Restrict who can create batch changes (needs RBAC)

[malomarrec]

Problem statement

Some of our customers operate in regulated industries and have compliance requirements to limit access to creating batch changes to only some users.

Problem validation / why

Our initial reaction to this request was that :

• Permission issue: Batch Changes, when set up properly, map code hosts permissions and do not give more access to users than they already have without batch changes.
• PR spam issue: any developer can script out opening many changesets

We have verified that this was clear to those customers and confirmed that they still need to control access to batch changes to meet compliance goals. The customer's perception is that enabling developers to access a tool that makes it easier to automate creating many changesets increases risk and creates a compliance issue.

Other concerns

We were initially concerned that this could slow down adoption and have a business impact. This was mitigated by making sure all users can view batch changes, and only creating batch changes is optionally restricted.

Customers

The customers are currently blocked:

• https://github.com/sourcegraph/accounts/issues/579
• https://github.com/sourcegraph/accounts/issues/1
• https://github.com/sourcegraph/accounts/issues/3
• https://github.com/sourcegraph/accounts/issues/8613

There's no way we're going to give x,000 engineers the ability to deploy changes across all our repositories

• https://github.com/sourcegraph/accounts/issues/8243
  Also see product gap.

Solution

MVP:

• Allow site-admins to optionally whitelist who can create batch changes. If a restrictBatchChangesAccess is set with a list of allowListed users, then creating Batch Changes is restricted to those users. What does that mean:
  • Running a preview with src-cli gives an error message Creating batch changes has been restricted to some users only, you should contact your admin to get access.
  • The create batch change button is disabled with an infobox and the same message
  • The Create batch change button on the search page is hidden (as well as any other buttons that prompt to create batch changes from another context)
  • All bulk actions / any edit action are disabled
  • The Batch Changes dashboard and batch change page are still visible, as well as non-edit src batch commands

[malomarrec]

Update: the IAM team is focusing on repo permissions this quarter, and not on RBAC building blocks. This is likely to be postponed until they get back to RBAC.

[malomarrec]

We've now reached a critical mass of requests on this issue. I think we can start designing it after 4.0, but implementation still depends on user management / RBAC being available or at least scoped out in order to avoid creating an inconsistent / unmaintainable admin experience.

[chrispine]

sounds like P2?

[malomarrec]

I'd say that the one thing we can work on this sprint, except the scope for 4.0 and current priorities.

[chrispine]

After scoping, we should create another ticket with the agreed-upon actual work

[malomarrec]

@chrispine should this be assigned to someone?

[chrispine]

@malomarrec I don't think anyone has capacity to do it this sprint, and it will get assigned to someone in the next sprint. If we want to move it into this sprint, we need to move something else out. But with vacation/conference/Lattice, we are already stretched pretty thin this sprint.

[chrispine]

assigned this to myself, as we need to decide what the priority of RBAC is and how that fits into strategic-readiness

[chrispine]

Path forward:

• We enumerate the BC team's needs for (some part of) RBAC
• We set up a meeting with Petri and Raf G (and/or start an RFC) to determine a general direction as well as which parts of this the BC team will work on
• We break down and estimate (roughly) what kind of investment we're talking about, and prioritize accordingly