Hi all, my organisation is looking at using Phabricator as an internal centrally managed service which will then allow teams within the company to request their own instance or area. To the teams they wouldn't know that they're on a shared instance. If I understand correctly this can be done and is managed via the Spaces feature? I've had a look on the demo instances and the User guide, can someone confirm if this would be the correct process to do so:
- There would be one or more Administrators who would manage the entire instance of Phabricator
- When a new team (team1) requests an area an admin needs to create a project (group) containing the requesting user.
- Then the admin will create a Space "team1_space" that is: Visible to Admins and Editable by "members of project team1"
- Now whatever that user creates is only seen by users within their own space "team1_space" (and the Admins).
- This process is repeated for each requesting team.
With the above:
- What happens when a new member joins my team now? Can I add them directly into that team1 project or do I need an admin to add them? Where do they go after filling in the register with LDAP page?
- Does each space have the concept of Admins?
Sorry if I've completely misunderstood what Spaces is doing here.
This guide should have most of the information you ask about:
I've used Spaces to manage groups allowing them to work exclusively without access to each other's data. To answer your two questions above:
When a new account is created it is not added to any existing groups by default. This means they would not have access to view objects in any space. The account would need to be added to the "team1_space" project. When the admin creates this project (and associates it to the respective space) they should give the creator both View and Edit policies, which allows them to effectively manage access to that space. There is no concept of a Space Admin, but this should be effectively the same thing. The Phabricator administrator should no longer be required to manage membership.
Because new accounts will default to not being a member of any project it may be beneficial to set up a default globally-accessible project and space which consists of only a dashboard. The dashboard would be the first thing a user sees after registering and logging in, and would need to have generic links or information about what to do next (contact the group admin so they can be added).
As of now I don't believe there's any way to automatically manage group membership upon registration or sync memberships based on LDAP. That is a new feature described under T3980. It's an older task which is unlikely to be addressed soon. If this is a highly desired feature you can discuss with Phacility regarding Paid Prioritization.