Use case: I need to give a group of people (contractors) access to:
- single repository (managed by GitHub) in Diffusion;
- single project with its Maniphest tasks;
- be able to create Differential revisions.
I wonder if this can be quickly achieved with current policy infrastructure and if so - where should one start?
We solve this use case by using Spaces:
Precondition: We have a Project (e.g. #employees) containing all employees.
For every group of projects we do with externals (e.g. contractors), we do:
- Create a Project containing the contractors (e.g. #contractors)
- Create a Space that has Visible-To set to #employees and #contractors
- Stuff all Maniphest tasks, etc. into the new Space
For projects which shall be kept secret from other #employees, we follow a different approach:
- Create a Project containing the contractors and employees working on it
- Create a Space that has Visible-To set to this Project only
Please do not confuse Project for ACL-purposes (which is what I mean here) with Project, as in a goal or a piece of software. A Space using an ACL-style Project in Visible-To can span multiple of the other kind of Projects.
- Your contractors will be able to get a list of all user accounts on your instance. This can be somewhat mitigated by T9021: Put User accounts in Spaces so some users can not see one another (see my patch in the comments).
- Employees might easily forget to put a task into a space, leaving it inaccessible to the contractors. There is a UI simplification planned (T8442: Build Space switching UI) and I wrote a crude patch (P1834) to make life easier for our users, until T8442 is implemented.
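
The two Space layouts from the answer above, plus a check for its last caveat (a task left outside the contractor Space), as an added example that is not part of the original post and is not Phabricator code. It is a simplified model: all user, Space and task names are constructed, the default Space is assumed to be visible to #employees only, and per-object policies are ignored.

```python
# Simplified model of the Spaces layout described above (not Phabricator code).
# Assumption: a user sees an object only if they belong to at least one of the
# ACL-style Projects in the Visible-To of the object's Space; per-object
# policies are ignored here.

# Constructed sample data; all names are hypothetical.
MEMBERS = {
    "#employees": {"alice", "bob", "erin"},
    "#contractors": {"carol", "dave"},
    "#secret-team": {"alice", "carol"},
}
SPACES = {
    "S1 Default": {"#employees"},                     # assumed employees-only
    "S2 Contractor": {"#employees", "#contractors"},  # first layout
    "S3 Secret": {"#secret-team"},                    # second layout
}
TASKS = [
    {"id": "T101", "space": "S2 Contractor", "tags": {"#webshop"}},
    {"id": "T102", "space": "S1 Default", "tags": {"#webshop"}},  # forgotten
    {"id": "T103", "space": "S3 Secret", "tags": {"#skunkworks"}},
    {"id": "T104", "space": "S1 Default", "tags": {"#intranet"}},
]

def can_view(user, space):
    """True if the user is in any ACL Project listed in the Space's Visible-To."""
    return any(user in MEMBERS[p] for p in SPACES[space])

def visible_tasks(user):
    """Sorted ids of the tasks whose Space the user can see."""
    return sorted(t["id"] for t in TASKS if can_view(user, t["space"]))

def misplaced_tasks(work_tag, acl_project):
    """Tasks tagged with a work Project that at least one member of the
    ACL Project cannot see, i.e. tasks left outside the intended Space."""
    flagged = []
    for t in TASKS:
        if work_tag in t["tags"]:
            blocked = sorted(u for u in MEMBERS[acl_project]
                             if not can_view(u, t["space"]))
            if blocked:
                flagged.append((t["id"], t["space"], blocked))
    return flagged

if __name__ == "__main__":
    for user in ("bob", "carol", "dave"):
        print(user, visible_tasks(user))
    print(misplaced_tasks("#webshop", "#contractors"))
```
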