature_available?(:admin_merge_request_approvers_rules)
+        next super unless has_regulated_settings?
 
-        ::Gitlab::CurrentSettings.prevent_merge_requests_committers_approval? || super
+        ::Gitlab::CurrentSettings.prevent_merge_requests_committers_approval?
       end
     end
     alias_method :merge_requests_disable_committers_approval?, :merge_requests_disable_committers_approval

ee/app/policies/ee/project_policy.rb

@@ -33,22 +33,10 @@ module EE
         !PushRule.global&.commit_committer_check
       end
 
-      with_scope :global
-      condition(:locked_approvers_rules) do
-        License.feature_available?(:admin_merge_request_approvers_rules) &&
-          ::Gitlab::CurrentSettings.disable_overriding_approvers_per_merge_request
-      end
-
-      with_scope :global
-      condition(:locked_merge_request_author_setting) do
-        License.feature_available?(:admin_merge_request_approvers_rules) &&
-          ::Gitlab::CurrentSettings.prevent_merge_requests_author_approval
-      end
-
-      with_scope :global
-      condition(:locked_merge_request_committer_setting) do
+      with_scope :subject
+      condition(:regulated_merge_request_approval_settings) do
         License.feature_available?(:admin_merge_request_approvers_rules) &&
-          ::Gitlab::CurrentSettings.prevent_merge_requests_committers_approval
+          @subject.has_regulated_settings?
       end
 
       condition(:project_merge_request_analytics_available) do
@@ -238,6 +226,7 @@ module EE
         enable :admin_path_locks
         enable :update_approvers
         enable :modify_approvers_rules
+        enable :modify_overriding_approvers_per_merge_request_setting
         enable :modify_auto_fix_setting
         enable :modify_merge_request_author_setting
         enable :modify_merge_request_committer_setting
@@ -316,15 +305,9 @@ module EE
         prevent :read_project
       end
 
-      rule { locked_approvers_rules }.policy do
-        prevent :modify_approvers_rules
-      end
-
-      rule { locked_merge_request_author_setting }.policy do
+      rule { regulated_merge_request_approval_settings }.policy do
+        prevent :modify_overriding_approvers_per_merge_request_setting
         prevent :modify_merge_request_author_setting
-      end
-
-      rule { locked_merge_request_committer_setting }.policy do
         prevent :modify_merge_request_committer_setting
       end
 

ee/app/views/admin/push_rules/_merge_request_approvals.html.haml

@@ -6,7 +6,10 @@
     %button.btn.js-settings-toggle{ type: 'button' }
       = expanded_by_default? ? _('Collapse') : _('Expand')
     %p
-      = _('Settings to prevent self-approval across all projects in the instance. Only an administrator can modify these settings.')
+      - if show_compliance_merge_request_approval_settings?
+        = _('Regulate approvals by authors/committers, based on compliance frameworks. Can be changed only at the instance level.')
+      - else
+        = _('Settings to prevent self-approval across all projects in the instance. Only an administrator can modify these settings.')
 
   .settings-content
     %hr.clearfix.mt-0
@@ -16,4 +19,17 @@
 
       = render 'merge_request_approvals_fields', f: f
 
+      - if show_compliance_merge_request_approval_settings?
+        .sub-section
+          %h5
+            = _('Compliance frameworks')
+          .form-group
+            .form-text.text-muted.mb-2
+              = _('The above settings apply to all projects with the selected compliance framework(s).')
+
+            = f.collection_check_boxes(:compliance_frameworks, compliance_framework_checkboxes, :first, :last) do |b|
+              .form-check
+                = b.check_box(class: "form-check-input")
+                = b.label(class: "form-check-label")
+
       = f.submit _('Save changes'), class: "gl-button btn btn-success"

