Add ldap/wmde Wikidata/Wikibase engineers, PMs & EMs to WMF-NDA phabricator group
Closed, Resolved, Public

Description

Add everyone in LDAP/wmde (that has signed NDAs) to the WMF-NDA group.
This should be all members of the group as they have all signed NDAs as part of the process to get added to the ldap/wmde group in the first place.

https://ldap.toolforge.org/group/wmde

Phab accounts linked or corrected since writing this ticket

None

Phab accounts linked since writing this ticket and thus added to the group

Connected to phab at time of writing this task and thus added to the group

Already correct at time of writing this task

Event Timeline

I was not aware of this restriction existing. As described, as the listed people have signed the required NDAs - as instructed in some past requests, I'll let the relevant WMF staff member pull in WMF legal for confirmation should that be required. As an Engineering Manager at WMDE I hereby confirm that all listed individuals are WMDE staff, and they should gain the requested access.

I am not aware of any reason why WMDE engineering staff should not have access to restricted tasks (not being in the group, I do not know the nature of those tasks).

As for the description of the intended process

New members must never be added without a verified NDA by someone who knows what they are doing.

I'd like to make adding the user account of the WMDE engineering staff member a part of WMDE onboarding. If I should discuss and agree on some adjustment to the process so that it is clear to those "who know what they are doing" that WMDE staff should be added to the said group as soon as they get their NDA with the WMF signed, I'd appreciate a pointer to who would be a responsible manager at WMF side.

I'd like to make adding the user account of the WMDE engineering staff member a part of WMDE onboarding.

I'll second expressing that I'd like to see adding (WMDE, WMF) staff user accounts as members of the Phab ACL project WMF-NDA as part of onboarding processes. (On a related note, a similar conversation for WMF folks could be found at non-public https://office.wikimedia.org/wiki/Topic:Uzkfzggw5kvpirzm .)

For a potential future process, it might require to connect each Phab account to both a SUL and an LDAP account, with the LDAP account using a @wikimedia.de email address, for verification? I'm not sure what would be most feasible here, just sharing my limited understanding.

Giving a heads-up to @RStallman-legalteam who seems to be involved in handling NDA related stuff.

Checking which LDAP accounts listed above are linked to Phab accounts (as you could also link SUL accounts only which would not allow verification), I get eight results:

mysql:phstats@m3-slave.eqiad.wmnet [phabricator_maniphest]> SELECT u.userName AS phabUsername, ue.username AS ldapUsername
    FROM phabricator_user.user_externalaccount ue
    INNER JOIN phabricator_user.user u
    WHERE ue.accountType = "ldap"
      AND ue.userPHID = u.phid
      AND u.isSystemAgent = 0
      AND u.isDisabled = 0
      AND (ue.username = "Conny Kawohl"
        OR ue.username = "Dat Nguyen"
        OR ue.username = "Monica Pinedo"
        OR ue.username = "Dan Shick"
        OR ue.username = "GoranSMilovanovic"
        OR ue.username = "Guergana Tzatchkova"
        OR ue.username = "Itamar Givon"
        OR ue.username = "Jakob"
        OR ue.username = "Kara Payne"
        OR ue.username = "Lea Voget (WMDE)"
        OR ue.username = "Lydia Pintscher"
        OR ue.username = "Lucas Werkmeister (WMDE)"
        OR ue.username = "Manuel Merz (WMDE)"
        OR ue.username = "Michael Große"
        OR ue.username = "Noa wmde"
        OR ue.username = "Rosalie Perside (WMDE)"
        OR ue.username = "Silvan Heintze"
        OR ue.username = "Tarrow"
        OR ue.username = "Tobias Andersson"
        OR ue.username = "Tonina Zhelyazkova"
        OR ue.username = "WMDE-leszek");
+------------------------+--------------------------+
| phabUsername           | ldapUsername             |
+------------------------+--------------------------+
| Tarrow                 | Tarrow                   |
| WMDE-leszek            | WMDE-leszek              |
| GoranSMilovanovic      | GoranSMilovanovic        |
| Lucas_Werkmeister_WMDE | Lucas Werkmeister (WMDE) |
| Michael                | Michael Große            |
| darthmon_wmde          | Monica Pinedo            |
| danshick-wmde          | Dan Shick                |
| Manuel                 | Manuel Merz (WMDE)       |
+------------------------+--------------------------+
8 rows in set (0.028 sec)

Only slightly related, please do split to a separate ticket if someone is interested in deactivating inactive WMDE Phab accounts!:
It is also possible to query for Phab accounts that have a @wikimedia.de email address set for their Phab accounts. (Which does not allow checking for an NDA being in place, obviously.) We have 124 non-deactivated Phab accounts with a @wikimedia.de address currently. Some of them might not be WMDE staff/contractors anymore so both their Phab and SUL accounts could potentially be disabled, and I am not in a position to judge this (totally random example: chrp not active for 21 months).

Note to myself: DB query would be
SELECT CONCAT("https://phabricator.wikimedia.org/p/", u.userName) AS phabUsername, uea.address AS emailAddress
    FROM phabricator_user.user_email uea
    INNER JOIN phabricator_user.user u
    WHERE uea.address LIKE "%wikimedia.de"
      AND uea.userPHID = u.phid
      AND u.isSystemAgent = 0
      AND u.isDisabled = 0;

@Aklapper thanks for pointing out the Phabricator account topic. I'd happily take this on, closer to the weekend. Would it be possible that you send me the list of Phabricator accounts with wikimedia.de email addresses off-phabricator somehow? I'll review it and request deactivating the ones which are of no longer WMDE staff members. E.g. the "chrp" account would be included in that request, the person does not work with WMDE since those 21 months indeed.

@WMDE-leszek: Yay! I've posted that list in non-public P17242

Is there a way we can move this one forward with the existing set of people, all of which have signed NDAs?

@Addshore: Sorry, was off for a while. I added the 8 folks listed in T290414#7335427 by verifying that they are listed on https://ldap.toolforge.org/group/nda , and updated the task description.

Action required: For the remaining 13 folks, it would be best for me if everyone would link their Phab account to their LDAP account, as I myself have no other way to verify that both accounts belong to the same person.

(I can obviously only cover my options here based on limited data as I have no access to NDAs on record. I recommend bringing up the bigger topic with WMF Legal.)

Addshore updated the task description.

Thanks! I've added nine more accounts. Lydia seems to have either two different accounts, or accounts got renamed and I don't know how to find out.

You're right. At some point my ldap account got renamed IIRC. I changed the connection in my phabricator profile. Does it work now?

Looks good to me now I think https://ldap.toolforge.org/user/lpintscher attached to https://wikitech.wikimedia.org/wiki/User:Lydia_Pintscher attached to https://phabricator.wikimedia.org/p/Lydia_Pintscher/

Aklapper updated the task description.

Thanks everyone! I've added the remaining three folks as members of WMF-NDA, so I am going to resolve this.