Page MenuHomePhabricator
Create Task
Maniphest T420690

Create Project in GrowthBook, then migrate materials and access to it
Closed, ResolvedPublic1 Estimated Story Points
Actions

Description

This is a task to set up a Project (e.g., "Wikimedia") in growthbook-next.wikimedia.org and growthbook.wikimedia.org, align experiments (and their related data / configuration as appropriate) with the Project, and update existing Read Only or CustomElevatedAccess users to only have their role assignment within that Project, confirming that access to read query results or create experiments no longer works if the GrowthBook role access isn't pinned to the Project, but does work if access is pinned to a Project.

By the way, I ( @dr0ptp4kt ) see a small number of Read Only users whose access by way of the Project does not seem necessary at this point; if they're not in T419021: LDAP ("Bitu") group membership assignments for tiered access to GrowthBook they shouldn't get role membership in the Project, I think.

This is being dropped into Sprint 21, but could be dragged to a following sprint.

DP SRE added as subscribers for visibility. It is necessary for the automation script work to be able to synchronize LDAP/Bitu group membership to a GrowthBook role confined to a Project.

Related Objects
Search...

Event Timeline

dr0ptp4kt created this task.Mar 20 2026, 4:27 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 20 2026, 4:27 AM
dr0ptp4kt mentioned this in T420691: Automate Wikimedia IDM ("Bitu") and GrowthBook role synchronization.Mar 20 2026, 4:29 AM
dr0ptp4kt added a parent task: T420691: Automate Wikimedia IDM ("Bitu") and GrowthBook role synchronization.
KReid-WMF edited projects, added Test Kitchen (Test Kitchen (Experiment Platform Sprint 22)); removed Test Kitchen (Experiment Platform Sprint 21).Apr 2 2026, 5:07 PM
mpopov triaged this task as Medium priority.Apr 13 2026, 9:01 PM
mpopov moved this task from Ready for Development to In Progress on the Test Kitchen (Test Kitchen (Experiment Platform Sprint 22)) board.
mpopov set the point value for this task to 1.
mpopov added a comment.Apr 13 2026, 9:24 PM

"Wikimedia" project created: https://growthbook.wikimedia.org/project/prj_2423gnmnxoeace

mpopov added a comment.Apr 13 2026, 9:33 PM

Every member has a Global Role (one of: Read Only, CustomElevatedAccess, Admin) and can optionally have per-project roles.

I have reactivated the built-in "No Access" role and made that the new default for new users. Now, users have to be manually granted a Read Only access (either globally or for Wikimedia project specifically).

mpopov added a comment.Apr 13 2026, 10:18 PM

I have updated everyone's roles. (Everyone who has opened GrowthBook while logged in to their wikimedia.org developer account and was automatically given a Read Only global role. Some users have been manually given a CustomElevatedAccess role and I have kept those, but on a per-project basis. See attached:

member roles.png (620×900 px, 96 KB)

mpopov added a comment.Apr 13 2026, 10:19 PM

Posted in team channel in Slack and sharing here for posterity:

While DPE SRE are implementing Wikimedia IDM-managed tiered access and we are manually managing access via GB UI, if you get pinged with a GB access request, please follow these steps to edit the requester's role:

  1. Settings > Members > ⋮ > Edit Role
  2. Keep "No Access" as the global role, select "Wikimedia" under Project Roles (optional) and click Add Project Role
  3. Select "Read Only" or "CustomElevatedAccess" as project role

You should see these details in the Members table which now looks like (see attached).

Select CustomElevatedAccess if the user needs to be able to:

  • define fact tables and metrics
  • import and make changes to experiment details
  • create custom reports or trigger refresh of results

You should select Read Only unless the requester has expressed a clear need for that elevated access.

mpopov added a comment.Apr 13 2026, 10:23 PM

@KReid-WMF @dr0ptp4kt: Fact Tables and Metrics are currently "All Projects". I recommend keeping it that way.

If we put all the fact tables and metrics in the "Wikimedia" project, then if create a "WMDE" project it would not be able to use any already-defined fact tables and metrics.

I think it's enough to only use Wikimedia project for:

  • role/access
  • experiments (and eventually features)

Do you agree?

mpopov added a comment.Apr 17 2026, 5:11 PM

Update: All assets have to be under the Wikimedia project in order for users with Global=NoAccess,Wikimedia=CustomElevatedAccess roles to be able to edit fact tables & metrics. If an asset is under "All projects" then only admins can edit it.

Found this via troubleshooting with Shay.

Have now made all fact tables & metrics part of the Wikimedia project.

mpopov closed this task as Resolved.Apr 17 2026, 6:24 PM
mpopov moved this task from In Progress to Done on the Test Kitchen (Test Kitchen (Experiment Platform Sprint 22)) board.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits