
Limited access groups
Closed, Resolved | Public

Asked by seporaitis on Jun 20 2014, 2:58 PM.

Details

Use case: I need to give a group of people (contractors) access to:

  • single repository (managed by GitHub) in Diffusion;
  • single project with its Maniphest tasks;
  • be able to create Differential revisions.

I wonder if this can be quickly achieved with current policy infrastructure and if so - where should one start?

Answers

epriestley
Updated 3,594 Days Ago

This is the primary use case covered by T5422. There's no easy way to do it right now.

devurandom
Updated 3,181 Days Ago

We solve this use case by using Spaces:

Precondition: We have a Project (e.g. #employees) containing all employees.

For every group of projects we do with externals (e.g. contractors), we do:

  1. Create a Project containing the contractors (e.g. #contractors)
  2. Create a Space that has Visible-To set to #employees and #contractors
  3. Stuff all Maniphest tasks, etc. into the new Space

For projects which shall be kept secret from other #employees, we follow a different approach:

  1. Create a Project containing the contractors and employees working on it
  2. Create a Space that has Visible-To set to this Project only

Please do not confuse Project for ACL-purposes (which is what I mean here) with Project, as in a goal or a piece of software. A Space using an ACL-style Project in Visible-To can span multiple of the other kind of Projects.

Beware that:

  1. Your contractors will be able to get a list of all user accounts on your instance. This can be somewhat mitigated by T9021: Put User accounts in Spaces so some users can not see one another (see my patch in the comments).
  2. Employees might easily forget to put a task into a space, leaving it inaccessible to the contractors. There is a UI simplification planned (T8442: Build Space switching UI) and I wrote a crude patch (P1834) to make life easier for our users, until T8442 is implemented.
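
Added example, not part of devurandom's answer or of Phabricator itself: a small audit for the second caveat above, run over task records shaped like Conduit `maniphest.search` results. It assumes contractor-facing work carries a known project tag; the PHIDs, the tag set and the sample tasks are constructed placeholders.

```python
# Constructed sample shaped like Conduit `maniphest.search` results fetched with
# the "projects" attachment. Every PHID here is a made-up placeholder.
CONTRACTOR_SPACE = "PHID-SPCE-contractors-example"
DEFAULT_SPACE = "PHID-SPCE-default-example"
SHARED_WORK = {"PHID-PROJ-widget-example"}  # assumption: tags marking contractor-facing work


def _task(task_id, name, space, projects):
    """Build one constructed task record in the maniphest.search layout."""
    return {"id": task_id,
            "fields": {"name": name, "spacePHID": space},
            "attachments": {"projects": {"projectPHIDs": projects}}}


SAMPLE_TASKS = [
    _task(101, "Fix login form", CONTRACTOR_SPACE, ["PHID-PROJ-widget-example"]),
    _task(102, "Update API docs", None, ["PHID-PROJ-widget-example"]),
    _task(103, "Payroll export", DEFAULT_SPACE, ["PHID-PROJ-internal-example"]),
    _task(104, "Refactor widget", DEFAULT_SPACE,
          ["PHID-PROJ-widget-example", "PHID-PROJ-internal-example"]),
    _task(105, "Vendor pricing notes", CONTRACTOR_SPACE, ["PHID-PROJ-internal-example"]),
]


def audit_space_placement(tasks, shared_work, contractor_space):
    """Report tasks contractors cannot see and tasks they may see by mistake."""
    hidden, exposed = [], []
    for task in tasks:
        fields = task.get("fields", {})
        projects = task.get("attachments", {}).get("projects", {})
        tags = set(projects.get("projectPHIDs") or [])
        in_space = fields.get("spacePHID") == contractor_space
        is_shared = bool(tags & shared_work)
        if is_shared and not in_space:
            hidden.append(task["id"])   # shared work filed outside the Space
        elif in_space and not is_shared:
            exposed.append(task["id"])  # in the Space without a shared-work tag
    return {"hidden_from_contractors": hidden, "review_for_exposure": exposed}


if __name__ == "__main__":
    report = audit_space_placement(SAMPLE_TASKS, SHARED_WORK, CONTRACTOR_SPACE)
    for finding, ids in report.items():
        print(finding, ["T%d" % i for i in ids])
```

The second list matters as much as the first: a task placed in the contractor-visible Space without a shared-work tag may be exposing internal material and is worth a manual look.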
