
Add 'Risk Rating' field to tasks created via advanced template
Closed, Resolved. Public

Description

As part of ramping up the Security-Team we want to keep actionables for assessment work/auditing inside of phabricator even for risk/governance/compliance. In negotiating this workflow it seems the only missing component for this to be achieved is a formal "risk" field.

Rather than create a new form at https://phabricator.wikimedia.org/transactions/editengine/maniphest.task/ my proposal is to add this field to the 'advanced' form at https://phabricator.wikimedia.org/transactions/editengine/maniphest.task/view/3/.

This form is already restricted to folks who are known quantities and I don't expect this to be a problem. I don't want to add 'risk' to the simplified public reporting security form as keeping that as simple as possible is the right idea. Open to whatever works but I think adding it to the existing and adjusting if that's an issue is probably the sanest approach.

The overview on risk management and risk rating is here https://office.wikimedia.org/wiki/Security_Policies/Risk_Management though that's behind the office wiki wall I know for the moment.

Event Timeline

chasemp created this task.

Change 460069 had a related patch set uploaded (by Rush; owner: cpettet):
[operations/puppet@production] phabricator: add risk rating to advanced creation form

https://gerrit.wikimedia.org/r/460069

Change 460069 merged by Rush:
[operations/puppet@production] phabricator: add risk rating to advanced creation form

https://gerrit.wikimedia.org/r/460069

Talked to @20after4 for a bit about this and we added it to the advanced form. Let's see how this works out.

@chasemp is it expected that this field will show up on non-security tasks like T204154?

@Legoktm: to avoid that we'd need to create a separate form which I think might be a better idea, I'm afraid people will be annoyed by the extra field. Note that it only shows up for some people (people who use the advanced form)

Not only annoyed (which I'm less worried about) but also people using "Risk" in situations where it's not helpful and it just ends up creating noise.

I went ahead and created https://phabricator.wikimedia.org/maniphest/task/edit/form/48/ which is an exact copy of form #3 with just that one extra field enabled ... it's a little annoying to maintain multiple forms but this will probably avoid some confusion.

re-opening so we can figure something out, totally down for risk rating not showing on regular advanced tasks. @20after4 and I are talking about doing a few things:

  1. Creating a task type 'security'
  2. Have due date and risk rating on the advanced form for creation
  3. Have a simple form for creation as the one that exist now

see if we like this

  4. convert existing open tasks we want to use the new task type?

Yeah, also noticed it at T135798, which is a pre-existing task that I made an edit on, which then silently recorded that I set "Risk Rating: N/A", which doesn't seem right.

At T204079#4579063 I renamed an existing ticket and was surprised to see a second action I did related to the Risk Rating.

Yes apologies, we reconsidered shortly after we added it to the default advanced edit form. We can look at cleaning up the couple outliers if it's an issue and for now we are looking at better ways to both have specific criteria for security/risk oriented tasks and leave existing things as unaffected as possible.

Hello. As I've stated on Conpherence the field is visible for all tasks at this moment. Was this the desired outcome or just a side-effect? Thanks.

Just note that now it looks like all tasks have a Details box with "Risk Rating: N/A", like in T204430.
Edit: yes it's the same as the previous comment.

@20after4 have any idea why it's still showing up? Oddly I do not see it

Krinkle renamed this task from "Add 'risk' field to tasks created via advanced template" to "Add 'Risk Rating' field to tasks created via advanced template". Sep 16 2018, 3:30 PM
Krinkle changed Risk Rating from N/A to default.

Case in point :)

@20after4 is the issue that the field is not hidden on an edit form even though it's hidden on creation forms? Let's sync up on this today if you have a minute

I created a task from the simple task form and it still shows up def

T204535: test persistence of risk rating which should not be present

Strange. I think that phab handles "select" lists in a weird way.

Yeah, seems like a bug... how can we stop this from showing up everywhere? Would T204160 resolve this?

@chasemp I don't think so. Maybe if it didn't have a default value assigned?

Ok I got rid of "default": "default" from the custom field definition, now submitting a task shouldn't set the value at all
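For readers who want to see what the fix above amounts to in configuration terms, here is an added illustration (not the task's own config, not the content of change 460069, and not Wikimedia's puppet code) of a Phabricator `maniphest.custom-field-definitions` entry for a `select` field, shown once with the problematic `"default"` key and once without it. The field keys `example.risk-with-default` / `example.risk-no-default` and the option key `na` are placeholders; the only values taken from this task are the option labels `N/A` and `default`, and the fact that the original definition carried `"default": "default"`.

```json
{
  "example.risk-with-default": {
    "name": "Risk Rating (problematic: carries a default)",
    "type": "select",
    "options": {
      "na": "N/A",
      "default": "default"
    },
    "default": "default",
    "caption": "With a default set, any form submission that does not expose the field still writes the default, so unrelated tasks silently gain a 'Risk Rating' transaction and a Details box."
  },
  "example.risk-no-default": {
    "name": "Risk Rating",
    "type": "select",
    "options": {
      "na": "N/A",
      "default": "default"
    },
    "caption": "Without a 'default' key the field stays unset until a form that actually exposes it (such as the dedicated security form) is submitted."
  }
}
```

A quick post-deploy check is the one the thread itself used: rename or otherwise edit a task created through a form that does not expose the field (as in T135798 and T204079 above) and confirm the transaction log shows only the intended edit, with no accompanying "changed Risk Rating" entry.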

Further work in T204160, where we determined we are moving forward with a task type trial.