Jump to content

Fundraising/techops/procedures/users-access roles

From Wikitech

Access to fundraising systems is controlled by different roles in different systems. This is a cheat sheet as to what these roles allow access to.These will be in broad speaking terms to allow the idea of basic functionality granted with each role. Permissions are generally listed in CRUD (Create, Read, Update, Delete) or Y/N format.

Civicrm

These are the general user roles/permissions in Civicrm. This list is not exhaustive in terms of roles or permissions granted.

CiviCRM
Administrator CiviCRM Admin Donor Services Donor Services Mgmt Engage Direct Mail Engage Mgmt Fr-Tech Civiproxy
Contacts CRUD CRUD CRUD CRUD R
Import Contacts Y Y
Access Deleted Contacts Y Y
Groups CRUD CRUD CRUD
Administer CiviCRM Y Y Y
Profies CRU CRU RU CRU
Activities RD RD R RD
API Access Y Y Y Y Y
Administer Dedupe Rules Y Y Y
Merge Dupe Contacts Y Y Y Y
Contact Notes CR CR CR CR
Administer Payment Processors Y
Message Templates U U
CiviEvent CR CR
CiviContribute CRUD RU RU D CRUD
CiviMail CRUD CRUD
CiviReport RU R RU RU
CiviReport Administration Y Y Y
CiviCampaign Administration Y
Export Permissions Y Y Y Y
Comment CRU CRU CRU
Comment Adminitration Y Y Y
Field Administration Y Y
Large Donation Administration Y Y
Node / "content" CRUD CRUD CRUD
OAuth Administration Y
Authorize OAuth consumers in dash Y Y
offline2civicrm Administration Y
offline2civicrm import Y Y
queue2civicrm Administration Y
Services Administration Y
System Administration Y Y
Use Admin pages Y Y
Taxonomy Administration Y Y
Thank You Administration Y
User Administration Y
View User Profiles Y
WMF Audit Y Y
WMF Campaign Administration Y Y
WMF Common Configure Y
WMF Common Queue Items RU RU

Superset

Role Access Granted
Admin Administer Superset
ChangeOwnPasswd Common to all roles. Allows users to change their password
Data Consumer Read data
Data Consumer with Export Read and export data
Fundraising Core Reporting Common to all roles. Allows DB access to read data from analytics.* DBs

Grafana

Role Access Granted
Admin Administer Grafana
Editor Create and Edit dashboards
Viewer View access only (not used)

Shell access (SSH)

Group Hosts Allowed PCI Scope
syops all yes
fr-tech build, listener, payments-staging, logger/archive, civi yes for build, civi
security auth, bastion, network-security yes for auth
analytics banner loggers no
fundraising bastion, frdev no
fr-analytics bastion, frdev, analytics no

MariaDB/Mysql

MariaDB permissions are in the CRUDS (Create, Read, Update, Delete, Select) format. In these cases, we are trying to group users by functional area for what their current permissions would wrap up to. We may want to adjust roles such that they follow by permission vs user functional area.

Fundraising
Role DB.table CRUDS Additional
fr-tech civicrm.* S
fr-tech drupal.* S
fr-tech fredge.* S (possibly all)
fr-tech fruec.* S
fr-tech geonames.* S
fr-tech log-civicrm.* S
fr-tech pending.* S
fr-tech smashpig.* S
Fundraising Dev
Role DB.table CRUDS Additional
fr-tech Global create temporary tables, file, process
fr-tech-ops mysql.innodb_index_stats S
fr-tech civicrm.* S
fr-tech-ops civicrm.* S
fundraising civicrm.* S
fundraising analytics civicrm.* S
fr-tech drupal.* S
fr-tech-ops drupal.* S
fundraising drupal.* S
fundraising analytics drupal.* S
fr-tech fredge.* S
fundraising fredge.* S
fundraising analytics fredge.* S
fr-tech geonames.* S
fr-tech smashpig.* S
fundraising analytics smashpig.* S
fr-tech faulkner.* S
fundraising faulkner.* S
fundraising analytics faulkner.* S
fr-tech analytics.* S
fundraising analytics.* S
fundraising analytics analytics.* CRUDS
fr-tech dev%.* S
fundraising dev%.* S
fundraising analytics dev%.* CRUDS
fr-tech pgehres.* S
fundraising pgehres.* S
fundraising analytics pgehres.* S
fundraising analytics superset.logs S
fr-tech smashpig.* S
fr-tech silverpop.* S
fundraising silverpop.* S
fundraising analytics silverpop.* S

TODO: dev_* databases

Some user specific databases are created where those users will have full access. This is a rarity and only on special request.

Analytics
Role DB.table CRUDS Additional
fr-tech civicrm.* S
fundraising civicrm.* S
fundraising analytics civicrm.* S
fr-tech drupal.* S
fundraising drupal.* S
fundraising analytics drupal.* S
fr-tech fredge.* S
fundraising fredge.* S
fundraising analytics fredge.* S
fr-tech geonames.* S
fundraising analytics geonames.* S
fr-tech smashpig.* S
fundraising analytics smashpig.* S
fr-tech faulkner.* S
fundraising faulkner.* S
fundraising analytics faulkner.* S
fr-tech analytics.* S
fundraising analytics.* S
fundraising analytics analytics.* CRUDS
fr-tech dev%.* S
fundraising dev%.* S
fundraising analytics dev%.* CRUDS
fr-tech pgehres.* S
fundraising pgehres.* S
fundraising analytics pgehres.* S
fundraising analytics superset.logs S