
let Eoghan see security tickets in Phabricator
Closed, Resolved (Public)

Description

@eoghan can't see tasks like T335835. But he should be able to see them because he works in SRE and in the subteam that deals with Phabricator itself.

This task is to fix group memberships. It seems like it's about being added to the "acl*security" group.

But let's also check WMF-NDA and other SRE groups.

@eoghan We are following https://www.mediawiki.org/wiki/Security/SOP/Access_to_Phabricator_Security_Issues

cc: @Muehlenhoff

Event Timeline

@eoghan So the ticket above uses a (custom) policy that checks for membership in "acl*security". This is used for security-relevant tickets. You should be in that but there is a process.

Dzahn renamed this task from "fix Phabricator privileges for Eoghan" to "let Eoghan see security tickets in Phabricator". May 4 2023, 4:45 PM
Dzahn updated the task description.
Dzahn updated the task description.
Dzahn added a subscriber: RhinosF1.

As pointed out by @RhinosF1, I should tag security-team and not sre-access-requests, which is of course correct.

Using tags from example ticket T335755.

Dzahn updated the task description.

You need to email security-help@wikimedia.org, they make the change.

Oh, really? That is strange that we can't use the system itself when it's about groups within the system. Seems like a step back since Phabricator was introduced specifically to fix the problem of different teams using different tools.

Please follow https://www.mediawiki.org/wiki/Security/SOP/Access_to_Phabricator_Security_Issues . It has steps, links, forms for/to everything. Please use them. Thanks.

You need to email security-help@wikimedia.org, they make the change.

If that's correct then the Security team should maintain and update its public docs.

You need to email security-help@wikimedia.org, they make the change.

That's one way. Another is just having a task like this tagged with Security-Team and we'll eventually get to it during our next Monday clinic. If it's more urgent than that, just let me know. The appropriate acl will be acl*security_sre.

Maybe it's time to add "Mail security-help@wikimedia.org to get Security access in Phabricator" as part of the onboarding checklist for SREs. Anyone in SRE needs to be able to react to Security tasks opened by users, so this seems like a sensible default.

@sbassett Could you check with the rest of the Security Team if that's fine? If so, I'd update the SRE onboarding template accordingly.

@MoritzMuehlenhoff, @sbassett: Or maybe instead it's time to add a link to public canonical docs which can be found by everyone and not only by some WMF insiders, and which provide a Phab form to fill in all required data as part of an onboarding checklist, instead of advertising sending unstructured non-public emails to blackboxes which will make requests and WMF decisions more intransparent?

@MoritzMuehlenhoff - I'd agree with @Aklapper that you should probably just link to https://www.mediawiki.org/wiki/Security/SOP/Access_to_Phabricator_Security_Issues in the internal SRE doc as that describes the ideal process to follow. If folks email security-help@ about this, we would just create a Phab task for the request anyways.

+1 to the above, especially because this is about managing groups in the ticket system itself. Let's not change the medium.

@MoritzMuehlenhoff - I'd agree with @Aklapper that you should probably just link to https://www.mediawiki.org/wiki/Security/SOP/Access_to_Phabricator_Security_Issues in the internal SRE doc as that describes the ideal process to follow. If folks email security-help@ about this, we would just create a Phab task for the request anyways.

Ack! Updated the SRE-specific part of the onboarding checklists to include https://www.mediawiki.org/wiki/Security/SOP/Access_to_Phabricator_Security_Issues

mmartorana changed the task status from Open to In Progress. May 9 2023, 2:51 PM

Hey @eoghan - I have included you in the acl-security-sre group. Could you please verify if the permissions appear correct at this time? Thank you.