Background
- A long time ago in T1051 and T84994 we created the Phabricator projects WMF-NDA and WMF-NDA-Requests.
- Membership in WMF-NDA allows access to restricted Phab tasks that require an NDA with WMF to be in place.
- WMF-NDA-Requests is for requesting membership in WMF-NDA, which is currently a manual process.
- This process is described on https://phabricator.wikimedia.org/project/profile/61/ (actually there is one process for WMF staff and another one for "non-staff", covered on wikitech:Volunteer_NDA, which makes you wonder which one would apply to chapter staff).
For the last 9 years it has been fine to assume that new WMF staff are under an NDA. However, in my understanding, adding new staff to the ldap/wmf LDAP group and to the WMF-NDA Phab project cannot be part of the WMF onboarding process itself: new staff first need to create their developer/LDAP user account (and their Phab user account) themselves, while WMF ITS' onboarding only includes creating a SUL user account for new staff.
Situation
Currently, manually processing WMF-NDA Phab project membership requests under WMF-NDA-Requests requires:
- checking, on the Phab user profile of the requester, which mediawiki.org SUL account the Phabricator account is linked against,
- checking on https://www.mediawiki.org/wiki/Special:CentralAuth on which exact wiki site that SUL user account was created, and
- checking Special:Log on that exact wiki site to see whether the SUL user account was created by a staff account that is/was a WMF ITS member (I'm dropping the chain of trust at this stage),
- sometimes asking requesters to first also link their SUL user account to their Phab user account if they used their developer/LDAP user account to create their Phab user account, and in rare cases asking them to connect their WMF ITS-created SUL staff user account to their Phab user account instead of a self-created SUL non-staff user account.
This is a bit cumbersome for all involved parties (the requester has to file two separate tickets; one person adds them to ldap/wmf and another person adds them to WMF-NDA, while this could be done by the same person).
(For completeness: I assume that checking the developer/LDAP user account linked to a Phab user account, and then checking if that account is listed on https://ldap.toolforge.org/group/wmf could be an alternative workflow that I had not been aware of until a few minutes ago.)
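The second and third checks in the list above (which wiki the SUL account was created on, and who created it there) can be answered from two MediaWiki API lookups instead of clicking through Special:CentralAuth and Special:Log. The script below is an added example and not part of this task or of any WMF tooling; it parses constructed sample responses shaped like `meta=globaluserinfo&guiprop=merged` and `list=logevents&letype=newusers`, and the user name, wiki names, creator name and the list of ITS accounts in it are all made up. Which creating accounts count as WMF ITS is still the reviewer's own input (the `its_accounts` set), exactly where the manual process drops the chain of trust.

```python
"""Parse the two API lookups behind the manual WMF-NDA staff check.

Both sample responses are CONSTRUCTED for this example: they mimic the shape of
`action=query&meta=globaluserinfo&guiprop=merged` (CentralAuth) and
`action=query&list=logevents&letype=newusers` (Special:Log), with no real data.
"""
import json
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for
#   https://www.mediawiki.org/w/api.php?action=query&meta=globaluserinfo&guiuser=ExampleStaff&guiprop=merged&format=json
SAMPLE_GLOBALUSERINFO = json.dumps({"query": {"globaluserinfo": {
    "home": "mediawikiwiki", "id": 12345, "name": "ExampleStaff",
    "registration": "2023-05-01T09:00:00Z",
    "merged": [
        {"wiki": "loginwiki", "url": "https://login.wikimedia.org",
         "timestamp": "2023-05-01T09:00:05Z", "method": "login"},
        {"wiki": "officewiki", "url": "https://office.wikimedia.org",
         "timestamp": "2023-05-01T09:00:00Z", "method": "new"},
        {"wiki": "mediawikiwiki", "url": "https://www.mediawiki.org",
         "timestamp": "2023-05-02T12:00:00Z", "method": "login"},
    ]}}})

# Constructed stand-in for the newusers log on the creating wiki, e.g.
#   https://office.wikimedia.org/w/api.php?action=query&list=logevents&letype=newusers&letitle=User:ExampleStaff&format=json
SAMPLE_LOGEVENTS = json.dumps({"query": {"logevents": [
    {"logid": 1, "ns": 2, "title": "User:ExampleStaff", "type": "newusers",
     "action": "create2", "user": "ITS Onboarder",
     "timestamp": "2023-05-01T09:00:00Z"}]}})


def creation_wiki(globaluserinfo_json: str) -> str:
    """Return the wiki the global account was created on.

    Assumption (ours, not documented by the page): the local account attached
    with method "new" (or "primary" for accounts migrated at SUL finalisation)
    is the originating one; among several, the earliest attachment wins. With
    no such entry, fall back to the earliest attachment, then to "home".
    """
    gui = json.loads(globaluserinfo_json)["query"]["globaluserinfo"]
    if "missing" in gui:
        raise ValueError("no such global account")
    merged = gui.get("merged", [])
    originating = [m for m in merged if m.get("method") in ("new", "primary")]
    candidates = originating or merged
    if candidates:
        return min(candidates, key=lambda m: m["timestamp"])["wiki"]
    return gui["home"]


@dataclass
class CreationEvent:
    action: str              # create | create2 | byemail | autocreate
    creator: Optional[str]   # performer of the log action
    timestamp: str


def creation_event(logevents_json: str, username: str) -> Optional[CreationEvent]:
    """Find the Special:Log/newusers entry for `username` on one wiki.

    "create" is self-registration, "create2"/"byemail" mean another logged-in
    user created the account, "autocreate" is SUL auto-creation on first visit.
    """
    title = f"User:{username}"
    for ev in json.loads(logevents_json)["query"]["logevents"]:
        if ev.get("type") == "newusers" and ev.get("title") == title:
            return CreationEvent(ev["action"], ev.get("user"), ev["timestamp"])
    return None


def verdict(event: Optional[CreationEvent], its_accounts: frozenset) -> str:
    """Map a creation event to the outcome of the manual checklist.

    `its_accounts` is the reviewer's own list of accounts known to belong to
    WMF ITS (hypothetical input); nothing here derives it automatically.
    """
    if event is None:
        return "no-creation-log"
    if event.action == "autocreate":
        return "autocreated here: look at the originating wiki instead"
    if event.action in ("create2", "byemail"):
        if event.creator in its_accounts:
            return f"created by ITS ({event.creator}): staff account"
        return f"created by {event.creator!r}, not a known ITS account: review manually"
    return "self-created: not an ITS-provisioned staff account"


if __name__ == "__main__":
    wiki = creation_wiki(SAMPLE_GLOBALUSERINFO)
    ev = creation_event(SAMPLE_LOGEVENTS, "ExampleStaff")
    print(wiki, "->", verdict(ev, frozenset({"ITS Onboarder"})))
```

Run against live data the second lookup has to be sent to the wiki returned by the first one (the `url` field of the matching `merged` entry), and a "self-created" verdict is exactly the case in the last checklist item where the requester is asked to link their ITS-created staff account instead.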
Proposal
When a staff member uses their Phabricator account to file a request under LDAP-Access-Requests to become a member of the ldap/wmf LDAP group, this staff member's Phabricator account should also be added as a member to WMF-NDA.
This action obviously requires edit permissions, and SRE folks should have them: according to the edit policy of WMF-NDA at https://phabricator.wikimedia.org/project/edit/61/ , currently members of acl*sre-team, @eross, @bcampbell, @eliza, @offboarding, and Phab administrators can edit the members of WMF-NDA.
If this workflow were implemented, it should probably be documented at https://wikitech.wikimedia.org/wiki/SRE/Clinic_Duty#Review_incoming_tasks .
Also on https://phabricator.wikimedia.org/project/manage/1564/ the link to https://wikitech.wikimedia.org/wiki/SRE_Clinic_Duty#LDAP_group_changes should be updated (as there is no such anchor).
See also non-public T289552 for a slightly related discussion.