We are trying to delegate the management of access to our Phabricator install, so I create an "access" project and set the People application so that members of this project can create new (non-bot) accounts. I then realized, however, that this permission does not allow re-enabling disable accounts. We had an intern who left for a while and then came back, and members of the "access" project could not re-enable this access.
Description
Description
Event Timeline
Comment Actions
I'd rather not. We have a lot of staff who manage access and most of them I don't want poking around as an admin.
Comment Actions
A couple of things offhand:
- ability to modify configuration
- ability to install/uninstall applications
- ability to change policies
Mostly its probably more so that I don't want people fiddling with things that they don't understand.l rather than any specific security concerns. This is possibly more of a cultural problem than a technical one.
Comment Actions
It sounds like we could possibly resolve this by letting you change application edit policies instead, which I intend to do eventually. That said, I don't think adding an enable/disable policy is necessarily unreasonable, and it's generally in the vein of other similar policies.