Changeset View
Changeset View
Standalone View
Standalone View
src/docs/user/userguide/unlocking.diviner
- This file was added.
@title User Guide: Unlocking Objects | |||||
@group userguide | |||||
Explains how to access locked or invisible objects and accounts. | |||||
Overview | |||||
======== | |||||
Phabricator tries to make it difficult for users to lock themselves out of | |||||
things, but you can occasionally end up in situations where no one has access | |||||
to an object that you need access to. | |||||
For example, sometimes the only user who had edit permission for something has | |||||
left the organization, or you configured a "Phase of the Moon" policy rule and | |||||
the stars aren't currently aligned. | |||||
You can use various CLI tools to unlock objects and accounts if you need to | |||||
regain access. | |||||
Unlocking Accounts | |||||
================== | |||||
If you need to regain access to an object, the easiest approach is usually to | |||||
recover access to the account which owns it, then change the object policies | |||||
to be more open using the web UI. | |||||
For example, if an important task was accidentally locked so that only a user | |||||
who is currently on vacation can edit it, you can log in as that user and | |||||
change the edit policy to something more permissive. | |||||
To regain access to an account: | |||||
``` | |||||
$ ./bin/auth recover <username> | |||||
``` | |||||
If the account you're recovering access to has MFA or other session prompts, | |||||
use the `--force-full-session` to bypass them: | |||||
``` | |||||
$ ./bin/auth recover <username> --force-full-session | |||||
``` | |||||
In either case, the command will give you a link you a one-time link you can | |||||
use to access the account from the web UI. From there, you can open up objects | |||||
or change settings. | |||||
Unlocking MFA | |||||
============= | |||||
You can completely strip MFA from a user account with: | |||||
``` | |||||
$ ./bin/auth strip --user <username> ... | |||||
``` | |||||
For detailed help on managing and stripping MFA, see the instructions in | |||||
@{article:User Guide: Multi-Factor Authentication} | |||||
Unlocking Objects | |||||
================= | |||||
If you aren't sure who owns an object, or no user account has access to an | |||||
object, you can directly change object policies from the CLI: | |||||
``` | |||||
$ ./bin/policy unlock <object> [--view ...] [--edit ...] [--owner ...] | |||||
``` | |||||
To identify the object you want to unlock, you can specify an object name (like | |||||
`T123`) or a PHID as the `<object>` parameter. | |||||
Use the `--view` and `--edit` flags (and, for some objects, the `--owner` | |||||
flag) to specify new policies for the object. | |||||
For example, to make task `T123` editable by user `@alice`, run: | |||||
``` | |||||
$ ./bin/policy unlock T123 --edit alice | |||||
``` | |||||
Not every object has mutable view and edit policies, and not every object has | |||||
an owner, so each flag only works on some types of objects. | |||||
From here, you can log in to the web UI and change the relevant policies to | |||||
whatever you want to set them to. | |||||
No Enabled Users | |||||
================ | |||||
If you accidentally disabled all administrator accounts, you can enable a | |||||
disabled account from the CLI like this: | |||||
``` | |||||
$ ./bin/user enable --user <username> | |||||
``` | |||||
From here, recover the account or log in normally. | |||||
No Administrators | |||||
================= | |||||
If you accidentally deleted all the administrator accounts, you can empower | |||||
a user as an administrator from the CLI like this: | |||||
``` | |||||
$ ./bin/user empower --user <username> | |||||
``` | |||||
This will upgrade the user account from a regular account to an administrator | |||||
account. |