
ZhouZ needs access to WMF-NDA group
Closed, Resolved; Public

Description

Hi,

I would like access to the WMF-NDA group on Phabricator.

I am the new legal counsel supporting products at the Wikimedia Foundation.

Thanks,

Zhou

Event Timeline

ZhouZ raised the priority of this task from to Needs Triage.
ZhouZ updated the task description.
ZhouZ added a project: WMF-NDA-Requests.
ZhouZ subscribed.

For what it's worth, I can prove that @ZhouZ is the same Zhou that works in WMF-Legal (and he is a member of that project already).

WMF-NDA-Requests is really supposed to be for volunteers to use...

Hi @Krenair, what process should Foundation employees use to request access?

To be honest, I'm not sure we have one... Maybe we should change WMF-NDA-Requests a bit.

I followed the description at WMF-NDA and I added SRE because, indeed, the regular process signing an NDA online is for volunteers, not for employees.

Dzahn renamed this task from Need access to WMF-NDA group to ZhouZ needs access to WMF-NDA group. May 11 2015, 11:38 PM
Dzahn set Security to None.

WMF-NDA-Requests is really supposed to be for volunteers to use...

Does it matter whether people receive compensation from WMF or not?

@Qgil Didn't this come up before and we got a kind of blanket statement from legal/HR saying that we can assume anyone who is an employee also signed an NDA at some point? In that case we could simply add anyone who has a @wikimedia.org address and asks for it.

If that is not the case and we want to check for actual NDAs being signed, then I would say why don't we use the same procedure for all people and ask legal to create a version of L2 that isn't specific to volunteers, or even easier, change the wording to use the same document for all people if possible? I wonder if it really matters for this whether people happen to be paid.

The requesting user is a member of legal. The teams that could potentially confirm an NDA has been signed seem to be legal or HR. Who can we assign it to to confirm?

@Qgil Didn't this come up before and we got a kind of blanket statement from legal/HR saying that we can assume anyone who is an employee also signed an NDA at some point? In that case we could simply add anyone who has a @wikimedia.org address and asks for it.

This is my opinion as well. With HR's onboarding process, I don't think you can be an employee and not have an NDA signed. Someone with permissions could update the description of WMF-NDA and add @ZhouZ.

Other WMF employees could be added just after their request. As you say, having a @wikimedia.org address is a good proof. I don't think they need to sign a second NDA with the same scope.

WMF-NDA-Requests is really supposed to be for volunteers to use...

Does it matter whether people receive compensation from WMF or not?

There are many things we could ask that about...

WMF-NDA-Requests is really supposed to be for volunteers to use...

Does it matter whether people receive compensation from WMF or not?

There are many things we could ask that about...

Yea? So does it matter or not?

@Dzahn, I confirmed that @ZhouZ is an employee and under NDA. He will need to access WMF-NDA as part of his work.

Thanks!

In T98722#1278472, @Qgil wrote:

Someone with permissions could update the description of WMF-NDA and add @ZhouZ.

@Qgil agree, looking at history you have added over 100 people (WMF employees) to this group before, do you just want to do the same here then?

@Dzahn, I confirmed that @ZhouZ is an employee and under NDA. He will need to access WMF-NDA as part of his work.

Ok, thanks! Added to the group.

P.S. That project page says that we should never add people without a confirmed NDA. (If the theory is that having an @wikimedia.org address is good enough, that can be removed.) But if we are supposed to check, then I'm gonna note that we still don't have a defined way how to do that, and I am not sure how it was done for previous cases where WMF employees have been added and what made this one different.

(Just for reference)

In T98722#1278472, @Qgil wrote:

Someone with permissions could update the description of WMF-NDA and add @ZhouZ.

@Qgil agree, looking at history you have added over 100 people (WMF employees) to this group before, do you just want to do the same here then?

I did that in a single shot as part of the RT migration. Today I don't even have permissions to add members (and that's fine, since this is an SRE process). I'm for accepting automatically any @wikimedia.org from now on. If WMF-Legal has an objection, they can object. :)

So everyone who has a @wikimedia.org account should be on a NDA and can be added to the WMF-NDA group. So going forward, that's all we should need to look for to add someone.

