User:AKlapper (WMF)/BugzillaAdminPolicy

Note: This is a draft.

This document is meant to be a base for guidelines when to hand out Bugzilla administrator rights.

Incentive
Some users in bugzilla.wikimedia.org have administrator rights and hence more powers than other users. Without guidelines why a user is an administrator, this can create mistrust. Furthermore, having a large number of administrators can create coordination issues.

Guideline
When none of the tasks listed below under "Tasks which require being an administrator" are to be executed by a specific Bugzilla user, handing out a combination of other, more specific Bugzilla group memberships should be done instead of handing out admin and/or editusers group membership. This also helps avoiding a large number of Bugzilla administrators and related coordination issues.

If admin group membership is handed out to individuals who are not employees of the Wikimedia Foundation it is required to sign an NDA first, due to legal requirements (e.g. access to security bugs).

Bugzilla in general
Membership in the Bugzilla admin group is required for the following general tasks:
 * viewing the generated SQL query by using the &debug=1 URL parameter
 * deleting attachments (instead of just marking them as private)
 * editing Bugzilla field values (as there is an 'admin' check in editvalues)
 * editing the bug status workflow
 * editing (or banning/blocking) Bugzilla accounts, e.g. in case of violations against the code of conduct policy (this is inherited from editusers group membership: editusers group membership de facto means admin group membership, as an account with editusers group membership can edit his/her account and set admin group membership.)

The list above is not necessarily complete. (Thanks to Byran Jones (:glob) for input.)

Specific Wikimedia Bugzilla configuration

 * Accessing comments and attachments marked as private requires membership in the insidergroup group. The insidergroup group is currently set to the admin group.

Areas to ignore for Wikimedia Bugzilla
Further areas that needed investigation and turned out to be no problems in case of Wikimedia Bugzilla. Just here for documentational purposes.


 * Inherited Groups: Though Wikimedia Bugzilla does not use the default automatic group membership inclusions (groups that the admin group is a member of) tweakparams, editusers, creategroups, editcomponents, editkeywords for admin, the current configuration (inherited group membership and membership via regexes) creates no further complications.
 * The chartgroup is also unaffected in case of Wikimedia Bugzilla. By default it is set to the admin group in upstream Bugzilla, but in the current Wikimedia Bugzilla configuration (2013/04/19) it is set to editbugs.

Related Bugzilla queries
Accessing these links might require specific Bugzilla group memberships.


 * Bugzilla users with admin group membership
 * Bugzilla users with editusers group membership