Restrict access to projects, add users to spaces

Dear all,

I tried finding something here and also on secure.phabricator.com about my question, which is:

How can I restrict access to projects to certain users?

I created spaces but cannot see how to add a project to a space. And also adding a user to a space I could not find out how to do.

Any help would be appreciated.

Best
Karin

You can set the visibility of the project by editing it, but it might not do what you want it to do - see https://secure.phabricator.com/book/phabricator/article/projects/ for details.

Hi avivey,

Thanks for your feedback.
Indeed, the link you sent I had already studied before. I have also studied many other pages of the user guide about how Policies work in Phabricator. But none of them provided insight on how to limit visibility of a project.

I tried finding something in Phabricator itself, e.g. Managing a project: There is no setting relating to visibility or relating to Spaces.

So it seems that it is not possible to limit visibility & access to a project? I wonder how to use Phabricator with different customers - each customer should only have access to his own project and not see the other projects…

Cheers
Karin

Sounds like what you’re looking for is Spaces - assign each task and object to a space, and assign users to their spaces.

This use-case is explicitly mentioned in https://secure.phabricator.com/book/phabricator/article/spaces/ - use spaces to separate clients from one another.
You can use custom forms to set the Space of new tasks to the right value.

There certainly is a setting relating to visibility in the Project settings, but you are correct that there is no support for Spaces in Projects.

If you set Projects to joinable by “No One”, and visible to “Project Members”, you can control visibility by assigning people yourself (or anyone that is given editable by rights).

That sounds like a plan, thanks!

If I may, there is one more question, which is very important: What about the tasks which are created within a project. Currently everybody can see every task, even when the project within which the task is created has limited visibility to Project Members, only. Is there a way to achieve the following: When a task is linked to a project, which has limited visibility to Project Members, then this task should also have limited visibility only to PMs? (I did not find a way in the manuals/help of Phabricator about that.)

I did find that when I create a task, I can limit its visibility (see image below) but that of course should not be done by the user (he would see all other projects/spaces and that's very bad, too).

Projects don’t imply visibility, and tasks are not “within a project” but are “tagged with a project”.
The right tool for this is Spaces.
I think you can create Custom Forms that lock the visibility to certain spaces, and only allow users to use these forms to create tasks. Each form will be available only to the users that are allowed to view the relevant space.
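
Since tagging a task with a project does not change who can view it, as the reply above explains, one way to catch the gap is to audit tasks that carry a restricted project's tag but sit outside that customer's Space. This is an added example, not part of the thread or of Phabricator itself; the record layout (modelled on Conduit `maniphest.search` results), the project-to-Space inventory, all PHIDs and the helper names are assumptions, and the sample data is constructed.

```python
# Added audit sketch. Records are constructed and only modelled on Conduit
# `maniphest.search` results; field layout and all PHIDs are assumptions.
BROAD_VIEW_POLICIES = {"public", "users"}  # anyone / any logged-in user

# Hypothetical inventory: restricted customer project -> the Space its tasks belong in.
PROJECT_TO_SPACE = {
    "PHID-PROJ-customer-a": "PHID-SPCE-customer-a",
    "PHID-PROJ-customer-b": "PHID-SPCE-customer-b",
}

SAMPLE_TASKS = [  # constructed sample data
    {"id": 101, "fields": {"spacePHID": None, "policy": {"view": "users"}},
     "attachments": {"projects": {"projectPHIDs": ["PHID-PROJ-customer-a"]}}},
    {"id": 102, "fields": {"spacePHID": "PHID-SPCE-customer-a", "policy": {"view": "users"}},
     "attachments": {"projects": {"projectPHIDs": ["PHID-PROJ-customer-a"]}}},
    {"id": 103, "fields": {"spacePHID": None, "policy": {"view": "PHID-PROJ-customer-b"}},
     "attachments": {"projects": {"projectPHIDs": ["PHID-PROJ-customer-b"]}}},
    {"id": 104, "fields": {"spacePHID": "PHID-SPCE-customer-a", "policy": {"view": "users"}},
     "attachments": {"projects": {"projectPHIDs": ["PHID-PROJ-customer-b"]}}},
    {"id": 105, "fields": {"spacePHID": None, "policy": {"view": "public"}},
     "attachments": {"projects": {"projectPHIDs": []}}},
]

def audit_task(task, project_to_space=PROJECT_TO_SPACE):
    """Return a list of findings for one task record (empty list = OK)."""
    fields = task["fields"]
    space = fields.get("spacePHID")
    view = fields["policy"]["view"]
    tags = task.get("attachments", {}).get("projects", {}).get("projectPHIDs", [])
    findings = []
    for project in tags:
        expected_space = project_to_space.get(project)
        if expected_space is None:
            continue  # tag is not a restricted customer project
        if space == expected_space:
            continue  # the Space already confines the task
        if space in project_to_space.values():
            findings.append(f"T{task['id']}: tagged {project} but filed in another customer's Space {space}")
        elif view in BROAD_VIEW_POLICIES:
            findings.append(f"T{task['id']}: tagged {project} but view policy is '{view}' outside its Space")
    return findings

def audit(tasks):
    """Collect findings across all task records."""
    return [finding for task in tasks for finding in audit_task(task)]

if __name__ == "__main__":
    for line in audit(SAMPLE_TASKS):
        print(line)
```

A task whose view policy is the project itself (T103 in the sample) is not flagged, because only project members can see it even though it is outside a Space.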

I wrestled with this a lot when initially setting our Phabricator instance. I have to say that the access controls are a little “all over the place”.

  • Spaces cover most of the stuff, but not all, and it’s not immediately clear why for example projects are not covered by them.
  • Projects DO have access control with visibilities, but since they don’t use Spaces, one needs to set up “access control list projects” which can be used to manage access in a somewhat central way, and then make sure those are used for each project.
  • Wiki doesn’t support Spaces either, so one needs to set up the “ACL projects” access control also there.
  • As far as I know, wiki editing doesn’t even use Forms like project creation/editing uses, so with wikis the handling is yet different from projects on higher level, i.e. setting up the document trees so that all parent documents have proper access rights. And hope that your users use the access controls properly when creating new wiki documents…
  • As icing on the cake, Differential Revisions do not support Spaces. Upon further inspection, hey, they actually don’t need to, because they apparently inherit the access properties of their linked repositories. While not as bad a problem as the others, this is yet another confusion to my poor users if they stumble upon this.

With all that set up, it seems that our access controls work as they should, but boy is it a pain to set that up. Just having everything support spaces would be needed to call Phabricator’s access controls “production ready”, in my humble opinion. There’s much too much manual fiddling with the different parts now, making the process too error-prone by a mile.

I have the exact same challenge. This is almost so bad that we have to reconsider this product. Multiple contributors within Wiki, and this is doomed to fail, and cause errors. Must be something someone will improve. Thanks

GT