
Implementation of request flow
Open, Medium, Public

Description

Users must be able to request new permissions via the IDM.

Permissions are defined in YAML rather than as database objects. This keeps rule definitions inside our standard Puppet CR/review flow, so that every new rule is checked manually before deployment; without that check, a malicious actor could add a rule that elevates their own permissions.

Initial guidelines for the YAML format, as suggested by @MoritzMuehlenhoff:
Every approval could consist of the following attributes (pseudo YAML):

access_name: string, required
approvals: (optional)
  approval_id:
    approvers: list of user references (optional)
    required_approvers: integer (optional)
required_attributes: (optional)
  condition1
  condition(..)
prompt_complete: string (optional)
prompt_incomplete: string (optional)

Each access would need either approvals or required_attributes set. If both are set, both need to be fulfilled.

And I think with this scheme we wouldn't even need the auto approval flag anymore? Bitu could simply evaluate whether the conditions are satisfied and proceed if fulfilled, and otherwise prompt a note about which additional steps are pending?

From a high level view this would allow us to express pretty much all approvals, but without tying them to code, e.g.:

(I'm assuming here that NDAs are tracked in LDAP, which isn't the case, but to not overcomplicate the example):
access_name: Hadoop access
approvals:
  de_managers:
    approvers: manager1, manager2
    required_approvers: 1
required_attributes: ldap.user_attribute.nda_approved=True
prompt_incomplete: f"Your request is in progress requiring signoff by {$approvals}"

access_name: Hadoop admin access
approvals:
  cto:
    approvers: cto1
    required_approvers: 1
required_attributes: ldap.user_attribute.nda_approved=True
prompt_incomplete: f"Your request is in progress requiring signoff by {$approvals}"

access_name: Phabricator WMF-NDA access
required_attributes:
  ldap.user_attribute.email.endswith("wikimedia.org")
prompt_incomplete: "This access is only available for anyone with a confirmed @wikimedia.org email address"

access_name: WMDE Hadoop access
approvals:
  wmde_managers:
    approvers: manager3, manager4, manager5
    required_approvers: 1
  de_managers:
    approvers: manager1, manager2
    required_approvers: 1
required_attributes:
  ldap.user_attribute.email.endswith("wikimedia.de")
prompt_incomplete: "This access is only available for anyone with a confirmed @wikimedia.de email address and has pending approval"

The final format is documented using Sphinx and is part of the source code.
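The following is an added Python sketch of how the scheme above could be evaluated; it is example code, not Bitu's implementation. It assumes the rule has already been loaded from YAML into a dict with approvers as a list, `required_approvers` defaulting to 1, and a `{approvals}` placeholder in place of the f-string notation; the conditions are matched against a fixed grammar rather than passed to `eval()`, so a reviewed rule file can never become code execution.

```python
import re

# Constructed rule in the shape sketched above (assumption: approvers as a YAML
# list and a {approvals} placeholder instead of the f-string notation).
HADOOP_RULE = {
    "access_name": "Hadoop access",
    "approvals": {
        "de_managers": {"approvers": ["manager1", "manager2"], "required_approvers": 1},
    },
    "required_attributes": ["ldap.user_attribute.nda_approved=True"],
    "prompt_incomplete": "Your request is in progress requiring signoff by {approvals}",
}

# Only two condition shapes are recognised; anything else is rejected instead of
# being eval()'d, so a rule file can never turn into code execution.
_EQ = re.compile(r"^ldap\.user_attribute\.(\w+)=(.+)$")
_ENDSWITH = re.compile(r'^ldap\.user_attribute\.(\w+)\.endswith\("([^"]*)"\)$')

def condition_holds(cond: str, attrs: dict) -> bool:
    if m := _EQ.match(cond):
        return str(attrs.get(m.group(1))) == m.group(2)
    if m := _ENDSWITH.match(cond):
        return str(attrs.get(m.group(1), "")).endswith(m.group(2))
    raise ValueError(f"unsupported condition: {cond!r}")

def validate(rule: dict) -> list:
    """Review-time checks: every access needs approvals or required_attributes,
    and a group must not demand more signoffs than it has approvers."""
    problems = []
    if not rule.get("approvals") and not rule.get("required_attributes"):
        problems.append("neither approvals nor required_attributes set")
    for group, spec in rule.get("approvals", {}).items():
        if spec.get("required_approvers", 1) > len(spec["approvers"]):
            problems.append(f"{group}: required_approvers exceeds approver count")
    return problems

def evaluate(rule: dict, attrs: dict, signed_off: set) -> dict:
    """attrs: the requester's LDAP attributes; signed_off: users who approved."""
    unmet = [c for c in rule.get("required_attributes", []) if not condition_holds(c, attrs)]
    pending = []
    for group, spec in rule.get("approvals", {}).items():
        # Only signoffs from approvers listed for the group count towards it.
        have = len(set(spec["approvers"]) & signed_off)
        if have < spec.get("required_approvers", 1):  # assumed default of 1
            pending.append(group)
    granted = not unmet and not pending
    message = "Access granted" if granted else rule["prompt_incomplete"].format(
        approvals=", ".join(pending) or "nobody")
    return {"granted": granted, "unmet": unmet, "pending": pending, "message": message}
```

Both `approvals` and `required_attributes` must be satisfied when both are present, so a manager signoff alone does not grant access to a requester whose NDA attribute is unset.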