Add VIEW_POLICY_VIOLATION Permission · Issue #1433 · DependencyTrack/dependency-track · GitHub
Add VIEW_POLICY_VIOLATION Permission #1433

Closed

Description

Current Behavior:

Via the "Policy Violations" column added to the Projects page in v4.4.0 (and the stats displayed via mouse-over on the column), users can see violation counts and a breakdown by Type and Violation State.

There is no way to see what the actual violations are without having the POLICY_VIOLATION_ANALYSIS permission. This "Provides the ability to make analysis decisions on policy violations".

This means that it is not currently possible to restrict users to viewing policy violation details, and the associated audit trail, without also allowing them to (say) reject a violation. To illustrate why this is a problem: one might want a developer to know that a specific component is in violation of a license policy, but not allow them to reject the finding.

Proposed Behavior:

Add a new VIEW_POLICY_VIOLATION permission that provides access to the "Projects Violations" tab for each project, but in view-only mode.

In other words, this permission would do for policy violations what was implemented in 4.4.0 by VIEW_VULNERABILITY for vulnerabilities.
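The read/write split the issue asks for, as an added example (not Dependency-Track code): the `permission_required` decorator, the endpoint functions and the in-memory dicts are stand-ins for the project's JAX-RS resources. Read endpoints accept either permission, while the analysis endpoint accepts only POLICY_VIOLATION_ANALYSIS, so a holder of the proposed VIEW_POLICY_VIOLATION can see violations and their audit trail but cannot reject one.

```python
"""Least-privilege model of the permission split proposed in this issue. Added example,
not Dependency-Track code: decorator, endpoints and dicts stand in for the JAX-RS resources."""
from collections import namedtuple
from functools import wraps

POLICY_VIOLATION_ANALYSIS = "POLICY_VIOLATION_ANALYSIS"  # existing permission
VIEW_POLICY_VIOLATION = "VIEW_POLICY_VIOLATION"          # proposed, view-only
Principal = namedtuple("Principal", "name permissions")  # permissions: set of names

class Forbidden(Exception):
    """Caller holds none of the permissions the endpoint accepts."""

def permission_required(*accepted: str):
    """Allow the call if the principal holds ANY of the accepted permissions."""
    def decorate(fn):
        @wraps(fn)
        def guarded(principal, *args, **kwargs):
            if set(principal.permissions).isdisjoint(accepted):
                raise Forbidden(f"{principal.name}: {fn.__name__} needs one of {accepted}")
            return fn(principal, *args, **kwargs)
        return guarded
    return decorate

def is_allowed(endpoint, principal, *args) -> bool:
    try:
        endpoint(principal, *args)
        return True
    except Forbidden:
        return False

# Constructed sample data: one license violation and its (empty) audit trail.
VIOLATIONS = {"v1": {"type": "LICENSE", "state": "FAIL", "component": "foo-lib 1.2.3", "suppressed": False}}
AUDIT_TRAIL = {"v1": []}

# Read endpoints list both roles: the analyst and the proposed view-only role.
@permission_required(VIEW_POLICY_VIOLATION, POLICY_VIOLATION_ANALYSIS)
def get_violations(principal) -> list:
    return list(VIOLATIONS.values())

@permission_required(VIEW_POLICY_VIOLATION, POLICY_VIOLATION_ANALYSIS)
def get_audit_trail(principal, violation_id) -> list:
    return list(AUDIT_TRAIL[violation_id])

# Write endpoint lists only the analysis permission: view-only users cannot reject.
@permission_required(POLICY_VIOLATION_ANALYSIS)
def record_analysis(principal, violation_id, state, comment) -> dict:
    violation = VIOLATIONS[violation_id]
    violation["suppressed"] = state == "REJECTED"
    AUDIT_TRAIL[violation_id].append({"by": principal.name, "state": state, "comment": comment})
    return violation
```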

Labels

enhancement (New feature or request), p2 (Non-critical bugs, and features that help organizations to identify and reduce risk), pending release