ee/app/views/admin/push_rules/_merge_request_approvals_fields.html.haml

@@ -9,6 +9,6 @@
       = f.label :prevent_merge_requests_committers_approval, class: 'form-check-label' do
         = _('Prevent approval of merge requests by merge request committers')
     .form-check
-      = f.check_box :disable_overriding_approvers_per_merge_request , class: 'form-check-input'
+      = f.check_box :disable_overriding_approvers_per_merge_request , { class: 'form-check-input' }, false, true
       = f.label :disable_overriding_approvers_per_merge_request , class: 'form-check-label' do
-        = _('Prevent users from modifying merge request approvers list')
+        = _('Can override approvers and approvals required per merge request')

ee/app/views/projects/_merge_request_approvals_settings_form.html.haml

+- can_modify_overriding_approvers_per_merge_request_settings = can?(current_user, :modify_overriding_approvers_per_merge_request_setting, @project)
 - can_modify_merge_request_author_settings = can?(current_user, :modify_merge_request_author_setting, @project)
 - can_modify_merge_request_committer_settings = can?(current_user, :modify_merge_request_committer_setting, @project)
 
@@ -21,7 +22,7 @@
 
 .form-group
   .form-check
-    = form.check_box(:disable_overriding_approvers_per_merge_request, { class: 'form-check-input', disabled: !can_modify_approvers }, false, true)
+    = form.check_box :disable_overriding_approvers_per_merge_request, { class: 'form-check-input', disabled: !can_modify_overriding_approvers_per_merge_request_settings }, false, true
     = form.label :disable_overriding_approvers_per_merge_request, class: 'form-check-label' do
       %span= _('Can override approvers and approvals required per merge request')
       = link_to sprite_icon('question-o'), help_page_path('user/project/merge_requests/merge_request_approvals', anchor: 'prevent-overriding-default-approvals'), target: '_blank'

ee/changelogs/unreleased/273765-disallow-editing-project-level-mr-settings.yml

----
-title: Disallow editing of project-level MR approval settings when enabled at the instance level
-merge_request: 46637
-author:
-type: changed

ee/lib/api/project_approvals.rb

@@ -15,7 +15,7 @@ module API
       def filter_params(params)
         params
           .then { |params| filter_forbidden_param(params, :modify_merge_request_committer_setting, :merge_requests_disable_committers_approval) }
-          .then { |params| filter_forbidden_param(params, :modify_approvers_rules, :disable_overriding_approvers_per_merge_request) }
+          .then { |params| filter_forbidden_param(params, :modify_overriding_approvers_per_merge_request_setting, :disable_overriding_approvers_per_merge_request) }
           .then { |params| filter_forbidden_param(params, :modify_merge_request_author_setting, :merge_requests_author_approval) }
       end
     end

ee/spec/controllers/admin/application_settings_controller_spec.rb

@@ -199,6 +199,13 @@ RSpec.describe Admin::ApplicationSettingsController do
       it_behaves_like 'settings for licensed features'
     end
 
+    context 'compliance frameworks' do
+      let(:settings) { { compliance_frameworks: [1, 2, 3, 4, 5] } }
+      let(:feature) { :admin_merge_request_approvers_rules }
+
+      it_behaves_like 'settings for licensed features'
+    end
+
     context 'required instance ci template' do
       let(:settings) { { required_instance_ci_template: 'Auto-DevOps' } }
       let(:feature) { :required_ci_templates }

ee/spec/controllers/projects_controller_spec.rb

@@ -424,17 +424,21 @@ RSpec.describe ProjectsController do
       shared_examples 'merge request approvers rules' do
         using RSpec::Parameterized::TableSyntax
 
