This is a request to create and deploy the following three new LDAP groups, to be administered through the Wikimedia IDM ("Bitu") web interface.
- growthbook-readonly. This will allow read-only access to the Data Platform Engineering-maintained GrowthBook system.
- growthbook-customelevatedaccess. This will allow intermediate access to the Data Platform Engineering-maintained GrowthBook system.
- growthbook-admin. This will allow full access to the Data Platform Engineering-maintained GrowthBook system. Initial members should be brouberol, btullis, bearloga, phuedx, kareid, jvanderhoop, dr0ptp4kt; they should be set as the group's managers (that is, approvers).
The initial (manager) members of growthbook-admin should also be able to administer user requests for access to growthbook-readonly and growthbook-customelevatedaccess; this likely requires that they are defined as managers in each of those groups as well. The groups are not mutually exclusive: a user may be a member of more than one. In the final mapping from LDAP groups to GrowthBook-defined roles (which will have a layer of automation on top), as a reminder from T419622: Verify GrowthBook access approach, the most powerful of a user's Wikimedia IDM ("Bitu") groups is the one that should be mapped onto that user's GrowthBook role in the designated Project.
This probably requires updates to nda_groups.txt, offboard-user.py, and idm-django-settings.erb, in addition to the likely preliminary LDIF and ldapadd steps to create the groups themselves.
https://wikitech.wikimedia.org/wiki/SRE/LDAP/Groups should be updated at completion of this task.
Heads up to @phuedx: you'll want to change the email address on your GrowthBook account to match your email address in LDAP, so that the eventual synchronization matches you correctly (from the looks of it, it is presently set to a different, pre-SSO address).
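To make the two points above concrete (the "most powerful group wins" rule for the LDAP-to-GrowthBook role mapping, and the need for a user's GrowthBook email to match their LDAP mail attribute), here is an added example of the resolution and reconciliation logic such an automation layer would need. It is illustrative code written for this task, not the project's sync implementation. The GrowthBook role names ("admin", "experimenter", "readonly"), the dictionary shapes of the LDAP and GrowthBook inputs, and the sample users and addresses are all assumptions constructed for the example.

```python
"""Resolve GrowthBook roles from Wikimedia LDAP group membership.

Added example; not the project's sync code. The three LDAP group names come
from the task. The GrowthBook role names, the input data shapes and the
sample data below are assumptions made for illustration.
"""

# Most powerful first. A user who is in several groups gets the first match,
# which implements the "most powerful Bitu group wins" rule from T419622.
# GrowthBook role names on the right are assumed, not taken from GrowthBook.
GROUP_ROLE_PRECEDENCE = (
    ("growthbook-admin", "admin"),
    ("growthbook-customelevatedaccess", "experimenter"),
    ("growthbook-readonly", "readonly"),
)


def effective_role(groups):
    """Return the GrowthBook role implied by a user's LDAP groups, or None
    if the user is in none of the growthbook-* groups."""
    member = set(groups)
    for ldap_group, gb_role in GROUP_ROLE_PRECEDENCE:
        if ldap_group in member:
            return gb_role
    return None


def normalize_email(addr):
    """Case and whitespace differences must not defeat the LDAP/GB match."""
    return addr.strip().lower()


def plan_sync(ldap_users, gb_members):
    """Compare the roles LDAP implies with GrowthBook's current state.

    ldap_users: {uid: {"mail": str, "groups": [ldap group cn, ...]}}
    gb_members: {growthbook account email: current GrowthBook role}

    Returns a dict with:
      update     {uid: (current_role, desired_role)} roles to change in GB
      unchanged  [uid]  LDAP and GB already agree
      unmatched  [uid]  LDAP grants a role but no GB account has that mail
                        (the pre-SSO address problem noted in the task)
      ungoverned [email] GB accounts not backed by any growthbook-* group
                        (candidates for review or removal)
    """
    gb_by_email = {normalize_email(e): r for e, r in gb_members.items()}
    governed = set()
    plan = {"update": {}, "unchanged": [], "unmatched": [], "ungoverned": []}

    for uid, entry in ldap_users.items():
        desired = effective_role(entry["groups"])
        if desired is None:
            continue  # not in any growthbook-* group: nothing to grant
        email = normalize_email(entry["mail"])
        if email not in gb_by_email:
            plan["unmatched"].append(uid)
            continue
        governed.add(email)
        current = gb_by_email[email]
        if current == desired:
            plan["unchanged"].append(uid)
        else:
            plan["update"][uid] = (current, desired)

    plan["ungoverned"] = sorted(e for e in gb_by_email if e not in governed)
    return plan


# Constructed sample data (assumed shapes and addresses, not real accounts).
SAMPLE_LDAP = {
    "alice": {"mail": "alice@example.org",
              "groups": ["growthbook-readonly", "growthbook-admin"]},
    "bob":   {"mail": "Bob@example.org",
              "groups": ["growthbook-customelevatedaccess"]},
    "carol": {"mail": "carol@example.org",
              "groups": ["growthbook-readonly"]},
    "dave":  {"mail": "dave@example.org", "groups": ["nda"]},
}
SAMPLE_GB = {
    "alice@example.org": "admin",
    "bob@example.org": "readonly",
    "carol-old@example.org": "readonly",  # pre-SSO address, no LDAP match
    "eve@example.org": "admin",           # no growthbook-* group behind it
}

if __name__ == "__main__":
    for key, value in plan_sync(SAMPLE_LDAP, SAMPLE_GB).items():
        print(f"{key}: {value}")
```

Two points in the design are worth noting for the real automation: the "unmatched" bucket is exactly the case flagged for @phuedx above (a GrowthBook account whose email differs from LDAP silently keeps its old role), and the "ungoverned" bucket is what an offboarding-driven sync would act on, since removal from the LDAP groups must also remove or downgrade the GrowthBook role.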
Note that this is not requesting LDAP group assignment for all accounts presently in https://growthbook.wikimedia.org/; to start, it requests assignment only for those who currently have Admin in GrowthBook. We'll want to do a bulk setup of additional users after conferring with managers of other teams about who really needs initial access. To seed that list we may want to check last-login times and look for the intersection with established recent/frequent Test Kitchen users among pre-existing SSO users, then confirm explicitly with managers of the current and near-term user teams and cross-reference data.yaml and the LDAP entries. That is a separate matter, noted here for completeness.
@brouberol may confirm for rkemper as well (both for LDAP growthbook-admin membership and for https://growthbook.wikimedia.org/ SSO sign-in followed by a GrowthBook system-role update via the GrowthBook UI).
This task is being placed in Sprint 21 for work tracking in the Experiment Platform Team (it is a DP SRE work item), but it can be moved into a future sprint as necessary.