Phabricator实践（2）：组织结构——账户角色（Account Role）

Overview

When you create a user account, you can set roles like "Administrator", "Disabled" or "System Agent". This document explains what these roles mean.

Administrators

Administrators are normal users with extra capabilities. They have access to some tools and workflows that normal users don't, which they can use to debug and configure Phabricator. For example, they have access to:

• Account Management: The primary function of administrators is adding, disabling, and managing user accounts. Administrators can create and edit accounts and view access logs.
• MetaMTA: Administrators can send test email via MetaMTA. This isn't available to normal users to prevent Phabricator from serving as a partially open relay if used by open source projects.
• Repositories: Administrators can configure repositories. This isn't normally available because it is specialized and complicated to configure.

Administrators have a few other minor capabilities in other tools. When you are in an administrative interface, the menu bar is red.

Administrators are not in complete control of the system. Administrators can not login as other users or act on behalf of other users. Administrators can not bypass object privacy policies.

NOTE: Administrators currently can act on behalf of other users via Conduit. This will be locked down at some point.

System Agents

System Agents are accounts for bots and scripts which need to interface with the system but are not regular users. Generally, when you write scripts that use Conduit (like the IRC bot), you should create a System Agent account for them. System agents:

• can not login (they can access API methods via Conduit);
• can not review diffs or own tasks;
• do not appear in CC tokenzers.

Currently, the System Agent role for an account can not be changed after the account is created. This prevents administrators form changing a normal user into a system agent, retrieving their Conduit certificate, and then changing them back (which would allow administrators to gain other users' credentials).

备注：

由于SystemAgent不能审核代码，而且也不会出现在Phabricator邮件选项中。

而且也不会收到Review Action的邮件，即使你也参加了审核。

所以我通常的做法是：

Step1：后台使用命令行创建具有“Administrator”和“System Agent”角色的超级管理员账户。

Step2：使用超级管理员账户给某个LDAP账户配置赋予“Administrator”角色。