-        where(:can_modify, :param_value, :final_value) do
-          true  | true  | true
-          true  | false | false
-          false | true  | nil
-          false | false | nil
+        where(:license_value, :setting_value, :param_value, :final_value) do
+          false | false | false | false
+          false | true  | false | false
+          false | false | true  | true
+          false | true  | true  | true
+          true  | false | false | false
+          true  | true  | false | false
+          true  | false | true  | true
+          true  | true  | true  | true
         end
 
         with_them do
           before do
-            allow(controller).to receive(:can?).and_call_original
-            allow(controller).to receive(:can?).with(user, rule_name, project).and_return(can_modify)
+            stub_licensed_features(admin_merge_request_approvers_rules: license_value)
+            stub_application_setting(app_setting => setting_value)
           end
 
           it 'updates project if needed' do
@@ -454,21 +458,21 @@ RSpec.describe ProjectsController do
 
       describe ':disable_overriding_approvers_per_merge_request' do
         it_behaves_like 'merge request approvers rules' do
-          let(:rule_name) { :modify_approvers_rules }
+          let(:app_setting) { :disable_overriding_approvers_per_merge_request }
           let(:setting) { :disable_overriding_approvers_per_merge_request }
         end
       end
 
       describe ':merge_requests_author_approval' do
         it_behaves_like 'merge request approvers rules' do
-          let(:rule_name) { :modify_merge_request_author_setting }
+          let(:app_setting) { :prevent_merge_requests_author_approval }
           let(:setting) { :merge_requests_author_approval }
         end
       end
 
       describe ':merge_requests_disable_committers_approval' do
         it_behaves_like 'merge request approvers rules' do
-          let(:rule_name) { :modify_merge_request_committer_setting }
+          let(:app_setting) { :prevent_merge_requests_committers_approval }
           let(:setting) { :merge_requests_disable_committers_approval }
         end
       end

ee/spec/features/admin/admin_merge_requests_approvals_spec.rb

@@ -5,9 +5,9 @@ require 'spec_helper'
 RSpec.describe 'Admin interacts with merge requests approvals settings' do
   include StubENV
 
-  let_it_be(:application_settings) { create(:application_setting) }
+  let_it_be(:hippa) { ComplianceManagement::Framework::DEFAULT_FRAMEWORKS_BY_IDENTIFIER[:hipaa] }
+  let_it_be(:application_settings) { create(:application_setting, compliance_frameworks: [hippa.id]) }
   let_it_be(:user) { create(:admin) }
-  let_it_be(:project) { create(:project, creator: user) }
 
   before do
     stub_env('IN_MEMORY_APPLICATION_SETTINGS', 'false')
@@ -17,27 +17,28 @@ RSpec.describe 'Admin interacts with merge requests approvals settings' do
     visit(admin_push_rule_path)
   end
 
-  it 'updates instance-level merge request approval settings and enforces project-level ones' do
+  it 'updates compliance frameworks' do
     page.within('.merge-request-approval-settings') do
-      check 'Prevent approval of merge requests by merge request author'
-      check 'Prevent approval of merge requests by merge request committers'
-      check 'Prevent users from modifying merge request approvers list'
+      check 'SOC 2'
       click_button('Save changes')
     end
 
     visit(admin_push_rule_path)
 
-    expect(find_field('Prevent approval of merge requests by merge request author')).to be_checked
-    expect(find_field('Prevent approval of merge requests by merge request committers')).to be_checked
-    expect(find_field('Prevent users from modifying merge request approvers list')).to be_checked
+    expect(page.find_field('SOC 2')).to be_checked
+  end
+
+  it 'unsets all compliance frameworks' do
+    checkbox_selector = 'input[name="application_setting[compliance_frameworks][]"]'
 
-    visit edit_project_path(project)
+    page.within('.merge-request-approval-settings') do
+      page.all(checkbox_selector).each { |checkbox| checkbox.set(false) }
 
-    page.within('#js-merge-request-approval-settings') do
-      expect(find('#project_merge_requests_author_approval')).to be_disabled.and be_checked
-      expect(find('#project_merge_requests_disable_committers_approval')).to be_disabled.and be_checked
-      expect(find('#project_disable_overriding_approvers_per_merge_request')).to be_disabled
-      expect(find('#project_disable_overriding_approvers_per_merge_request')).not_to be_checked
+      click_button('Save changes')
     end
+
+    visit(admin_push_rule_path)
+
+    expect(page.all(checkbox_selector).map(&:checked?)).to all(be_falsey)
   end
 end

