Page MenuHomePhabricator

#Security access for Urbanecm
Closed, ResolvedPublic

Description

Requester: @Urbanecm

Reason: High-volume developer and deployer.

Supporting items: Already in Trusted-Contributors, already has deployment (T192830) and should have Foundation NDA from that, already has Phab MFA enabled (confirmed by @Aklapper)

Event Timeline

sbassett triaged this task as Medium priority.Jul 8 2019, 2:31 PM

@sbassett: Assuming this is about access to Phabricator tasks, where do these prerequisites come from? Cannot see them on https://www.mediawiki.org/wiki/Security/SOP/Access_to_Phabricator_Security_Issues . For completeness, that page also says that 2FA is required. [Which is the case for @Urbanecm](https://phabricator.wikimedia.org/people/query/4CEYw.FUpDWW/#R).

@Aklapper: The page you linked says "Sign a volunteer non-disclosure agreement or a WMF employee non-disclosure agreement". Since I'm a deployer, I already have an NDA, which means this prerequisite is fine. Don't know why Trusted-Contributors was mentioned through :).

@Aklapper - they're just some standard (undocumented) items the Security-Team looks for as supporting evidence for item 5, specifically "the reason(s) you need access to private Security issues in Wikimedia Phabricator."

@sbassett: Ah. Please add 'check that the Phab account has MFA set up' to those undocumented items. ;)

sbassett changed the task status from Open to Stalled.Jul 9 2019, 4:38 PM

Waiting on "official" decision from Security-Team. Hope to have later today or tomorrow.

sbassett changed the task status from Stalled to Open.Jul 10 2019, 3:35 PM
sbassett added a subscriber: chasemp.

Approved by the Security-Team and @JBennett. I'd add them, but I don't have the privs for Security, so a Phab admin will need to as @Reedy and @chasemp are technically away on leave right now.

Approved by the Security-Team and @JBennett. I'd add them, but I don't have the privs for Security, so a Phab admin will need to as @Reedy and @chasemp are technically away on leave right now.

Technically, @JBennett should have the privs to do this too. But this can wait, just informing :)