I am also going to contact HR about integrating this into the on-boarding process.

So everyone who has a @wikimedia.org account should be on a NDA and can be added to the WMF-NDA group. So going forward, that's all we should need to look for to add someone.

@ZhouZ: What type of account is a "@wikimedia.org account"? Also, Phabricator does not expose the email addresses of user accounts.

I am also going to contact HR about integrating this into the on-boarding process.

@ZhouZ: Your help moving T107136 forward is very welcome. (For the last half a year I have not been successful in getting a reply in Phab.)

@ZhouZ: What type of account is a "@wikimedia.org account"? Also, Phabricator does not expose the email addresses of user accounts.

I am just going off based on Quim's comment above

Other WMF employees could be added just after their request. As you say, having a @wikimedia.org address is a good proof. I don't think they need to sign a second NDA with the same scope.

@wikimedia.org isn't just managed by OIT, non-staff run addresses there, for example anything going through OTRS.

That said, I think everyone using OTRS has probably got some sort of NDA at this point?

@ZhouZ: Hmm, let me try to rephrase the problem:

So everyone who has a @wikimedia.org account should be on a NDA and can be added to the WMF-NDA group. So going forward, that's all we should need to look for to add someone.

I cannot look for or find out whether someone has a @wikimedia.org account. Phabricator does not show you what email address someone used for their Phab account. Hence it's not feasible. I can only check for the user name of an associated SUL account, or LDAP account. Both do not allow me to find out their email addresses either. Hence this is not feasible. :(

Ok I see - I was mistaken then.

It sounds like maybe the process should be someone should email an address requesting to be added by giving their Phabricator username from their @wikimedia.org account.

@wikimedia.org isn't just managed by OIT, non-staff run addresses there, for example anything going through OTRS.

True, but I was under the impression that at least the GMail/Google Apps accounts ending in @wikimedia.org are only given to people who have signed an NDA. (I seem to recall seeing some Google Drive content shared to this group based on this assumption.)

@wikimedia.org isn't just managed by OIT, non-staff run addresses there, for example anything going through OTRS.

True, but I was under the impression that at least the GMail/Google Apps accounts ending in @wikimedia.org are only given to people who have signed an NDA. (I seem to recall seeing some Google Drive content shared to this group based on this assumption.)

That's my impression as well, but you can't just email a random @wikimedia.org address and assume it'll be routed to a foundation staff member in Google Apps. @wikimedia.org addresses are used by more systems than just staff mail.

What about a task / email by their manager? It should be simple to verify the manager's username/email.

What about a task / email by their manager? It should be simple to verify the manager's username/email.

Yep that could work (I assume this means there's something about a manager that makes them easier to verify).

As opposed to new/recent hires, managers are supposed to either have been around for a while or have properly verifiable credentials. And if not, then the first thing to fix is the verification of that manager.

What about a task / email by their manager? It should be simple to verify the manager's username/email.

Task comment, probably... which might sometimes require fixing the manager's account too.

Emails: No - insecure and error-prone technology. (Would mean returning to a single bottleneck of failure and require me to reply to such emails a la "Did you really send this email?" before I become a security expert about mail header spoofing, or require folks to sort out GPG for verification.)

So to recap what we want to do:

The process would be for any staff member requesting NDA access for their NDA account to create a phabricator task using their account (ccing @Aklapper) and have their manager request this access on the task for this particular staff account.

Folks who want access to file a task under WMF-NDA-Requests. I verify the account and check if it was created by Office IT. If it was not, I ask the person to make their manager comment on that task (and cross fingers that the manager's account was created by Office IT).
(For the record: The first two steps are documented on office:Guide_for_new_engineering_staff#Accounts)

FYI, I'd love WMF folks to get access already when onboarding. Help making progress in https://phabricator.wikimedia.org/T107136 is welcome.

I see - I have done more investigation into this process. Will update the other task then and close this one.