Policy:Wikimedia Foundation Staff Userrights Policy - Wikimedia Foundation Governance Wiki

Policy:Wikimedia Foundation Staff Userrights Policy - Wikimedia Foundation Governance Wiki
Jump to content
From Wikimedia Foundation Governance Wiki
Translate this page
Other languages:
Shortcut
Policy:SUP
This policy or procedure is maintained by the
Wikimedia Foundation
Please note that in the event of any differences in meaning or interpretation between the original English version of this content and a translation, the original English version takes precedence.
Wikimedia policies
Wikimedia projects
Access to nonpublic personal data
Underage exemptions
Access to temporary account IP addresses
API usage guidelines
Code of conduct for Wikimedia technical spaces, including events
Combating online child exploitation
Commercial sales and contracts
Cookie statement
Data collection guidelines
Data publication guidelines
Data retention guidelines
Digital Millennium Copyright Act (DMCA)
Donor privacy
SMS supplementary terms
General disclaimer
Human rights
IP Information Tool
Licensing
Modifying CheckUser logs guidelines
Office actions
Non-wiki
Wikimedia Maps
Wikimedia Phabricator
Terrorist and violent extremist content procedures and guidelines
Trademarks
Universal code of conduct
Enforcement guidelines
Use of Wikimedia sites for advocacy purposes
Foundation Board and staff
Board of Trustees candidate review process
Code of Conduct
Board of Trustees
Conflict of interest
Confidentiality agreement of the Board of Trustees
Credit card usage
Delegation of authority
Duty entertainment
Foreign Corrupt Practices Act (FCPA)
Gifts
Non-discrimination
Policy and political association guideline
Staff test account
Staff userrights
Travel and expense
Whistleblower
Other
Expense reimbursement
Feedback privacy statement
Friendly space policy
Investment policy
Legal policies
Open access policy
Peering policy
Purchasing and disbursements procedures
Requests for user information
Scholarship travel policy
Service provider travel guidance
Wikimedia Foundation staff who need to take action on the Wikimedia projects need the ability to do so as transparently as possible using the tools and user rights that already exist. At the same time, the community and general public expect that the allocation and use of these rights will be transparent, that community norms will be respected, and that privacy will be protected.
In order to meet these goals and streamline the process, staff work user rights are granted and removed through the staff process (rather than the community process) in the custody of the
Trust and Safety team (T&S)
at the Foundation. We also aim to give the minimum amount of access required for the task. This is especially true for sensitive rights such as those that allow access to private data or the ability to do things that are generally community-only (such as blocking or locking accounts).
T&S maintains a record of all staff rights for tracking and transparency purposes. Some elements of that record are publicly logged on
Meta-Wiki
; namely, the username, the rights applied, the date they were applied, and the use case of the requested rights.
Use of the tools
An employee who has staff administrative privileges may use those privileges only with respect to their staff duties at the Foundation approved under the requested use case. Those privileges may not be used in a personal capacity, even if they hold those user rights on a personal account. At the same time, a staff member may not use their personal account rights for staff duties in any way. If they require access for a staff purpose, they should have those rights granted on their work account.
While Foundation staff and contractors are traditionally granted a large amount of good faith in the technical actions they take on the projects, please remember the community may still undo you if an action harms the projects unless it is an official
Office Action
(and marked as such) usually only done by
Legal
or Trust & Safety staff. If you have someone approach you asking why you took a specific action, please engage with them directly. You are also advised to let the Trust and Safety team know of the issue.
Obtaining staff user rights
All staff account on-wiki rights should be requested through this process. To request the rights an email needs to be sent from the work address to Trust and Safety.
The email should include
Use case: The rights you're seeking and the reason for your request. If you don't know the name of the right you're seeking, explain what you hope to do, and we'll help you determine which rights you need.
Username: Your work username
Duration: Specify whether access is required for an ongoing or a short-term need. If they're for a short-term project, we can set them to expire after the project is over.
With all the information send the e-mail to ca
wikimedia.org and cc your line manager, requesting that your manager indicate approval and training confirmation. If you are asking for a highly sensitive right (such as staff, Checkuser, Oversight, etc.), you will need approval from your director or C-level, if that is not your manager. Please cc that person as well or instead.
Manager's responsibility
It is the approving manager's responsibility to make sure that the staffer has appropriate training prior to approving the use case. T&S requires the approving manager to explicitly confirm during the approval that the staff member has been appropriately trained to use the tool/userrights requested. In some cases, T&S may request a demonstration.
Highly sensitive rights
Some user rights are considered "highly sensitive" and require higher levels of reasoning and approval. The decision approach from T&S' side may vary depending on the experience level of the staff requesting the rights and that of the use case. Generally, they are given out only if they are absolutely essential for work purposes and generally given out for the duration of the need for access by the specific staff member. Note especially that this applies to all Wikimedia projects, including testwiki. All NDA-related rights are generally considered "highly sensitive" including those that have side-wide implication. These include but are not limited to,
Checkuser-related rights
Suppression-related rights
Site interface-related rights
Systemadmin-related rights
Banner-related rights
The ability to limit an account from editing (such as blocking their account, or globally locking it) - does not apply to test environments
Rights that require
2FA
etc.
Removal of access
Self request
Staff members who no longer require the rights should notify Trust and Safety at ca
wikimedia.org so that they can be removed. We don't allow inactive accounts to continue to hold advanced rights beyond what is necessary. In most cases, T&S sets an expiration date when granting the rights except for cases that are for permanent use.
By Trust & Safety staff on their own initiative
If, while reviewing user rights, T&S staff believe that a staff member no longer needs the access, they will attempt to contact the staffer and verify that it is no longer needed. After removal has been verified, or T&S receives no response for a week, T&S staff will then remove the user rights. The rights can be reinstated on request with a new use case.
In rare cases, T&S staff may also remove rights if they've been used inappropriately. This includes temporary removal during an investigation into any complaints received. The staffer will always get a chance to present their side of the story, but T&S reserves the right to temporarily remove the rights without reaching out first if they believe that's the best thing for the projects, the Foundation, or if it appears that an account could be compromised. Misuse of sensitive rights may also be investigated by the
Ombuds commission
, independently of a Foundation investigation.
Upon departure from the Foundation
Upon departure from the Foundation, a staff member's account will be locked by
Wikimedia Foundation IT Services
and must no longer be used, which includes rights that may still be assigned to that account. If you notice an account you believe should be closed, but isn't, please notify ca
wikimedia.org immediately.
See also
Wikimedia Foundation Staff Test Account Policy
Retrieved from "
Category
Policies
Policy
Wikimedia Foundation Staff Userrights Policy
Add topic