ee/spec/helpers/admin/merge_request_approval_settings_helper_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Admin::MergeRequestApprovalSettingsHelper do
+  describe '#show_compliance_merge_request_approval_settings?' do
+    using RSpec::Parameterized::TableSyntax
+
+    subject { helper.show_compliance_merge_request_approval_settings? }
+
+    where(:licensed, :result) do
+      true  | true
+      false | false
+    end
+
+    with_them do
+      before do
+        stub_licensed_features(admin_merge_request_approvers_rules: licensed)
+      end
+
+      it { is_expected.to eq(result) }
+    end
+  end
+end

ee/spec/models/project_spec.rb

@@ -564,14 +564,14 @@ RSpec.describe Project do
 
   context 'merge requests related settings' do
     shared_examples 'setting modified by application setting' do
-      where(:feature_enabled, :app_setting, :project_setting, :final_setting) do
+      where(:app_setting, :project_setting, :regulated_settings, :final_setting) do
         true  | true  | true  | true
+        false | true  | true  | false
         true  | false | true  | true
+        false | false | true  | false
         true  | true  | false | true
+        false | true  | false | true
         true  | false | false | false
-        false | true  | true  | true
-        false | false | true  | true
-        false | true  | false | false
         false | false | false | false
       end
 
@@ -579,8 +579,9 @@ RSpec.describe Project do
         let(:project) { create(:project) }
 
         before do
-          stub_licensed_features(admin_merge_request_approvers_rules: feature_enabled)
+          stub_licensed_features(admin_merge_request_approvers_rules: true)
 
+          allow(project).to receive(:has_regulated_settings?).and_return(regulated_settings)
           stub_application_setting(application_setting => app_setting)
           project.update(setting => project_setting)
         end
@@ -594,6 +595,7 @@ RSpec.describe Project do
 
     describe '#disable_overriding_approvers_per_merge_request' do
       it_behaves_like 'setting modified by application setting' do
+        let(:feature) { :admin_merge_request_approvers_rules }
         let(:setting) { :disable_overriding_approvers_per_merge_request }
         let(:application_setting) { :disable_overriding_approvers_per_merge_request }
       end
@@ -601,23 +603,26 @@ RSpec.describe Project do
 
     describe '#merge_requests_disable_committers_approval' do
       it_behaves_like 'setting modified by application setting' do
+        let(:feature) { :admin_merge_request_approvers_rules }
         let(:setting) { :merge_requests_disable_committers_approval }
         let(:application_setting) { :prevent_merge_requests_committers_approval }
       end
     end
 
     describe '#merge_requests_author_approval' do
+      let(:project) { create(:project) }
+      let(:feature) { :admin_merge_request_approvers_rules }
       let(:setting) { :merge_requests_author_approval }
       let(:application_setting) { :prevent_merge_requests_author_approval }
 
-      where(:feature_enabled, :app_setting, :project_setting, :final_setting) do
+      where(:app_setting, :project_setting, :regulated_settings, :final_setting) do
         true  | true  | true  | false
-        true  | false | true  | true
-        true  | true  | false | false
-        true  | false | false | false
         false | true  | true  | true
+        true  | false | true  | false
         false | false | true  | true
-        false | true  | false | false
+        true  | true  | false | true
+        false | true  | false | true
+        true  | false | false | false
         false | false | false | false
       end
 
@@ -625,8 +630,9 @@ RSpec.describe Project do
         let(:project) { create(:project) }
 
         before do
-          stub_licensed_features(admin_merge_request_approvers_rules: feature_enabled)
+          stub_licensed_features(admin_merge_request_approvers_rules: true)
 
+          allow(project).to receive(:has_regulated_settings?).and_return(regulated_settings)
           stub_application_setting(application_setting => app_setting)
           project.update(setting => project_setting)
         end
@@ -639,6 +645,36 @@ RSpec.describe Project do
     end
   end
 
