Page MenuHomePhabricator
Create Task
Maniphest T277223

Add a new user-group for WMF staff accounts
Closed, DeclinedPublic
Actions

Description

Motivation

Recently while working on MediaWiki-extensions-SecurePoll, AHT encountered a use-case which can best be fulfilled by having a user-group that includes all staff accounts. More context for the specific issue in T180762#6842624. I can imagine there are other times when there are WMF-staff-specific use cases for product teams which are currently difficult to fulfill.
This task is to create a user-group for all WMF staff accounts and have a way to keep the group up-to-date with new account creations.

Note that there is an existing user-group called staff which serves a different purpose. In the interest of time, we should make this new user group be staff-all or something to avoid a renaming process for the old user-group first.

Related Objects

Event Timeline

Niharika triaged this task as Medium priority.Mar 11 2021, 7:49 PM
Niharika created this task.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 11 2021, 7:49 PM
Nahid subscribed.Mar 11 2021, 8:24 PM
Reedy added a project: Wikimedia-Site-requests.Mar 11 2021, 8:51 PM
Reedy subscribed.

Tagging Wikimedia-Site-requests; while we might not want to force 2FA, we probably want to make sure we hold these accounts to higher password policies etc.

Zabe subscribed.Mar 11 2021, 9:24 PM

What permissions should this group have? The same as the staff group?

taavi moved this task from Backlog to Analysis / under discussion on the Wikimedia-Site-requests board.Mar 11 2021, 9:28 PM
taavi subscribed.
In T277223#6906664, @Zabe wrote:

What permissions should this group have? The same as the staff group?

Please don't process this from a site request perspective yet, the exact details are not yet known

Zabe added a comment.Mar 11 2021, 9:31 PM
In T277223#6906695, @Majavah wrote:
In T277223#6906664, @Zabe wrote:

What permissions should this group have? The same as the staff group?

Please don't process this from a site request perspective yet, the exact details are not yet known

Ok, sorry, I was just confused.

Reedy added a project: WikimediaMessages.Mar 11 2021, 9:45 PM

Also, it would be created/modified via https://meta.wikimedia.org/wiki/Special:GlobalGroupPermissions rather than "just" in IS/CS

Urbanecm subscribed.Mar 11 2021, 10:09 PM

Note that global groups can currently be maintained only by stewards. Creating a global group for all staff members would need some code in CentralAuth to let ITS to grant only this group globally. A local group would work, but I don't see much use in that.

@Niharika Why don't you just query for all unlocked accounts that end with (WMF)?

jrbs subscribed.Mar 12 2021, 5:27 AM
In T277223#6906664, @Zabe wrote:

What permissions should this group have? The same as the staff group?

My understanding is that there would be no additional rights assigned to this group, it would essentially function as a label or a category. However...

In T277223#6906517, @Reedy wrote:

Tagging Wikimedia-Site-requests; while we might not want to force 2FA, we probably want to make sure we hold these accounts to higher password policies etc.

Yep, I think this is a great point, though I imagine "WMF" accounts are already pretty juicy from an attacker's perspective

In T277223#6906851, @Urbanecm wrote:

@Niharika Why don't you just query for all unlocked accounts that end with (WMF)?

Not all staff accounts end with (WMF) (e.g. User:GVarnum-WMF).

JEumerus subscribed.Mar 12 2021, 8:04 AM

Seems like you may want to simply query for not locked+"WMF" and manually clean the resulting list from false positives.

Urbanecm added a comment.Mar 12 2021, 12:36 PM
In T277223#6907432, @jrbs wrote:
In T277223#6906664, @Zabe wrote:

What permissions should this group have? The same as the staff group?

My understanding is that there would be no additional rights assigned to this group, it would essentially function as a label or a category. However...

Note that from site requests perspective, it's not clear where exactly should this group live. It can be marked as privileged group through, so it has oathauth-enable + stricter password policies.

In T277223#6906517, @Reedy wrote:

Tagging Wikimedia-Site-requests; while we might not want to force 2FA, we probably want to make sure we hold these accounts to higher password policies etc.

Yep, I think this is a great point, though I imagine "WMF" accounts are already pretty juicy from an attacker's perspective

In T277223#6906851, @Urbanecm wrote:

@Niharika Why don't you just query for all unlocked accounts that end with (WMF)?

Not all staff accounts end with (WMF) (e.g. User:GVarnum-WMF).

You can query for WMF anywhere in the account + unlocked. It will allow special accounts like "WMFOffice" to vote, but then we can trust the account holders to not abuse this "permission", and scrutineers to notice that happened.

drochford subscribed.Apr 8 2021, 5:15 PM
Tchanders mentioned this in T295017: Display ipinfo log lines on Special:Log.Feb 2 2022, 6:49 PM
Xeno_WMF subscribed.Sep 7 2022, 7:31 PM
Frostly subscribed.Feb 13 2023, 6:37 AM
MarcoAurelio subscribed.Apr 4 2023, 4:12 PM
Multichill subscribed.Jun 1 2023, 4:23 PM

This task looks stale to me. Can it be closed?

taavi closed this task as Declined.Jun 1 2023, 4:29 PM

Yeah, let's close this for now, there doesn't seem to be a current need for this. Please create a new ticket if there is a new use case plus interest from the Foundation to implement this.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits