Thibault Martin commented:
In my understanding we need to have three "trust levels" regarding our infrastructure:
- Anonymous - no account created
- Community - people who have created an account, but are not part of the Foundation
- Foundation - foundation members
We also need a list of all the services (not only applications, but the service provided) we provide, and map the trust level we have for each.
A silly example:
| Application | Anonymous | Community | Foundation |
|---|---|---|---|
| Gitlab | Nothing | Create repos | Create repos |
| Nextcloud Files | Nothing | 0GB quota | 1GB quota |
| Nextcloud Office | Nothing | Read documents shared | Create and share |
| Rocket Chat | Nothing | Chat | Create channels |
| Discourse | Read topics | Create topics | Create topics |
I think @averi could provide a list of the apps we host, and I can certainly make it a list of services we provide. That would be the very first step.
If we had unlimited time and people to work on this I’d draft the following roadmap:
- For each application we have, check if we can bind an existing local account to a LDAP account
- Set up an SSO to allow user-friendly workflows with self-service registration and password reset
- Communicate on our different services to ask non-LDAP users to register for a "GNOME Community Account" and link to the table as above so they understand what such an account will bring them; and announce that non-LDAP accounts will no longer be usable
- Close registration on all the services except through the SSO
- Give users a way to reconcile their local accounts with their new LDAP account (which, to be scaled, must be automatable, which probably means some development should be carried out)
- Make all our hosted services exclusively use either the SSO (recommended) or the LDAP (if SSO is not available)
Its feasibility depends on the time Andrea and Bart have.
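The "reconcile local accounts with LDAP accounts, in an automatable way" step above is the one most likely to need code. As an added example (not GNOME infrastructure code, and not from the comment's author), the following sketch matches local service accounts to LDAP entries by verified e-mail address and refuses to auto-link anything ambiguous. The record layouts (local accounts as dicts with `username`, `email`, `email_verified`; LDAP entries as dicts with `uid` and a list `mail`) and the sample data are constructed assumptions.

```python
"""Map existing local service accounts to LDAP accounts by e-mail.

Added example for the roadmap step "give users a way to reconcile their
local accounts with their new LDAP account". The data shapes below are
assumptions, not the format of any real GNOME service export.
"""
from dataclasses import dataclass, field


@dataclass
class ReconciliationPlan:
    links: dict = field(default_factory=dict)       # local username -> LDAP uid (safe to link)
    unverified: list = field(default_factory=list)  # local accounts whose e-mail was never verified
    unmatched: list = field(default_factory=list)   # no (or no unique) LDAP entry for the e-mail
    conflicts: dict = field(default_factory=dict)   # LDAP uid -> several local usernames claim it


def normalize(email):
    """Case-fold and trim so 'Alice@Example.org ' and 'alice@example.org' match."""
    return email.strip().lower()


def reconcile(local_accounts, ldap_entries):
    """Return a ReconciliationPlan; only unambiguous, verified matches go in `links`.

    Linking on an unverified e-mail is the classic account-takeover hole:
    anyone can register a local account with someone else's address and
    would inherit that person's LDAP identity. Such accounts are reported
    for manual follow-up instead of being linked.
    """
    by_mail = {}
    for entry in ldap_entries:
        for mail in entry.get("mail", []):
            # Two LDAP entries sharing an address is a directory problem; we
            # record both uids so the account ends up in `unmatched`, not linked.
            by_mail.setdefault(normalize(mail), set()).add(entry["uid"])

    plan = ReconciliationPlan()
    claimed = {}  # LDAP uid -> local usernames that resolved to it
    for acct in local_accounts:
        if not acct.get("email_verified"):
            plan.unverified.append(acct["username"])
            continue
        uids = by_mail.get(normalize(acct["email"]), set())
        if len(uids) != 1:
            plan.unmatched.append(acct["username"])
            continue
        claimed.setdefault(next(iter(uids)), []).append(acct["username"])

    # One local account per LDAP identity links cleanly; several claiming the
    # same uid (e.g. an old and a new account) need a human to pick one.
    for uid, names in claimed.items():
        if len(names) == 1:
            plan.links[names[0]] = uid
        else:
            plan.conflicts[uid] = names
    return plan


# Constructed sample data for a dry run.
SAMPLE_LOCAL = [
    {"username": "alice", "email": "Alice@Example.org", "email_verified": True},
    {"username": "bob", "email": "bob@example.org", "email_verified": False},
    {"username": "carol", "email": "carol@example.org", "email_verified": True},
    {"username": "dave1", "email": "dave@example.org", "email_verified": True},
    {"username": "dave2", "email": "dave@example.org", "email_verified": True},
]
SAMPLE_LDAP = [
    {"uid": "alice", "mail": ["alice@example.org"]},
    {"uid": "dave", "mail": ["dave@example.org", "d.smith@example.org"]},
    {"uid": "erin", "mail": ["erin@example.org"]},
]

if __name__ == "__main__":
    print(reconcile(SAMPLE_LOCAL, SAMPLE_LDAP))
```

Run against a real export, the `links` set is what an automated job may apply; `unverified`, `unmatched` and `conflicts` are the lists to hand to the self-service flow or to an admin, which is the "must be automatable" part without silently merging the wrong identities.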