Open Bug 1762185 Opened 3 years ago Updated 1 year ago

update auditgroups to support additional email domains

Categories

(Socorro :: General, task, P2)

Tracking

(Not tracked)

People

(Reporter: willkg, Unassigned)

References

(Blocks 1 open bug)

Details

The protected data access policy requires that users be a Mozilla Corporation employee. One of the ways we implemented that was by requiring the LDAP account to end in "@mozilla.com".

In bug #1762181, we're changing the protected data access policy to allow for employees from Mozilla Corporation as well as Mozilla Foundation and subsidiaries.

This covers adding those additional domains to auditgroups. I think we can just add "mozillafoundation.com" and "thunderbird.net", but I'm not sure. Are there people who can log in using these email address domains who aren't employees? Maybe we need additional work to be done here?

(In reply to Will Kahn-Greene [:willkg] ET needinfo? me from comment #0)

> This covers adding those additional domains to auditgroups. I think we can just add "mozillafoundation.com" and "thunderbird.net", but I'm not sure. Are there people who can log in using these email address domains who aren't employees? Maybe we need additional work to be done here?

I can't speak for mozillafoundation.org, but for thunderbird.net at least, only employees + Council members have access. So the only issue might be Council members. They do sign a specific Mozilla NDA, and in fact have more access to certain types of company information than a typical employee does in some ways. I can ask Feldman whether they're already covered by existing data sharing agreements or not.

That's good to know. This might be more involved, then. It dovetails with other work I've been mulling over, too.

Andrei: Do you know if Thunderbird employees are listed in phonebook or somewhere else that's automatically maintained?

An update on this... We're going to wait until Thunderbird employees are in LDAP to do any work here. It's possible that the way auditgroups works now needs to get changed.

For now, we'll do something along these lines:

  1. Person submits a protected data access grant request via Bugzilla
  2. Will gets the access ok'd by Andrei or someone like that
  3. Will gives access using the exception mechanism in the Crash Stats admin

We'll revisit this bug in a few months when things are more settled.

I think everyone is now in LDAP.
