==== Background ====
* A long time ago in `T1051` and `T84994` we created the Phabricator projects #WMF-NDA and #WMF-NDA-Requests.
* Membership in #WMF-NDA allows accessing restricted Phab tickets that require an NDA with WMF in place.
* #WMF-NDA-Requests is for requesting membership in #WMF-NDA which is currently a manual process.
* This process (actually one for WMF staff, and another one for "non-staff" covered on [wikitech:Volunteer_NDA](https://wikitech.wikimedia.org/wiki/Volunteer_NDA) which makes you wonder which one would apply to chapter staff) is described on https://phabricator.wikimedia.org/project/profile/61/ .
[For the last 9 years it has been fine to assume that new WMF staff is under an NDA](https://office.wikimedia.org/w/index.php?title=Topic:U72izrslygvlenos&topic_showPostId=u74hv9lsmyzujypu#flow-post-u74hv9lsmyzujypu), however in my understanding adding new staff to the `ldap/wmf` LDAP group and to the #WMF-NDA Phab project cannot be part of the WMF onboarding process itself, as new staff first themselves need to create their developer/LDAP user account (and their Phab user account), while WMF ITS' onboarding only includes creating a SUL user account for new staff.
==== Situation ====
Currently, manually processing #WMF-NDA Phab project membership requests under #WMF-NDA-Requests requires:
* checking the mediawiki.org SUL account that the Phabricator account is linked against on the Phab user profile of the requester
* checking https://www.mediawiki.org/wiki/Special:CentralAuth on which exact wiki site that SUL user account was created, and
* checking `Special:Log` on that exact wiki site if the SUL user account was created by a staff account that is/was a WMF ITS member (I'm dropping the chain of trust at this stage)
* sometimes asking requesters to first [also link their SUL user account to their Phab user account](https://www.mediawiki.org/wiki/Phabricator/Help#Using_your_Wikimedia_developer_account) if they used their developer/LDAP user account to create their Phab user account, and in rare cases requesting that they connect their WMF ITS-created SUL staff user account to their Phab user account instead of a self-created SUL non-staff user account.
This is a bit cumbersome for all involved parties (requester having to file two separate tickets; one person to add to ldap/wmf and another person to add to #WMF-NDA while this could be done by the same person).
//(For completeness: Alternatively I //assume// that checking the developer/LDAP user account linked to a Phab user account and then checking their membership in `ldap/wmf` is somehow possible and that I might not be aware of it. https://ldap.toolforge.org/user/aklapper allows lookup of the wikitech.wikimedia.org wiki user name for a given shell user name only, but not the other way round which would be the case here, to then check https://ldap.toolforge.org/group/wmf )//
==== Proposal ====
When a staff member uses their Phabricator account to file a request under #ldap-access-requests to become a member of the `ldap/wmf` LDAP group, this staff member's Phabricator account should also get added as a member to #WMF-NDA.
This action obviously requires edit permissions, and SRE folks should have them: According to the Edit policy of #WMF-NDA at https://phabricator.wikimedia.org/project/edit/61/ , currently [members of](https://phabricator.wikimedia.org/project/members/29/) #acl_sre-team, `@eross`, `@bcampbell`, `@eliza`, `@offboarding`, and [Phab administrators](https://phabricator.wikimedia.org/people/query/DktdoFyuGYMN/#R) can edit members of #WMF-NDA.
If this workflow was implemented, it should probably be documented at https://wikitech.wikimedia.org/wiki/SRE/Clinic_Duty#Review_incoming_tasks .
Also on https://phabricator.wikimedia.org/project/manage/1564/ the link to https://wikitech.wikimedia.org/wiki/SRE_Clinic_Duty#LDAP_group_changes should be updated (as there is no such anchor).
See also non-public T289552 for a slightly related discussion.