
Rework GitHub Team membership and permissions

Open jamesaoverton opened this issue 4 years ago • 15 comments

I would like to reorganize our GitHub Teams and permissions with the primary goal of reducing the number of people with Admin permissions for our repositories, and giving everyone else just the permissions that they need (and are currently using).

We talked about this on yesterday's OBO Foundry Operations Committee (OFOC) call, and had unanimous agreement in principle. I'll spell out the details of my proposal here, and we'll try to get final approval on the next OFOC call in two weeks. Unfortunately it's a bit complex, but I'll do my best to be clear.

GitHub has two tiers of permissions, Organization and Repository, and a few permission levels within each:

  • Organization (https://github.com/OBOFoundry)
    • Levels
      • Member
      • Owner
    • Documentation: https://docs.github.com/en/free-pro-team@latest/github/setting-up-and-managing-organizations-and-teams/permission-levels-for-an-organization
  • Repository (e.g. https://github.com/OBOFoundry/OBOFoundry.github.io)
    • Levels
      • Read
      • Triage
      • Write
      • Maintain
      • Admin
    • Documentation: https://docs.github.com/en/free-pro-team@latest/github/setting-up-and-managing-organizations-and-teams/repository-permission-levels-for-an-organization

The key concern is that anyone with Owner or Admin permissions can accidentally delete our repositories. While it's possible to recover the main repository contents, it turns out that a lot of other important information cannot be recovered. A secondary concern is that our current Teams are not well organized or described:

https://github.com/orgs/OBOFoundry/teams

When we migrated to GitHub about six years ago, the permission levels provided were quite coarse. At that time we made a long list of Owners and added all the members of the OBO Foundry Operations Committee to the "OBO-Admin" GitHub Team, and gave that team Admin permissions on all our repositories. That team now has more than 20 members. Many of those people may not realize that they have Admin permissions.

These lists are not public, but if you are on the list and logged in to GitHub you'll be able to see your name:

  • Owners: https://github.com/orgs/OBOFoundry/people?query=role%3Aowner
  • OBO-Admin: https://github.com/orgs/OBOFoundry/teams/obo-admin/members

Since that time, GitHub has implemented a range of more fine-grained permissions, and we've learned more about what permissions people actually need in practice.

I propose these three GitHub Teams:

  • OBO Admin
    • description: A small group of active Operations Committee members who have multiple years of in-depth experience with OBO and GitHub
    • organization permissions: Owner
    • repository permissions: Admin
    • in consultation with Chris Mungall, I propose these members: @balhoff @beckyjackson @cmungall @jamesaoverton @kltm @matentzn
    • I propose to use the existing OBO-Admin Team but change its membership
  • OBO Foundry Operations Committee
    • description: All current members of the OBO Foundry Operations Committee
    • organization permissions: Member
    • repository permissions: Write
  • OBO Community
    • description: Anyone with current responsibility for maintaining the registry or PURL entries for an OBO project, or who needs to be assigned an issue. Everyone listed as a "contact" for a project in the OBO Registry should be on this list, but this is not limited to project contacts.
    • organization permissions: Member
    • repository permissions: Read -- includes creating issues and Pull Requests
    • review: we should review this list every year or two
  • public access (no team membership)
    • description: anyone logged in to GitHub
    • organization permissions: None
    • repository permissions: Read -- includes creating issues and Pull Requests

I'd like to get rid of the legacy Teams to keep the lists better organized, but that will break previous "@" mentions.

I think that the changes I'm proposing won't actually impact anybody's daily work. They're just supposed to make us a bit safer from accidents, and make permissions a bit more clear. But I admit that it's a bit complicated, and I may have overlooked something. Feedback is appreciated.

jamesaoverton avatar Jan 13 '21 19:01 jamesaoverton

I like this very much!

matentzn avatar Jan 13 '21 20:01 matentzn

This sounds great!

nlharris avatar Jan 14 '21 16:01 nlharris

Agreed. It's complex but you made it very clear. I agree with the proposal and have no suggestions for modifications.

(I'm going to bookmark this ticket and use it as an exemplar for any other large GitHub orgs)

On Thu, Jan 14, 2021 at 8:46 AM Nomi Harris [email protected] wrote:

This sounds great!


cmungall avatar Jan 17 '21 02:01 cmungall

Does anything further need to be done to approve this, or can James go ahead and implement this?

nlharris avatar Feb 14 '21 23:02 nlharris

We had a preliminary discussion on an Operations call, then I worked through the details here. Some of the details are different from what I said on the call. I would like to review this once more on an Operations call before implementing. Unfortunately we've had a long gap between calls.

jamesaoverton avatar Feb 15 '21 13:02 jamesaoverton

Sounds great!

yongqunh avatar Feb 15 '21 15:02 yongqunh

@jamesaoverton should we put this on the agenda for tomorrow?

nlharris avatar Feb 22 '21 20:02 nlharris

Yes, I'll be happy to talk about it tomorrow. Thanks.

jamesaoverton avatar Feb 22 '21 20:02 jamesaoverton

Discussed on the OFOC call 2021-02-23: There was support for this plan and no objections. I will move ahead with this when I have time.

jamesaoverton avatar Feb 23 '21 17:02 jamesaoverton

@jamesaoverton I would love the ability to assign issues to @matentzn 😁 Are you planning on circling back on this soon?

cthoyt avatar Jun 07 '21 20:06 cthoyt

Sorry, this issue will take me a few uninterrupted hours, and those are rare. As a short-term measure I gave @matentzn Write permissions and @cthoyt Triage permissions.

jamesaoverton avatar Jun 09 '21 19:06 jamesaoverton

I haven't made the time to do this properly, but I took two steps:

  1. I created a new "OBO Foundry Operations Committee" team. All current members should be on this team, and should have gotten invitations just now. I gave this team Write permissions on this repo.

That involved a bunch of copy-pasting. I might have made mistakes. @nlharris or @nicolevasilevsky would you mind cross-checking those Team members against the list http://obofoundry.org/docs/Membership.html. Or do we have a more official list somewhere?

  2. I removed most people from the old OBO Admin team. Only these six remain: @balhoff @beckyjackson @cmungall @jamesaoverton @kltm @matentzn. This team has Admin rights on this repo.

jamesaoverton avatar Nov 18 '21 15:11 jamesaoverton
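The plan above (only the OBO Admin team as Owner/Admin, the Operations Committee team with Write) and the later request to cross-check the new team against the membership list both amount to the same recurring check: who effectively holds Owner or Admin, and does a team's roster match the canonical list. The script below is an added example written for this page, not OBO Foundry tooling. It works on already-fetched snapshots whose record shapes follow the GitHub REST API (`GET /orgs/{org}/members?role=admin` for Owners, `GET /orgs/{org}/teams/{slug}/members`, and `GET /orgs/{org}/teams/{slug}/repos`, whose entries carry a `permissions` object); every login prefixed `legacy_` or `committee_member_` and every team slug other than the ones named in the issue is a constructed placeholder, and the allow-list is the six logins proposed in the issue.

```python
"""Least-privilege audit for a GitHub organization (added example, not OBO code).

Snapshots below are constructed to mimic the GitHub REST API responses named in
the module-level comments; they are not real data from the OBOFoundry org.
"""
from typing import Dict, Iterable, List, Set

# Target state from the proposal: only these six logins should be Owner/Admin.
PROPOSED_ADMINS: Set[str] = {"balhoff", "beckyjackson", "cmungall",
                             "jamesaoverton", "kltm", "matentzn"}
REPO = "OBOFoundry/OBOFoundry.github.io"

# Constructed snapshot of GET /orgs/{org}/members?role=admin (org Owners).
ORG_OWNERS: List[dict] = [{"login": login} for login in
                          ["balhoff", "cmungall", "jamesaoverton", "kltm",
                           "legacy_owner_a", "legacy_owner_b"]]

# Constructed snapshot of GET /orgs/{org}/teams/{slug}/members, keyed by slug.
TEAM_MEMBERS: Dict[str, List[str]] = {
    "obo-admin": ["balhoff", "beckyjackson", "cmungall", "jamesaoverton",
                  "kltm", "matentzn", "legacy_owner_a"],
    "obo-foundry-operations-committee": ["nlharris", "nicolevasilevsky",
                                         "matentzn"],
    "legacy-team": ["legacy_owner_b", "legacy_member_c"],   # placeholder team
}

# Constructed snapshot of GET /orgs/{org}/teams/{slug}/repos. GitHub reports a
# team's role on a repo as a `permissions` object of booleans.
def _perms(admin: bool, push: bool) -> dict:
    return {"admin": admin, "maintain": admin, "push": push or admin,
            "triage": True, "pull": True}

TEAM_REPOS: Dict[str, List[dict]] = {
    "obo-admin": [{"full_name": REPO, "permissions": _perms(True, True)}],
    "obo-foundry-operations-committee": [{"full_name": REPO,
                                          "permissions": _perms(False, True)}],
    "legacy-team": [{"full_name": REPO, "permissions": _perms(True, True)}],
}

# Constructed stand-in for the canonical committee roster (e.g. the
# Membership page); `committee_member_x` is a placeholder login.
EXPECTED_COMMITTEE: Set[str] = {"nlharris", "nicolevasilevsky", "matentzn",
                                "committee_member_x"}


def teams_with_admin_on(repo: str, team_repos: Dict[str, List[dict]]) -> Set[str]:
    """Team slugs whose role on `repo` includes Admin."""
    return {slug for slug, repos in team_repos.items()
            for r in repos
            if r["full_name"] == repo and r["permissions"].get("admin")}


def effective_repo_admins(repo: str, team_members: Dict[str, List[str]],
                          team_repos: Dict[str, List[dict]]) -> Set[str]:
    """Logins holding Admin on `repo` through any team (direct grants excluded)."""
    admins: Set[str] = set()
    for slug in teams_with_admin_on(repo, team_repos):
        admins.update(team_members.get(slug, []))
    return admins


def audit(org_owners: List[dict], team_members: Dict[str, List[str]],
          team_repos: Dict[str, List[dict]], repo: str,
          allowed: Set[str]) -> dict:
    """Compare actual Owner/Admin holders against the allow-list."""
    owners = {o["login"] for o in org_owners}
    repo_admins = effective_repo_admins(repo, team_members, team_repos)
    return {
        "unexpected_owners": sorted(owners - allowed),
        "unexpected_repo_admins": sorted(repo_admins - allowed),
        "admin_teams": sorted(teams_with_admin_on(repo, team_repos)),
        # Size of the blast radius for an accidental repo deletion.
        "privileged_principals": len(owners | repo_admins),
    }


def membership_drift(actual: Iterable[str], expected: Iterable[str]) -> dict:
    """Roster cross-check: who is missing from the team, who should not be on it."""
    a, e = set(actual), set(expected)
    return {"missing": sorted(e - a), "extra": sorted(a - e)}


def main() -> None:
    report = audit(ORG_OWNERS, TEAM_MEMBERS, TEAM_REPOS, REPO, PROPOSED_ADMINS)
    for key, value in report.items():
        print(f"{key}: {value}")
    drift = membership_drift(TEAM_MEMBERS["obo-foundry-operations-committee"],
                             EXPECTED_COMMITTEE)
    print(f"committee roster drift: {drift}")


if __name__ == "__main__":
    main()
```

Two caveats when running this against live API output: Admin can also be granted to an individual as a direct collaborator, which no team listing shows, so `GET /repos/{owner}/{repo}/collaborators?affiliation=direct` needs to be folded in before trusting `unexpected_repo_admins`; and the check only stays useful if it is re-run (for instance on a schedule) rather than once, since the thread shows membership drifting back within a year.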

Very nice, thanks a lot for cleaning up!

matentzn avatar Nov 18 '21 17:11 matentzn

In a recent discussion, we noticed that there are still many more owners than there should be. The current proposal is that only the OBO Admin team should be owners.

jamesaoverton avatar Oct 18 '22 16:10 jamesaoverton

That involved a bunch of copy-pasting. I might have made mistakes. @nlharris or @nicolevasilevsky would you mind cross-checking those Team members against the list http://obofoundry.org/docs/Membership.html. Or do we have a more official list somewhere?

I think I missed this (almost a year ago). @jamesaoverton would you still like help with this?

nicolevasilevsky avatar Oct 18 '22 21:10 nicolevasilevsky