Herald: Policy setting to allow users to view but only admin to create/edit?

Is there currently a way to allow users to view Herald rules, but not create new ones nor edit existing? I was looking through policy settings, but didn’t see such an option. It seemed “use app” was view/create/edit permission. Did I miss it? Thanks!

Why: We have a fluctuating user base, and when someone leaves, admins don’t have an easy way to commandeer / disable personal Herald rules. I have previously tried going into the DB and changing ruleType to “global”, but I’m not sure if that can break anything? (It does seem to let me edit it as an administrator though.)

Is there currently a way to allow users to view Herald rules, but not create new ones nor edit existing?

Not currently.

…admins don’t have an easy way to commandeer / disable personal Herald rules.

Disabling a user’s account disables their personal rules.

Also, as of the most recent stable release, operators can disable a rule with:

phabricator/ $ ./bin/herald rule --disable --rule H123

This requires CLI access and the driving use case is intervening to temporarily disable rules which are causing some sort of active problem (e.g., because they contain a poorly written regex which is backtracking explosively), but this might be a useful tool in managing rules more generally.

Great, both those options will serve my needs!

Do you think there is any danger in what I did with going into the DB and changing ruleType to “global” for some rules (from “personal”)?

This isn’t ideal, but is unlikely to cause any problems.

Personal and Global rules have different actions available (for example, Personal rules can “Send me an email”, but Global rules “Send an email to: …”), so turning a Personal rule into a Global rule can create an “impossible” rule: a rule with actions which cannot normally be selected. I don’t think this will cause any actual problems, though, beyond possible confusion.

Ok. That makes sense. I’ll be aware to update any “me” rules if/when I use this method. Hopefully I won’t need to use this method in production though. (I’m doing all this work on our staging server to check out all the changes that accumulated over the course of the year, and find out what I’ll need to do to deploy the production server.) Thanks again!