Authorization Group

Planning

Our Planning issues are the single source of truth (SSOT) for what we’re working on now and what we’re working on next. We also have an issue board to view these from a workflow perspective. To maintain the issue lists, leadership (EM+PM) will keep the lists triaged.

Label | Definition
~workflow::ready for development | Ready to be picked up by an engineer. ~priority::1 being the highest priority.
~workflow::scheduling or lacking a ~workflow label | Shouldn’t be picked up by an engineer and needs to be triaged by leadership. If leadership has no intention of this work being done anytime soon, they should assign the ~Backlog milestone.
~workflow::refinement | Needs further investigation by engineering. After refinement, an issue should have a weight assigned and the workflow label should be updated to ~workflow::scheduling.
~workflow::solution validation | Needs Product input before work can begin.
~workflow::design | Needs design input to proceed and/or is actively being worked on by UX.

Code Review

Because this group works on components of the application that have a far-reaching impact, we take these extra steps in order to reduce our risk of a production incident:

  1. Our team’s merge requests should be assigned to another Authorization team member for first review in order to build more institutional knowledge across the team. This review should be done as a reviewer. The Authorization approval counts as the approval matching the role of the Authorization Reviewer, e.g. having a Backend Review from Authorization counts as a Backend Review. Once approved, the Authorization Reviewer should request a review from a Maintainer from the appropriate maintainer category.
  2. Authorization-related merge requests (those touching code related to custom roles and policies) require a review by an Authorization Engineer. This is guarded by using the CODEOWNERS feature of GitLab.

Group Members

Members of the Authorization group can be @-mentioned on GitLab with @gitlab-org/govern/authorization.

The following people are permanent members of the group:

Name | Role
Alex Buijs | Senior Fullstack Engineer, Govern:Authorization
Daniel Tian | Senior Frontend Engineer, Govern:Authorization
Hinam Mehra | Fullstack Engineer, Govern:Authorization
Jarka Košanová | Staff Backend Engineer, Govern:Authorization
Jay Swain | Engineering Manager, Govern:Authorization and Anti-abuse
Joe Randazzo | Product Manager, Govern:Authorization
Mo Khan | Senior Backend Engineer, Govern:Authorization

Team Meetings

Our group holds synchronous meetings to gain additional clarity and alignment on our async discussions. We aspire to record all of our meetings, as our team members are spread across several time zones and often cannot attend at the scheduled time.

We have a weekly team sync meeting with rotating AMER/APAC and EMEA/AMER friendly time slots: Tues 20:00 UTC and Weds 14:30 UTC.