Explicit repo permissions for Sourcegraph organizations (as well as users)

[dadlerj]

Requested by https://app.hubspot.com/contacts/2762526/company/554338610

They were wondering if there was a way to enforce permissions at the group level (so they could add/remove people from groups to control access). We don't offer this, as far as I know (and I worry about the fact that Sourcegraph org members are allowed to add/remove others? I'm not sure if orgs have the proper security around them), so I assume this would require new development.

Curious what you think about this proposal @unknwon, and how difficult it would be to support? Not high priority yet, but wanted to get on your radar.

[unknwon]

They were wondering if there was a way to enforce permissions at the group level (so they could add/remove people from groups to control access).

Could they be more specific? Currently we don't have relations between repositories and Sourcegraph organizations, thus how/where do we define the set of repositories they want to enforce permissions?

Sounds like they should just be able to use permissions API which let them define what access control to each repository is.

I worry about the fact that Sourcegraph org members are allowed to add/remove others? I'm not sure if orgs have the proper security around them

Yes right now the Sourcegraph org authz model isn't "secure" at all, everyone is an org admin 😅

[dadlerj]

Could they be more specific? Currently we don't have relations between repositories and Sourcegraph organizations, thus how/where do we define the set of repositories they want to enforce permissions?

👍 yeah that's what I thought

Yes right now the Sourcegraph org authz model isn't "secure" at all, everyone is an org admin 😅

And again, that's what I feared

Sounds like they should just be able to use permissions API which let them define what access control to each repository is.

Yes, this was our recommendation, but I think there were hoping for a more lightweight way to do this (perhaps in the UI) for testing purposes. I think they'll end up using this in the long-term though.

[unknwon]

..., but I think there were hoping for a more lightweight way to do this (perhaps in the UI) for testing purposes.

Having UI for permissions API feels align with the long-term goal/wish of it, though it is a non-trivial project for design though.

[ElizabethStirling]

I'd like to weigh in on this - I think this kind of permissions infrastructure could be very important for securing code on cloud. Most obvious concern is that nobody but Sourcegraph employees could be site admins, since site admins could reset the password of any arbitrary user, sign in as them, and completely compromise any other organization's private code. I think we should be having a discussion around RBAC, since it seems to be something our customers want, and something that would be an enabler for cloud security.

[github-actions]

Heads up @tsenart - the "team/cloud" label was applied to this issue.

[tsenart]

cc @ryanslade Is this covered by upcoming org work for Cloud?

[ryanslade]

We are only planning on adding the idea of an org admin. Org admins are members of an org who can:

Add / remove members
Add code host connections
Promote other members to org admin