Interacting With the Arnica Slackbot

Currently supported for GitHub integrations only

Overview

Arnica's Slack bot enables developers to gain access to repositories and specific paths in CODEOWNERS files.

Interacting with the "/arnica" Slack bot

Requesting a permission

Any member of the Slack Workspace where Arnica's bot is installed can launch the permissions self-service wizard by typing "/arnica" into the Slack channel. You don't need to have an account in Arnica to use the bot.

This command gives the Slack user access to Arnica's self-service dialog. This allows you to request access reinstatement based on past mitigations, or new access.

Select a GitHub organization, repository, permission type, and the GitHub username (if requested on someone's behalf).

If the requested repository has a CODEOWNERS file with Arnica-managed Teams, the dialog will present only the paths where these Teams are associated. For example, assume the following CODEOWNERS file:

* @nir-gitgoat-prod/arnica-ginger-main-codeowners
abc/ @nir-gitgoat-prod/arnica-ginger-main-abc-codeowners
def/ @nir-gitgoat-prod/def-team

In this case, the paths * and /abc are mapped to Arnica-managed Teams, while the path /def is managed manually. This scenario is possible if no excessive permissions were identified in the Team associated with this path, or if the path was added to the repository recently and has not yet been mitigated.
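The split described above can be reproduced offline when reviewing a repository. The following is an added example, not Arnica's own code: it parses a CODEOWNERS file and separates the paths owned by an Arnica-managed Team from the paths managed manually. It assumes that managed Teams can be recognised by a team slug starting with "arnica-", which is inferred from the sample file and is not a rule stated on this page; the function names and the extra docs/ line are constructed for illustration.

```python
import re

# ASSUMPTION: an Arnica-managed Team is recognised by a team slug that starts
# with "arnica-" (inferred from the sample file; not a documented naming rule).
MANAGED_PREFIX = "arnica-"

# Constructed sample: the three rules from the page plus one user/e-mail rule.
SAMPLE_CODEOWNERS = """\
# constructed sample based on the file shown above
* @nir-gitgoat-prod/arnica-ginger-main-codeowners
abc/ @nir-gitgoat-prod/arnica-ginger-main-abc-codeowners
def/ @nir-gitgoat-prod/def-team   # manually managed
docs/ @some-user docs@example.com
"""


def parse_codeowners(text):
    """Return [(pattern, [owners])], skipping blank lines and comments."""
    rules = []
    for raw in text.splitlines():
        # Strip full-line and inline comments; an escaped "\#" is left alone.
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if not line:
            continue
        pattern, *owners = line.split()
        rules.append((pattern, owners))
    return rules


def is_managed(owner):
    """True for @org/team owners whose team slug carries the assumed prefix."""
    if not owner.startswith("@") or "/" not in owner:
        return False  # individual user or e-mail owner, not a Team
    team_slug = owner.split("/", 1)[1]
    return team_slug.lower().startswith(MANAGED_PREFIX)


def classify(text):
    """Split patterns into (managed, manual) by whether any owner is managed."""
    managed, manual = [], []
    for pattern, owners in parse_codeowners(text):
        bucket = managed if any(is_managed(o) for o in owners) else manual
        bucket.append(pattern)
    return managed, manual


if __name__ == "__main__":
    managed, manual = classify(SAMPLE_CODEOWNERS)
    print("mapped to Arnica-managed Teams:", managed)
    print("managed manually:", manual)
```

Paths in the second list are the ones to review by hand, since membership changes to their Teams do not go through the request and approval flow described here.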

The dialog below demonstrates this explanation.

Arnica's bot automatically populates the paths where you are currently assigned or were previously assigned prior to the mitigation. For example, the user billdp-gg was previously assigned to the path *, and thus the path is automatically populated. The path /abc can be added to the user's request, if needed.

Important: all existing and new paths within CODEOWNERS need to be included in the request. If no paths are selected, the user will be granted the requested permission without being added to CODEOWNERS. A user who wants to be removed from a specific path can also request to be removed.

If there is an automatic privilege-granting policy set up within Arnica, you will be notified when the system updates your permissions. For example, if the permission is automatically granted, the message will be as follows:

However, if the permission needs to be approved by someone else, the following message will appear to the requestor:

The result from the permission approval request will be sent back to you automatically. If the request is approved, the permission will be automatically provisioned by Arnica.

If an error occurs in the requesting process, or there is no policy in place for the request, the system will alert you that the request was not processed.

Approving a permission

Permission requests for specific organizations and repositories can be routed to different Slack channels, as defined in Arnica's policy. For example, the approval workflow for the repository Lavender will route to the Lavender-Admins Slack channel, and the approval flow for the repository Acai will route to the Acai-Team Slack channel.

The approvers in each of the Slack channels don't need to have a user on GitHub or Arnica. The approval events are logged based on the Slack email address of the approver.

Each approval request will have the following details:

We log the result of every permission review decision. If approved, the user is automatically granted the requested permission.
