Having a 'shell' keyword implies that one has access to all machines or none, but our current permission scheme is more nuanced than that. A schema that maps accurately to the ACLs laid out in operations/puppet:manifests/admins.pp might be good, with keywords for 'root', 'mortal', and 'restricted'.
Version: wmf-deployment
Severity: minor
URL: https://gerrit.wikimedia.org/r/gitweb?p=operations/puppet.git;a=blob;f=manifests/admins.pp