See https://gitlab.wikimedia.org/toolforge-repos/phab-ban/-/blob/main/app.py?ref_type=heads#L207, it only check whether the user is in #acl_userdisable. I proposed that Phabricator admins should also has access. Why? see the next section.
And my second proposal (not technical-related, and this is why this task is tagged #phabricator for discussion): Phabricator admins should **not** disable accounts in Phabricator directly - instead, Phabricator admins should also use this tool to disable account. Currently there are several ways to disable the account:
1. For Phabricator admins only: they has permission to directly disable an account in Phabricator (but I propose they not to use it, see below).
2. For user in #acl_userdisable: disable an account using that tool
3. (future, see T338384) For stewards (and staff): globally lock an account the linked account will (currently not) be disabled in Phab
4. For Wikitech admin: disable a LDAP account and the linked account will be disabled in Phab
| Method | Provides public log?| Provides reason?
| ---------|-----------|---------
| 1|Yes but in a very obscure place, and no global log is available for non-admin|No (see T102576)
| 2|Yes|No (see T359211)
| 3|Yes|Yes
| 4|Yes, but unclear in future (once we does not use Wikitech to manage LDAP)|Yes, but unclear in future
As we can see the option 1 is the least transparent, so a simple solution is not to use it manually at all (though it is still used by PhabBanBot).
Currently there are accounts disabled directly, but I don't know who disabled it and it's not clear who to contact if the user want to appeal the block.