+  describe '#has_regulated_settings?' do
+    let(:gdpr_framework_definition) { ComplianceManagement::Framework::DEFAULT_FRAMEWORKS_BY_IDENTIFIER[:gdpr] }
+    let(:compliance_framework_setting) { build(:compliance_framework_project_setting, :gdpr) }
+    let(:project) { build(:project, compliance_framework_setting: compliance_framework_setting) }
+
+    subject { project.has_regulated_settings? }
+
+    context 'framework is regulated' do
+      before do
+        stub_application_setting(compliance_frameworks: [gdpr_framework_definition.id])
+      end
+
+      it { is_expected.to be_truthy }
+    end
+
+    context 'framework is not regulated' do
+      before do
+        stub_application_setting(compliance_frameworks: [])
+      end
+
+      it { is_expected.to be_falsey }
+    end
+
+    context 'project does not have compliance framework' do
+      let(:project) { build(:project) }
+
+      it { is_expected.to be_falsey }
+    end
+  end
+
   describe '#has_active_hooks?' do
     context "with group hooks" do
       let(:group) { create(:group) }

ee/spec/policies/project_policy_spec.rb

@@ -1195,13 +1195,13 @@ RSpec.describe ProjectPolicy do
     end
   end
 
-  shared_examples 'merge request approval settings' do
+  shared_examples 'regulated merge request approval settings' do
     let(:project) { private_project }
 
     using RSpec::Parameterized::TableSyntax
 
     context 'with merge request approvers rules available in license' do
-      where(:role, :setting, :admin_mode, :allowed) do
+      where(:role, :regulated_setting, :admin_mode, :allowed) do
         :guest      | true  | nil    | false
         :reporter   | true  | nil    | false
         :developer  | true  | nil    | false
@@ -1220,7 +1220,7 @@ RSpec.describe ProjectPolicy do
 
         before do
           stub_licensed_features(admin_merge_request_approvers_rules: true)
-          stub_application_setting(app_setting => setting)
+          allow(project).to receive(:has_regulated_settings?).and_return(regulated_setting)
           enable_admin_mode!(current_user) if admin_mode
         end
 
@@ -1229,7 +1229,7 @@ RSpec.describe ProjectPolicy do
     end
 
     context 'with merge request approvers rules not available in license' do
-      where(:role, :setting, :admin_mode, :allowed) do
+      where(:role, :regulated_setting, :admin_mode, :allowed) do
         :guest      | true  | nil    | false
         :reporter   | true  | nil    | false
         :developer  | true  | nil    | false
@@ -1248,7 +1248,7 @@ RSpec.describe ProjectPolicy do
 
         before do
           stub_licensed_features(admin_merge_request_approvers_rules: false)
-          stub_application_setting(app_setting => setting)
+          allow(project).to receive(:has_regulated_settings?).and_return(regulated_setting)
           enable_admin_mode!(current_user) if admin_mode
         end
 
@@ -1258,22 +1258,45 @@ RSpec.describe ProjectPolicy do
   end
 
   describe ':modify_approvers_rules' do
-    it_behaves_like 'merge request approval settings' do
-      let(:app_setting) { :disable_overriding_approvers_per_merge_request }
-      let(:policy) { :modify_approvers_rules }
+    let(:policy) { :modify_approvers_rules }
+
+    using RSpec::Parameterized::TableSyntax
+
+    where(:role, :admin_mode, :allowed) do
+      :guest      | nil    | false
+      :reporter   | nil    | false
+      :developer  | nil    | false
+      :maintainer | nil    | true
+      :owner      | nil    | true
+      :admin      | false  | false
+      :admin      | true   | true
+    end
+
+    with_them do
+      let(:current_user) { public_send(role) }
+
+      before do
+        enable_admin_mode!(current_user) if admin_mode
+      end
+
+      it { is_expected.to(allowed ? be_allowed(policy) : be_disallowed(policy)) }
+    end
+  end
+
+  describe ':modify_overriding_approvers_per_merge_request_setting' do
+    it_behaves_like 'regulated merge request approval settings' do
+      let(:policy) { :modify_overriding_approvers_per_merge_request_setting }
     end
   end
 
