Deployers can ssh to all mw hosts (appservers, api-appservers, maintenance, jobrunners, etc.) to e.g. run `scap pull` or another one of a narrow set of commands during investigations.
But, they can't ssh to any of the parse* hosts because they don't seem to inherit or or otherwise have set the standard set of appserver-ish admin_groups.
* [role/common/parsoid.yaml](https://github.com/wikimedia/puppet/blob/3feed004112ae443a0f9baeec4c5d7c2ed6b6e59/hieradata/role/common/parsoid.yaml#L1-L3)
* [role/common/mediawiki/appserver.yaml](https://github.com/wikimedia/puppet/blob/production/hieradata/role/common/mediawiki/appserver.yaml#L2-L5)
* [role/common/mediawiki/jobrunner.yaml](https://github.com/wikimedia/puppet/blob/e1e13a59de3021afaa43c31745abbe348a93017d/hieradata/role/common/mediawiki/jobrunner.yaml#L3-L5)
I don't know if there are plans for, or decisions made against, having parsoid be a role within the `mediawiki::` hierarchy. But in the interim perhaps it would make sense to add these two groups (`deployers` and `perf-roots`) manually to the parsoid role.