
Add a new user-group for WMF staff accounts
Open, Medium, Public

Description

Motivation

Recently while working on MediaWiki-extensions-SecurePoll, AHT encountered a use-case which can best be fulfilled by having a user-group that includes all staff accounts. More context for the specific issue in T180762#6842624. I can imagine there are other times when there are WMF-staff-specific use cases for product teams which are currently difficult to fulfill.
This task is to create a user-group for all WMF staff accounts and have a way to keep the group up-to-date with new account creations.

Note that there is an existing user-group called staff which serves a different purpose. In the interest of time, we should make this new user group be staff-all or something to avoid a renaming process for the old user-group first.

Event Timeline

Niharika created this task.
Reedy added a subscriber: Reedy.

Tagging Wikimedia-Site-requests; while we might not want to force 2FA, we probably want to make sure we hold these accounts to higher password policies etc.

What permissions should this group have? The same as the staff group?

Majavah added a subscriber: Majavah.

> What permissions should this group have? The same as the staff group?

Please don't process this from a site request perspective yet, the exact details are not yet known

>> What permissions should this group have? The same as the staff group?

> Please don't process this from a site request perspective yet, the exact details are not yet known

Ok, sorry, I was just confused.

Note that global groups can currently be maintained only by stewards. Creating a global group for all staff members would need some code in CentralAuth to let ITS grant only this group globally. A local group would work, but I don't see much use in that.

@Niharika Why don't you just query for all unlocked accounts that end with (WMF)?

> What permissions should this group have? The same as the staff group?

My understanding is that there would be no additional rights assigned to this group, it would essentially function as a label or a category. However...

> Tagging Wikimedia-Site-requests; while we might not want to force 2FA, we probably want to make sure we hold these accounts to higher password policies etc.

Yep, I think this is a great point, though I imagine "WMF" accounts are already pretty juicy from an attacker's perspective

> @Niharika Why don't you just query for all unlocked accounts that end with (WMF)?

Not all staff accounts end with (WMF) (e.g. User:GVarnum-WMF).

Seems like you may want to simply query for not locked+"WMF" and manually clean the resulting list from false positives.

>> What permissions should this group have? The same as the staff group?

> My understanding is that there would be no additional rights assigned to this group, it would essentially function as a label or a category. However...

Note that from a site requests perspective, it's not clear where exactly this group should live. It can be marked as a privileged group though, so it has oathauth-enable + stricter password policies.
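As an added illustration (not code from this task or from Wikimedia's configuration repository), this is how a local group of this kind could be declared in a MediaWiki LocalSettings.php so that it carries no extra rights but gets the privileged-group treatment described above; the group name comes from the task, the policy values are assumptions:

```php
<?php
// Added example, not from the task or from Wikimedia's mediawiki-config.
// Defines a local "staff-all" group that acts as a label only, while still
// being treated as a privileged group (2FA available, stricter passwords).

// Declaring the group with an empty permission set is enough for MediaWiki
// to recognise it; members get nothing beyond what their other groups grant.
$wgGroupPermissions['staff-all'] = [];

// Let members enrol in two-factor authentication (OATHAuth extension).
// This only makes 2FA available; listing the group in
// $wgOATHRequiredForGroups would make it mandatory, which the thread
// explicitly does not want yet.
$wgGroupPermissions['staff-all']['oathauth-enable'] = true;

// Stricter password policy for the group. MediaWiki combines the policies
// of all groups a user belongs to by taking the strictest value, so this
// can only tighten the rules for staff accounts. Values are assumptions.
$wgPasswordPolicy['policies']['staff-all'] = [
    'MinimalPasswordLength'               => 10,
    'MinimumPasswordLengthToLogin'        => 1,
    'PasswordCannotMatchUsername'         => true,
    'PasswordCannotBeSubstringInUsername' => true,
    'PasswordCannotMatchDefaults'         => true,
    'PasswordNotInCommonList'             => true,
];
```

Because the group confers no rights of its own, its value as a label is only as good as the membership list, so whoever grants it should verify the account is a real staff account rather than relying on the username pattern alone.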

>> Tagging Wikimedia-Site-requests; while we might not want to force 2FA, we probably want to make sure we hold these accounts to higher password policies etc.

> Yep, I think this is a great point, though I imagine "WMF" accounts are already pretty juicy from an attacker's perspective

>> @Niharika Why don't you just query for all unlocked accounts that end with (WMF)?

> Not all staff accounts end with (WMF) (e.g. User:GVarnum-WMF).

You can query for WMF anywhere in the account + unlocked. It will allow special accounts like "WMFOffice" to vote, but then we can trust the account holders to not abuse this "permission", and scrutineers to notice that happened.