Moving our procurement process into phabricator requires a few things. This task will outline the proposed workflow for a procurement task, and the relevant security settings.
Workflow:
* User creates a #hardware-request task for the hardware.
* If hardware needs to be ordered, Rob creates a #procurement task in the S4 Vendor Quote space for each quote/vendor combination.
** Example: We need a new database system on task A (hardware-request). Then we create Task B in the S4 #procurement project for Dell quote, and Task C in the S4 #procurement project for HP quote.
* Rob deals with Dell on Task B, they email back with quotes and options.
* Rob deals with HP on Task C, they email back with quotes and options.
* Ops determines which specification/quote to go with, and escalation of the task begins for approvals.
* The task then has to be viewed by Mark, and possibly Damon or Lila (upper management), for approval. Mark tends to comment on the task, whereas Damon and Lila will likely email their approval back into the task, or to Mark (who then forwards it into the task).
* Once order is placed, the S4 #procurement task is assigned to the on-site tech to scan the packing slip.
* On-site receives the order and resolves the task with the relevant details. If there are issues, on-site notes them on the task and assigns it back to Rob.
* S4 #procurement tasks have to be able to receive email sent directly to the task at T###@phabricator.wikimedia.org
* S4 #procurement tasks have to be locked down by view/read/edit/everything to ONLY #wmf-nda.
* Volunteers shouldn't interact with the tasks, so #wmf-nda is required to ensure only the ones who signed an NDA can view. Unfortunately we don't keep a staff list in phab, so NDA is the tightest we can lock it down without managing a new group.
* ALL procurement tasks should have the Security drop-down set to 'other confidential issue'. The details on what this does are [[http://www.mediawiki.org/wiki/Phabricator/Security#Understanding_.27Security.27_Field_Transforms | here]]. Basically it will simply ensure we don't accidentally set the task to public or non-NDA-viewable. As these are vendor quotes, this is mandatory.
I (@RobH) dislike that there are two steps needed here, putting in procurement + the 'other confidential issue' selection in the drop-down, but the only alternative I can think of is adding a 'procurement' entry to the security drop-down. After chatting with @chasemp, he pointed out that doing that is a larger usability issue, and will likely result in some confusion. Since procurement is such a small subset of our overall phabricator userbase, it is better that we (myself and whoever else processes these) take that extra step rather than the alternative presented.
* Any email attachments into the task should automatically have security settings applied so they are ONLY viewable to those who can view the task.
** This is confirmed now working, as @chasemp updated our emailbot importing to have attachments owned by emailbot, only viewable via the task they were imported from.
* ALL #procurement tasks should be placed into the S4 space, as they may include confidential pricing.
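The "doesn't leak private info" check in the test list below is easy to get wrong by hand, so here is a small audit script that does it mechanically. This is an added example (mine, not part of this task and not Wikimedia's own tooling): it reads the output of the Conduit `maniphest.search` method and flags any #procurement task that is not in the S4 space, whose view or edit policy is anything other than "members of #wmf-nda", or whose Security field is not set to 'other confidential issue'. The PHIDs are placeholders, the custom field key `custom.security_topic` and the value `other` are assumptions, and the `SAMPLE_RESPONSE` is constructed so the script runs offline; the live `fetch_procurement_tasks` call is shown but not exercised.

```python
"""Audit #procurement tasks for the lock-down described above.

Added example, not part of the original task or of Wikimedia's tooling.
The PHIDs below are placeholders; the Security custom field key and its
expected value are assumptions to be checked against your own instance.
"""
import json
import urllib.parse
import urllib.request

# Placeholder PHIDs (assumption: substitute the real ones from your instance).
S4_SPACE_PHID = "PHID-SPCE-s4vendorquote"
WMF_NDA_PROJECT_PHID = "PHID-PROJ-wmfnda"
SECURITY_FIELD = "custom.security_topic"   # assumed custom field key
SECURITY_EXPECTED = "other"                 # assumed value for 'other confidential issue'


def audit_task(task):
    """Return a list of findings (empty == compliant) for one search result item."""
    fields = task["fields"]
    findings = []
    if fields.get("spacePHID") != S4_SPACE_PHID:
        findings.append("not in S4 space")
    # maniphest.search reports the effective policy as a PHID (members of a
    # project) or a builtin such as "public" / "users"; only the project counts.
    policy = fields.get("policy", {})
    for action in ("view", "edit"):
        if policy.get(action) != WMF_NDA_PROJECT_PHID:
            findings.append(f"{action} policy is {policy.get(action)!r}, not #wmf-nda")
    if fields.get(SECURITY_FIELD) != SECURITY_EXPECTED:
        findings.append("Security field not set to 'other confidential issue'")
    return findings


def audit_response(response):
    """Map task id -> findings for every task in a maniphest.search response."""
    return {task["id"]: audit_task(task) for task in response["result"]["data"]}


def fetch_procurement_tasks(host, api_token):
    """Live query (not run here): tasks tagged #procurement via Conduit.

    Conduit takes PHP-style nested form parameters; the project constraint
    is given by hashtag (assumption: 'procurement' is the project's hashtag).
    """
    params = {
        "api.token": api_token,
        "constraints[projects][0]": "procurement",
        "attachments[projects]": "1",
    }
    data = urllib.parse.urlencode(params).encode()
    with urllib.request.urlopen(f"https://{host}/api/maniphest.search", data=data) as r:
        return json.load(r)


# Constructed sample: one compliant task and one that leaked to all logged-in users.
SAMPLE_RESPONSE = {
    "result": {
        "data": [
            {
                "id": 110566, "type": "TASK", "phid": "PHID-TASK-a",
                "fields": {
                    "name": "Dell quote for db system",
                    "spacePHID": S4_SPACE_PHID,
                    "policy": {"view": WMF_NDA_PROJECT_PHID, "edit": WMF_NDA_PROJECT_PHID},
                    SECURITY_FIELD: SECURITY_EXPECTED,
                },
            },
            {
                "id": 99999, "type": "TASK", "phid": "PHID-TASK-b",
                "fields": {
                    "name": "HP quote for db system",
                    "spacePHID": None,
                    "policy": {"view": "users", "edit": WMF_NDA_PROJECT_PHID},
                    SECURITY_FIELD: None,
                },
            },
        ]
    }
}

if __name__ == "__main__":
    for task_id, findings in audit_response(SAMPLE_RESPONSE).items():
        print(f"T{task_id}: {'OK' if not findings else '; '.join(findings)}")
```

Run it against a real `maniphest.search` response (after filling in the PHIDs) whenever a new S4 #procurement task is created; any non-empty finding list means the task, or an attachment imported into it, is visible to more than #wmf-nda.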
Task creation steps & tests :
[x] - generate a new S4 #procurement task & ensure its creation doesn't leak private info.
* T110566 was created in the S4 space without issue.
* T94507 was successfully created and has all proper permissions. When created, it was set with the 'other confidential issue' in the security drop-down.
[x] - email an attachment into the task & ensure its attachment isn't viewable to anyone not in the NDA group.
* After @chasemp's work on emailbot, T110566 now has emailbot imported files that are confirmed only visible via the task linking. (Direct linking fails.)
[] - test if someone not a member of the acl*procurement group can be assigned to S4 #procurement tasks.
* Cannot test until after we create the acl*operationsteam and acl*procurement groups.