   describe ':modify_merge_request_author_setting' do
-    it_behaves_like 'merge request approval settings' do
-      let(:app_setting) { :prevent_merge_requests_author_approval }
+    it_behaves_like 'regulated merge request approval settings' do
       let(:policy) { :modify_merge_request_author_setting }
     end
   end
 
   describe ':modify_merge_request_committer_setting' do
-    it_behaves_like 'merge request approval settings' do
-      let(:app_setting) { :prevent_merge_requests_committers_approval }
+    it_behaves_like 'regulated merge request approval settings' do
       let(:policy) { :modify_merge_request_committer_setting }
     end
   end

ee/spec/requests/api/project_approvals_spec.rb

@@ -144,7 +144,7 @@ RSpec.describe API::ProjectApprovals do
       context 'updates merge requests settings' do
         it_behaves_like 'updates merge requests settings when possible' do
           let(:current_user) { admin }
-          let(:permission) { :modify_approvers_rules }
+          let(:permission) { :modify_overriding_approvers_per_merge_request_setting }
           let(:setting) { :disable_overriding_approvers_per_merge_request }
         end
 

ee/spec/views/admin/push_rules/_merge_request_approvals.html.haml_spec.rb

@@ -11,10 +11,35 @@ RSpec.describe 'admin/push_rules/_merge_request_approvals' do
     stub_licensed_features(admin_merge_request_approvers_rules: true)
   end
 
-  it 'shows settings form', :aggregate_failures do
+  it 'shows settings form' do
     render
 
     expect(rendered).to have_content('Merge requests approvals')
-    expect(rendered).to have_content('Settings to prevent self-approval across all projects')
+  end
+
+  context 'when show compliance merge request approval settings' do
+    before do
+      allow(view).to receive(:show_compliance_merge_request_approval_settings?).and_return(true)
+    end
+
+    it 'shows compliance framework content', :aggregate_failures do
+      render
+
+      expect(rendered).to have_content('Regulate approvals by authors/committers')
+      expect(rendered).to have_content('Compliance frameworks')
+    end
+  end
+
+  context 'when not show compliance merge request approval settings' do
+    before do
+      allow(view).to receive(:show_compliance_merge_request_approval_settings?).and_return(false)
+    end
+
+    it 'shows non-compliance framework content', :aggregate_failures do
+      render
+
+      expect(rendered).to have_content('Settings to prevent self-approval across all projects')
+      expect(rendered).not_to have_content('Compliance frameworks')
+    end
   end
 end

locale/gitlab.pot

@@ -6951,6 +6951,9 @@ msgstr ""
 msgid "Compliance framework (optional)"
 msgstr ""
 
+msgid "Compliance frameworks"
+msgstr ""
+
 msgid "ComplianceDashboard|created by:"
 msgstr ""
 
@@ -20335,9 +20338,6 @@ msgstr ""
 msgid "Prevent users from changing their profile name"
 msgstr ""
 
-msgid "Prevent users from modifying merge request approvers list"
-msgstr ""
-
 msgid "Prevent users from performing write operations on GitLab while performing maintenance."
 msgstr ""
 
@@ -22251,6 +22251,9 @@ msgstr ""
 msgid "Registry setup"
 msgstr ""
 
+msgid "Regulate approvals by authors/committers, based on compliance frameworks. Can be changed only at the instance level."
+msgstr ""
+
 msgid "Reindexing status"
 msgstr ""
 
@@ -26664,6 +26667,9 @@ msgstr ""
 msgid "The X509 Certificate to use when mutual TLS is required to communicate with the external authorization service. If left blank, the server certificate is still validated when accessing over HTTPS."
 msgstr ""
 
+msgid "The above settings apply to all projects with the selected compliance framework(s)."
+msgstr ""
+
 msgid "The application will be used where the client secret can be kept confidential. Native mobile apps and Single Page Apps are considered non-confidential."
 msgstr ""