Review rights global Sysadmin group has
Open, Low


Because we don't do T&S anymore and there's no need for a lot of them.

Event Timeline

RhinosF1 triaged this task as Normal priority. May 9 2021, 16:18
RhinosF1 created this task.
RhinosF1 moved this task from Radar to Discussion on the Site Reliability Engineering board.
Reception123 lowered the priority of this task from Normal to Low. May 9 2021, 16:20

I'm not really sure much needs removed here. Most rights I see are useful for sysadmins to have for debugging purposes. The only ones that may be good to remove are centralauth-rename and centralauth-usermerge but even those have been used for debugging before, but potentially could be removed and re-added as needed, though as long as system administrators never use on-wiki rights without authorisation or for debugging purposes they shouldn't be much of a problem. Just my thought-process here. Ultimately not up to me.

I was going to review most of them but indeed I do find that a lot of them are useful for debugging purposes (i.e. edit is very useful for debugging, delete too as there are issues with files being deleted, protect is useful to be able to see if changes made to LS.php have worked properly). I think when I have time I'll try to review each right individually and see what there's really not a justification to keep. The two rights mentioned above indeed were only added for GDPR renames afaik and can be removed.

@Reception123: any progress on reviewing the rights? I do think this should be done so we don't have unnecessary ones.

I will shortly review each permission and see if we need them or not. For now adding the list here. Most of them are useful for error debugging and/or assisting users but we'll probably be able to get rid of some.

View log entries of abuse filters marked as private (abusefilter-log-private)
Create or modify abuse filters (abusefilter-modify)
Modify abuse filters with restricted actions (abusefilter-modify-restricted)
Revert all changes by a given abuse filter (abusefilter-revert)
View abuse filters (abusefilter-view)
View abuse filters marked as private (abusefilter-view-private)
Use higher limits in API queries (apihighlimits)
Automatically log in with an external user account (autocreateaccount)
Have one's own edits automatically marked as patrolled (autopatrol)
Delete pages with large histories (bigdelete)
Block other users from editing (block)
Block a user from sending email (blockemail)
Search deleted pages (browsearchive)
Lock or unlock global account (centralauth-lock)
Rename global accounts (centralauth-rename)
Globally merge multiple users (centralauth-usermerge)
Manage central notices (centralnotice-admin)
Administrate user-submitted comments (commentadmin)
Create new user accounts (createaccount)
Create pages (which are not discussion pages) (createpage)
Delete pages (delete)
delete-dump (delete-dump)
Delete a Cargo table (deletecargodata)
View deleted history entries, without their associated text (deletedhistory)
View deleted text and changes between deleted revisions (deletedtext)
Delete and undelete specific log entries (deletelogentry)
Delete and undelete specific revisions of pages (deleterevision)
Edit pages (edit)
Edit the content model of a page (editcontentmodel)
Edit incident reports (editincidents)
Edit the user interface (editinterface)
Edit your own preferences (editmyoptions)
Edit your own private data (e.g. email address, real name) (editmyprivateinfo)
Edit your own user CSS files (editmyusercss)
Edit your own user JavaScript files (editmyuserjs)
Edit your own user JSON files (editmyuserjson)
Edit your own watchlist (note that some actions will still add pages even without this right) (editmywatchlist)
Update other users' social profiles (editothersprofiles)
View and update private information (email address) in other users' social profiles (editothersprofiles-private)
Edit pages protected as "Allow only administrators" (editprotected)
Edit pages protected as "Allow only autoconfirmed users" (editsemiprotected)
Edit sitewide CSS (editsitecss)
Edit sitewide JavaScript (editsitejs)
Edit sitewide JSON (editsitejson)
Edit other users' CSS files (editusercss)
Edit other users' JavaScript files (edituserjs)
Edit other users' JSON files (edituserjson)
Create Structured Discussions boards in any location (flow-create-board)
generate-dump (generate-dump)
Generate random username hashes (generate-random-hash)
Edit membership to global groups (globalgroupmembership)
Manage global groups (globalgrouppermissions)
Import pages from other wikis (import)
Import pages from a file upload (importupload)
Edit interwiki data (interwiki)
Bypass IP blocks, auto-blocks and range blocks (ipblock-exempt)
Manage wiki settings (managewiki)
Manage default group permissions (managewiki-editdefault)
Manage restricted wiki settings (managewiki-restricted)
Edit multiple pages using a spreadsheet (multipageedit)
Manage OAuth consumers (mwoauthmanageconsumer)
Manage OAuth grants (mwoauthmanagemygrants)
Propose new OAuth consumers (mwoauthproposeconsumer)
Suppress OAuth consumers (mwoauthsuppress)
Update OAuth consumers you control (mwoauthupdateownconsumer)
View private OAuth data (mwoauthviewprivate)
View suppressed OAuth consumers (mwoauthviewsuppressed)
Register newsletters (newsletter-create)
Delete newsletters (newsletter-delete)
Add or remove publishers or subscribers from newsletters (newsletter-manage)
Restore a newsletter (newsletter-restore)
Not be affected by rate limits (noratelimit)
Mass delete pages (nuke)
Query and validate OATH information for self and others (oathauth-api-all)
Disable two-factor authentication for a user (oathauth-disable-for-user)
Enable two-factor authentication (oathauth-enable)
Mark others' edits as patrolled (patrol)
View recent changes patrol marks (patrolmarks)
Limit actions that can be performed for some groups for a limited time (protectsite)
Read pages (read)
Recreate data contained in Cargo tables (recreatecargodata)
Quickly rollback the edits of the last user who edited a particular page (rollback)
Run arbitrary Cargo queries (runcargoqueries)
Perform CAPTCHA-triggering actions without having to go through the CAPTCHA (skipcaptcha)
View the spam blacklist log (spamblacklistlog)
Override the title or username blacklist (tboverride)
Override the username blacklist (tboverride-account)
View title blacklist log (titleblacklistlog)
Bypass automatic blocks of Tor exit nodes (torunblocked)
Unblock oneself (unblockself)
Undelete a page (undelete)
Update edit counts (updatepoints)
Upload files (upload)
Upload files from a URL (upload_by_url)
Merge users (usermerge)
view-dump (view-dump)
View global files filtered from private wikis (viewglobalprivatefiles)
View incident reports (viewincidents)
View your own private data (e.g. email address, real name) (viewmyprivateinfo)
View your own watchlist (viewmywatchlist)
Use of the write API (writeapi)