Since James Fishback has left, we need to redirect the @priv_eng_sync account Privacy Engineering to a different email address and see if that works. If not, an email address will need to be created for this particular use case. We're going to try and redirect the account directly to the Asana email address. There might be complications because that account needs 2FA and James' account is already deactivated.
Description
Status | Subtype | Assigned | Task
---|---|---|---
Resolved | | Mstyles | T356297 Offboard James Fishback from Security Team
Resolved | | acooper | T359087 Redirecting @priv_eng_sync Phab account (Asana sync) to new email address
Event Timeline
@Aklapper would you be able to update the @priv_eng_sync user so that it points to the email address above? If that's not possible, then I'll go ahead and have that account deleted.
@Mstyles: Hi, as https://phabricator.wikimedia.org/p/priv_eng_sync/ is a user account which even explicitly says "owned by jfishback" you need to contact jfishback as they set up that account. Apart from fiddling in the database there is no way for admins to manipulate users' email addresses...
For future reference, it's possible to avoid such single-point-of-failure setups by following the steps to use a bot account: https://www.mediawiki.org/wiki/Phabricator/Bots . Bot accounts in Phabricator must not be created as normal accounts. Thanks a lot in advance! :)
Hey @Aklapper - the issue here is that @JFishback_WMF has left the Foundation, their Phab account is inactive and they may not be contactable at this point. But it sounds like we really don't have any options in this case, except to maybe disable/delete @priv_eng_sync and start over.
I assume the Security Privacy Engineering Team's internal docs about this account already cover it but to be on the safe side I'll mention that https://wikitech.wikimedia.org/wiki/User:Priv_eng_sync also welcomes updates (or rather disabling, once this is set up properly and not as a random user account). TIA
I have a plan for fixing this. These are just some notes for myself:
- Add myself to the Privacy Engineering Phabricator project so that I (hopefully) get emails for any new task
- Set up a Gmail rule to forward these emails to Asana
- Document the above process so it could be run by any team member in future by adding themself to the project and configuring the same Gmail rule
Allow me to explicitly state that I consider any approach for automated activity that relies on a single personal account instead of a bot account ill-fated. See how the current situation was created which led to creation of this ticket.
And as much as I love the idea of documenting a process, the last years taught me that many folks either do not think of docs, or do not search for docs, or cannot find docs (e.g. hidden in a Google folder linked from a Slack message linked from an officewiki page described in different words than the search terms used), or do not read docs. :) Thanks for considering.
Taking a step back, could someone point to docs on which functionality this account provides? Is there any custom code involved somewhere, or is this "just" about email notifications into Asana? I see that it is a member of acl*security and acl*security_secteam...
The only on-wiki documentation I am finding is https://office.wikimedia.org/wiki/Security/Training/Privacy_Engineering#Project_management_utilities:_Asana_and_Phabricator, which doesn't really discuss this particular workflow in detail. I'm going to assume that's all there is, given that nobody else within Privacy Engineering seems to have knowledge of this workflow or access to @priv_eng_sync. I would note that if this particular automation were to continue via @priv_eng_sync, a newly-created account or an individual's Phabricator account, the implicated account would absolutely need access to acl*security in some way.
For the record, there is also the automated Herald rule H354 sending emails to that Phab account. Is that one still useful?
Per P61984#249626, @priv_eng_sync is not in acl*security. So I also disabled H354 for now.
I think this can be resolved for now. @priv_eng_sync is now fully disabled. If the Privacy Engineering team wishes to move forward with similar Phab => Asana functionality, they'll need to create a new Phabricator account with (hopefully) an email address that does not belong to a specific staff member.