Jump to content

Fundraising/techops/procedures/users-fr tech managed accounts

From Wikitech

There are certain accounts and systems that FR Tech manages. For each type there are variations on what the requirements are for access, how authentication (AuthN) and authorization (AuthZ) are handled, and what the user base is. Most of the user base is non-technical. The principle of least privilege is employed wherever possible for FR Tech users.

Additionally, some systems fall under PCI scope. For those systems, user access is restricted further and account deactivation happens as soon as the user has left a job function that requires PCI access. This is required and guided by the PCI standard version and compliance level that currently applies for the Foundation.

User Verification Requirements

There are base level verification requirements in order for access to be granted to FR Tech systems. The base requirements are:

  • Access approved by C level
  • Contact info provided on Collab wiki

Included in the contact information is the users location and a contact number that can receive SMS (or Signal/WhatsApp/Telegram) messages. That information is used for generating the Client SSL certificate and delivering out of band password information for the certificate and various accounts.

In addition, there are certain other requirements (phabricator/Collab wiki access) which are used for exchanging other information such as ssh public keys.

User Access Controls

Client SSL certificate

This is used as a first line of authentication and 2FA for web based services.

  • Generated on frpm host with local CA
  • Restrictions are enforced at the server level by an nginx proxy

SSH Keypair

  • Used as authentication for ssh access to FR Tech servers

Yubikey

  • Used as 2FA for ssh access to FR Tech servers

Kerberos

  • Used as 2FA for ssh access to FR Tech servers (alternate option instead of Yubikey)

FR Tech Administered Services with Accounts

Service PreReq Authentication Authorization User Base Notes
CiviCRM Client SSL Cert Local Password Internal Civi roles
  • General Advancement users
  • Fundraising tech users
  • External entities (Trilogy, Engage, contractors)
5 user roles currently used

Data / Access segmented by user role

Superset Client SSL Cert Local Password Internal Superset roles
  • General Advancement users
  • Some other Foundation users
  • Fundraising tech users
  • External entities (Trilogy)
6 user roles currently used

Minimal use of roles for data segmentation

Roles primarily used for access to features

  • dashboard creation, sql query, etc
Superset Archive Foundation Google Account Google Account Manually assigned roles Fundraising Superset Users Report archive hosted in google drive
  • Manual addition of users when granted superset access
  • Removal handled by FR Tech SRE when there is an internal transfer.
  • Removal handled automatically when there is a departure and google account is removed/disabled
Grafana Client SSL Cert Local password Internal Grafana roles
  • General Advancement users
  • Fundraising tech users
  • User with valid Client SSL certificate
Read access
  • General Advancement users
  • Any user with valid Client SSL certificateWrite access
  • Fr-Tech usersAdministrative access
  • Fr-Tech SRE
FR Tech server cli access (SSH) Yubikey and ssh keypair ssh keypair plus Yubikey for 2FA

(kerberos password present as backup for FR Tech Ops SREs)

OS groups
  • Select Fundraising users
  • Fundraising analytics users
  • Fundraising tech users
  • Select SRE accounts for specific hosts and functions
User account, keypair, group assignment managed via FR Tech puppet instance
  • Access segmented based on job requirement
  • PCI scope hosts have more limited user base
mariadb/mysql access Server cli access mariadb local user password Managed via grant scripts per server role
  • Select Fundraising users
  • Fundraising analytics users
  • Fundraising tech users
  • Select Foundation accounts for specific hosts and functions
Access only allowed through SSH connection to an FR Tech server.
Jupyter Notebook Server cli access Local per instance password Instance per user Fundraising analytics users Accessed only via SSH tunnel to FR Tech server

Ancillary FR Tech managed user items outside of account

There are assorted user items that FR Tech Ops manages / cleans up for Advancement users. This includes:

  • Production email lists (fr-tech-failmail@)
  • User specified as failmail recipient in cron jobs, puppet, or process-control jobs
  • CiviCRM internal mailing settings
  • CiviCRM notification listings (campaign, large donation, etc)
  • Git repository reviewer settings