Fundraising/techops/procedures/users-fr tech managed accounts
There are certain accounts and systems that FR Tech manages. For each type there are variations on what the requirements are for access, how authentication (AuthN) and authorization (AuthZ) are handled, and what the user base is. Most of the user base is non-technical. The principle of least privilege is employed wherever possible for FR Tech users.
Additionally, some systems fall under PCI scope. For those systems, user access is restricted further and account deactivation happens as soon as the user has left a job function that requires PCI access. This is required and guided by the PCI standard version and compliance level that currently apply to the Foundation.
User Verification Requirements
There are base level verification requirements in order for access to be granted to FR Tech systems. The base requirements are:
- Access approved by C level
- Contact info provided on Collab wiki
Included in the contact information are the user's location and a contact number that can receive SMS (or Signal/WhatsApp/Telegram) messages. That information is used for generating the Client SSL certificate and for delivering out-of-band password information for the certificate and various accounts.
In addition, there are certain other requirements (Phabricator/Collab wiki access), which are used for exchanging other information such as SSH public keys.
User Access Controls
Client SSL certificate
This is used as a first line of authentication and as 2FA for web-based services.
- Generated on frpm host with local CA
- Restrictions are enforced at the server level by an nginx proxy
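One way an nginx proxy can enforce the client-certificate restriction described above, as an added example (not FR Tech's actual configuration). Hostnames, file paths, the upstream address and the use of the certificate's OU field to name the permitted service are all assumptions.

```nginx
# Added example; belongs inside the http {} context. All hostnames, paths
# and the OU value are placeholders, not FR Tech's actual settings.

# Map the verified certificate subject to an allow flag for this service.
# Assumes the local CA encodes the permitted service in the OU field.
map $ssl_client_s_dn $civicrm_allowed {
    default                  0;
    "~(^|,)OU=civicrm(,|$)"  1;
}

server {
    listen 443 ssl;
    server_name civicrm.example.org;                    # placeholder

    ssl_certificate         /etc/nginx/tls/server.crt;  # placeholder paths
    ssl_certificate_key     /etc/nginx/tls/server.key;

    # Only certificates that chain to the local CA are accepted;
    # requests without a valid certificate never reach the application.
    ssl_client_certificate  /etc/nginx/tls/local-ca.crt;
    ssl_verify_client       on;
    ssl_verify_depth        1;

    # Certificates revoked by the local CA are rejected.
    ssl_crl                 /etc/nginx/tls/local-ca.crl;

    location / {
        # Valid certificate, but not issued for this service.
        if ($civicrm_allowed = 0) { return 403; }

        # Overwrites any client-supplied header of the same name with the
        # value nginx verified, so the backend cannot be fed a forged DN.
        proxy_set_header X-Client-DN     $ssl_client_s_dn;
        proxy_set_header X-Client-Verify $ssl_client_verify;
        proxy_pass http://127.0.0.1:8080;               # placeholder upstream
    }
}
```

The application's local password check still runs behind the proxy, so the certificate acts as the first factor and the password as the second.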
SSH Keypair
- Used as authentication for ssh access to FR Tech servers
Yubikey
- Used as 2FA for ssh access to FR Tech servers
Kerberos
- Used as 2FA for ssh access to FR Tech servers (alternate option instead of Yubikey)
FR Tech Administered Services with Accounts
Service | PreReq | Authentication | Authorization | User Base | Notes |
---|---|---|---|---|---|
CiviCRM | Client SSL Cert | Local Password | Internal Civi roles | | 5 user roles currently used; Data / Access segmented by user role |
Superset | Client SSL Cert | Local Password | Internal Superset roles | | 6 user roles currently used; Minimal use of roles for data segmentation; Roles primarily used for access to features |
Superset Archive | Foundation Google Account | Google Account | Manually assigned roles | Fundraising Superset Users | Report archive hosted in Google Drive |
Grafana | Client SSL Cert | Local password | Internal Grafana roles | | Read access |
FR Tech server cli access (SSH) | Yubikey and ssh keypair | ssh keypair plus Yubikey for 2FA (kerberos password present as backup for FR Tech Ops SREs) | OS groups | | User account, keypair, group assignment managed via FR Tech puppet instance |
mariadb/mysql access | Server cli access | mariadb local user password | Managed via grant scripts per server role | | Access only allowed through SSH connection to an FR Tech server. |
Jupyter Notebook | Server cli access | Local per instance password | Instance per user | Fundraising analytics users | Accessed only via SSH tunnel to FR Tech server |
Ancillary FR Tech managed user items outside of account
There are assorted user items that FR Tech Ops manages / cleans up for Advancement users. This includes:
- Production email lists (fr-tech-failmail@)
- User specified as failmail recipient in cron jobs, puppet, or process-control jobs
- CiviCRM internal mailing settings
- CiviCRM notification listings (campaign, large donation, etc.)
- Git repository reviewer settings