Issue 2786: global admin capability to modify user accounts
Status:  Released
Owner: ----
Closed:  Jul 2014
Project Member Reported by zaro0508, Jul 19, 2014
We have setup a "Third Party CI" group.  The group contains user accounts (all bots) that trigger on changes in our Gerrit repo, run tests externally, then reports back to our Gerrit.  

Here's an example: https://review.openstack.org/#/c/107486/

You will notice that "XenServer CI" and "turbo-hipster" are accounts in the "Third Party CI" group.  Our Third Party CI group is starting to become pretty large so we want to delegate account management of this group  to a specific person (gerrit user).  This user is not an administrator nor a project owner, just a Registered user with permission to modify account settings. 

Currently Gerrit doesn't support this use case.  I would like to request for a global admin capability ACL [1] to allow groups to manage accounts.  Maybe something similar to 'Create Account', except it would be 'Modify  Account.

[1] https://review.openstack.org/Documentation/access-control.html#global_capabilities
Jul 20, 2014
Project Member #1 David.Os...@gmail.com
As discussed on dev ML thread, the appropriate way to
achieve what you want is to write a plugin or use/extend
already existing serviceuser plugin. Plugins can provide
plugin owned capabilities that can be granted to users
from Gerrit UI as normal (core) capabilities.

For example serviceuser plugin provides own
'Create Service User' capability [1].

[1] https://gerrit.googlesource.com/plugins/serviceuser/+/master/src/main/resources/Documentation/cmd-create.md
Status: AwaitingInformation
Jul 21, 2014
Project Member #2 zaro0508
Yes, you are right.  The service user plugin can address this use case.  However it doesn't address the general use case of allowing a user (or group) to modify any other user (or group) account.   I'm wondering why not just have a global capability in Gerrit core that allows one group to modify all other user accounts?  There are already capabilities to create account, create group, and view accounts.  Would it not make sense to add a "modify accounts" capability?  This capability could allow Gerrit admins to modify all other accounts/groups which Gerrit cannot do right now.
Jul 23, 2014
Project Member #4 david.pu...@sonymobile.com
(No comment was entered for this change.)
Status: Submitted
Labels: FixedIn-2.11
Apr 16, 2015
Project Member #5 david.pu...@sonymobile.com
(No comment was entered for this change.)
Status: Released