
Repo Permissions Cleanup

Open eddie-knight opened this issue 1 year ago • 7 comments

Problem

Currently there are a large number of individuals with merge access to the CCC repo, and no clear means for the community to self-manage roles and permissions.

Proposed Solution

Adjust repo permissions to correspond with the community guidelines:

  1. Create a new top-level team with sub-teams: ccc
    • Maintainer role given to all SteerCo members and FINOS point of contact
  2. Create child-teams within ccc:
    • ccc-steerco
      • Contains only steerco members, tag via @finos/ccc-steerco
    • wg-leads
      • Contains only working group leads, tag via @ccc/wg-leads
    • wg-XXX
      • Contains approvers for the respective WG
      • Maintainer role given to the respective WG lead
    • members
      • Contains active community members who may have issues and PRs assigned to them
      • tagging @finos/ccc-members will notify the whole community
    • Example:
      • example-teams
  3. Create a CODEOWNERS file following official project guidance
    • Use the CCC GitHub Teams to assign ownership
  4. Modify branch protection to require approval from code owners
  5. Remove the ccc-maintainers team, as it has been replaced by the above groups (if possible, use this as the starter for ccc/members).
  6. Remove the ccc-participants team, as it was only in use during the private stage of the project last year

eddie-knight avatar May 14 '24 23:05 eddie-knight
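As an added illustration (not the project's own CODEOWNERS file), this is what a CODEOWNERS file implementing the CODEOWNERS and branch-protection steps of the proposal above could look like. Only @finos/ccc-steerco and @finos/ccc-members come from the proposal; the working-group team slugs, the directory paths and the point-of-contact handle are assumed placeholders that would have to match the real teams and repository layout.

```text
# CODEOWNERS (added example; team slugs other than @finos/ccc-steerco and
# @finos/ccc-members, the paths, and the point-of-contact handle are assumed)

# Fallback first: GitHub uses the LAST matching pattern, so anything not
# claimed by a more specific rule below is owned by the SteerCo.
*                               @finos/ccc-steerco

# Each working group owns its own area (assumed paths and team slugs).
/docs/community-structure/      @finos/ccc-wg-community-structure
/docs/taxonomy/                 @finos/ccc-wg-taxonomy
/services/                      @finos/ccc-wg-security
/delivery-tooling/              @finos/ccc-wg-delivery

# The ownership map itself is owned by the FINOS point of contact, so that
# any change to who owns what gets foundation review (placeholder handle).
/.github/CODEOWNERS             @FINOS-POINT-OF-CONTACT-PLACEHOLDER
```

Two checks worth doing when such a file is committed: every team named as an owner must have write access to the repository, otherwise GitHub silently ignores the entry; and the entries only become a merge gate once the protected branch has "Require review from Code Owners" enabled, which is the branch-protection change the proposal asks for.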

@eddie-knight acknowledged. I have a couple of presentations to prep for today and tomorrow, will hopefully get time to start looking into this towards the end of the week.

sshiells-scottlogic avatar May 15 '24 07:05 sshiells-scottlogic

@sshiells-scottlogic & @eddie-knight - I received an automatic meeting indicating I have been removed from the ccc. Does it mean my support is no longer needed?

iMichaela avatar May 16 '24 02:05 iMichaela

Definitely not, @iMichaela! A lot of our recent work has been based on your contributions to the discussion, and your input is always appreciated.

I believe everyone will have gotten a similar message when we changed the groups (as outlined above), though I didn't anticipate that happening.

You're still in the CCC members group:

[Screenshot: CCC members group membership, taken 2024-05-16]

Thanks for touching base on this!

eddie-knight avatar May 16 '24 03:05 eddie-knight

@eddie-knight @robmoffat we also received a similar message as @iMichaela raised in the comment and got confused. Also, we saw all CCC meetings being cancelled with the note "All CCC meetings are temporarily cancelled." Together with the meeting cancellation, the notification gave us an impression that the CCC project itself is paused/cancelled. It would be helpful for audiences to have context on why we were getting an email that we are being removed from the group (due to the changes being made here, obviously) and why all CCC meetings are cancelled.

rachkim00 avatar May 21 '24 20:05 rachkim00

Thanks @rachkim00, and very sorry for the sudden confusion.

We've added a note in the repo to warn against meeting cancellations like that in the future (#179) and, fortunately, we've now launched the communications working group to address oversights like this!

eddie-knight avatar May 21 '24 20:05 eddie-knight

@eddie-knight Thank you much! I don't see any CCC meeting in my calendar yet since the cancellation. Hope there will be new ones scheduled.

rachkim00 avatar May 22 '24 20:05 rachkim00

Yes! We are working with @robmoffat and the Communications WG to determine the next meetings.

We'll notify the CCC mailing list and put the public meetings on the calendar— hopefully before the end of the week.

eddie-knight avatar May 22 '24 21:05 eddie-knight

Yes! We are working with @robmoffat and the Communications WG to determine the next meetings.

We'll notify the CCC mailing list and put the public meetings on the calendar— hopefully before the end of the week.

Me either!

iMichaela avatar May 23 '24 15:05 iMichaela

@eddie-knight :

Please can you expand on each of these groups with details of the group admin and members, so that I can get @TheJuanAndOnly99 to take a look?

Also, I think we need a PR with the CODEOWNERS file in it.

robmoffat avatar May 29 '24 13:05 robmoffat

Also, can we make sure all groups are prefixed CCC so that they are easy to find?

robmoffat avatar May 29 '24 13:05 robmoffat

ccc-members should be the top-level group with ccc-steer-co, ccc-wg-leads etc. as child groups.

robmoffat avatar May 29 '24 13:05 robmoffat

Thanks @robmoffat & @TheJuanAndOnly99. Notably, we recently learned that admins are only able to manage membership, not child groups.

TODO

  • [x] CCC Members -> Common Cloud Controls (replaces the current parent team, which can be removed)
    • [x] Admin: @robmoffat, no others beyond FINOS staff
  • [x] SteerCo -> CCC SteerCo — Child of Common Cloud Controls
  • [x] Create and populate CCC WG Leads
    • [x] Admin: @robmoffat
    • [x] Members: @sshiells-scottlogic @jared-lambert @smendis-scottlogic @mlysaght2017 @damienjburks @Alexstpierrework
  • [x] Create child teams for each WG with the respective maintainer
    • [x] CCC WG Community Structure Admin: @sshiells-scottlogic
    • [x] CCC WG Duplication Reduction Admin: @jared-lambert
    • [x] CCC WG Taxonomy Admin: @smendis-scottlogic
    • [x] CCC WG Security Admin: @mlysaght2017
    • [x] CCC WG Delivery Admin: @damienjburks
    • [x] CCC WG Communications Admin: @Alexstpierrework

eddie-knight avatar May 29 '24 15:05 eddie-knight

I'll collaborate with @sshiells-scottlogic to create the CODEOWNERS pull request tomorrow. The goal will be for that file to assign responsibility for everything in the repository to one of the WGs or the SteerCo.

That way each group can determine their own acceptance criteria for their respective areas, so that contributions such as PR #153 aren't blocked by a lack of clarity in the future.

eddie-knight avatar May 29 '24 15:05 eddie-knight

@robmoffat @sshiells-scottlogic I think we should have the CODEOWNERS file itself be owned by the FINOS Point of Contact, so that there is foundation oversight on who owns each element in the repo.

The alternative is to have the SteerCo own it.

WDYT?

eddie-knight avatar May 29 '24 15:05 eddie-knight

I think the FINOS Point of Contact makes sense. If there are any changes that need to be made, then I think they could be done quicker through the FINOS Point of Contact rather than having to go through the steer co.

sshiells-scottlogic avatar May 29 '24 15:05 sshiells-scottlogic

I'm just going to jump on this issue to lay out the meetings I'm going to create, their length and cadence:

| Meeting | Cadence | Length | Notes | On FINOS Calendar | When | Chair |
|---|---|---|---|---|---|---|
| Steering Committee | Quarterly | 1 Hour | Already Exists | Yes | 2PM UK Time, Second Tuesday of the quarter | FINOS |
| WG: Community Structure | Fortnightly | 30 mins | | Yes | 5PM UK, 2nd and 4th Thursday each month | |
| WG: Duplication Reduction | Fortnightly | 30 mins | | Yes | 5:30PM UK, 2nd and 4th Thursday each month | Jared Lambert |
| WG: Taxonomy | Informally | | | | | Sonali Mendis |
| WG: Security | Every 3 weeks * | 30 mins | * every 3 weeks is hard to schedule with the other meetings, so going fortnightly | Yes | 4PM UK, 1st and 3rd Thursday each month | Michael Lysaght |
| WG: Delivery | Fortnightly | 30 mins | | Yes | 4:30PM UK, 1st and 3rd Thursday each month | Damien Burke |
| WG: Communications / All Hands | Fortnightly | 1 Hour | Propose that this replaces the old All-Hands meeting and includes updates from all WG Leads | Yes | 5PM UK, 1st and 3rd Thursday each month | Alex St. Pierre |
| Working Group Leads / Exec Sponsors | Monthly | 1 Hour | Replacing Strategic Initiative Update Meeting | No | 15:30 – 16:15 UK, Monthly on the fourth Friday | FINOS |

Hopefully, this works - we've got a lot of meetings going on and I don't want to clash with too many other things in the FINOS calendar that people might want to go to. However, there ARE clashes with Backstage WG, and FDC3 for Web Browsers. I am heavily involved in that second one, so I won't be able to attend the second Delivery meeting of the month.

@jared-lambert, @damienjburks @mlysaght2017 @Alexstpierrework please check your availability.

Once everyone is happy I'll create these and invite the entire mailing list to attend - they can then choose which meetings they'd like to go to.

robmoffat avatar May 30 '24 10:05 robmoffat


@robmoffat Can Taxonomy WG have fortnightly meeting slots as well? I think I misunderstood what is informal when we last talked about it. I would like recurring fortnightly meetings that are not on FINOS calendar. Will that be possible? Thanks!

smendis-scottlogic avatar May 30 '24 13:05 smendis-scottlogic

@robmoffat - It looks like WG:Security and WG:Delivery are back-to-back. Is there a vision that members will be involved in more than one WG? Since I do not see a dedicated WG for the conversion of the security information in OSCAL and piloting or guiding the security automation process (for certification purpose), I am assuming the work will start under "Security" WG and continue inner "Delivery" WG . Is there a different vision for the work? Alternatively, "Security" WG can generate OSCAL samples and Delivery will be responsible for the tooling and conversion of the entire information.

iMichaela avatar May 30 '24 15:05 iMichaela

Is there a vision that members will be involved in more than one WG?

Absolutely. The delineation of responsibilities is to help scope the work commitments and enable granular reviews and approvals as things progress.

I am assuming the work will start under "Security" WG and continue inner "Delivery" WG . Is there a different vision for the work? Alternatively, "Security" WG can generate OSCAL samples and Delivery will be responsible for the tooling and conversion of the entire information.

Should we open a new issue for this question?

We'll need to get guidance on this topic from @damienjburks and @mlysaght2017. Input from @jared-lambert / Duplication Reduction might help as well.

eddie-knight avatar May 30 '24 16:05 eddie-knight

Should we open a new issue for this question?

If there is no vision, no guidance, then we will need those, and opening an issue might be a simple way of ensuring this is tracked.

iMichaela avatar May 30 '24 16:05 iMichaela

@robmoffat - I think aligning the Security WG with a fortnightly frequency would work better. Otherwise, I'm good.

mlysaght2017 avatar May 30 '24 19:05 mlysaght2017

@iMichaela @eddie-knight @damienjburks - agree that we need more clarity on where the assessment layer falls.

mlysaght2017 avatar May 30 '24 19:05 mlysaght2017

@iMichaela @eddie-knight @damienjburks - agree that we need more clarity on where the assessment layer falls.

@mlysaght2017 - the clarification I requested is going beyond assessment.

  1. I initiated OSCAL samples for the security information we want in digital format. Determining the best way of representing the information to support the overall vision and the deliverables is key to success. Such samples can be created by hand by me, Rachel, maybe others, but not by all SMEs developing logical controls, assessment requirements and tests.

  2. For smooth digitalization of the information the WG(s) members will need:
    • a tool/software that will convert the information into OSCAL as soon as the information is completed/updated, OR
    • an editorial tool the SME developing the logical controls and the assessment requirements can use

  3. a plan for the release of the information (first release, minor updates, patches). Need to think about how the consumers of the information are going to consume it...

  4. a website with guidance or local guidance in GH

iMichaela avatar May 30 '24 20:05 iMichaela

Looks like we already have #139 to discuss the OSCAL topic. It could also be added to the agenda for the upcoming Security and/or Delivery meetings. @iMichaela, you might also apply feedback to #153 if you feel like that approach could be improved.

eddie-knight avatar May 30 '24 21:05 eddie-knight

That's great guidance, thanks @iMichaela. I'll create some issues with dependencies. Will also expand on the initial example controls we have, to have a larger sample to work with.

mlysaght2017 avatar May 30 '24 21:05 mlysaght2017

Looks like we already have https://github.com/finos/common-cloud-controls/issues/139 to discuss the OSCAL topic. It could also be added to the agenda for the upcoming Security and/or Delivery meetings. @iMichaela, you might also apply feedback to #153 if you feel like that approach could be improved.

But #139 was not addressed - was it? I reviewed and approved, from OSCAL perspective, the PR https://github.com/finos/common-cloud-controls/pull/153

iMichaela avatar May 30 '24 21:05 iMichaela

I'm not sure - happy to let you and @mlysaght2017 collab to keep things organized for that workstream.

@robmoffat and @TheJuanAndOnly99 please note that there are action items for you in the comments above on the topic of permissions and meetings cleanup

eddie-knight avatar May 30 '24 21:05 eddie-knight


@robmoffat I can chair the community structure meetings.

sshiells-scottlogic avatar May 31 '24 07:05 sshiells-scottlogic

@robmoffat - I think aligning the Security WG with a fortnightly frequency would work better. Otherwise, I'm good.

Sorry if it wasn't clear, that's what I did already @mlysaght2017

robmoffat avatar May 31 '24 09:05 robmoffat

@robmoffat I can chair the community structure meetings.

Awesome, thanks @smendis-scottlogic

robmoffat avatar May 31 '24 09:05 robmoffat