Systems/Account Management


Account Creation / Modification

See also Tasks for setting up workstation and Data Access Unit version

  • Our policy is to have a single account per person, with various group membership as appropriate for their roles.
    • For example if a former student has an old account and becomes a researcher, the same username should be assigned the YubiKey and VPN roles, and project sub-accounts be created from it.
    • One exception is where different roles should have different access. For example, a DAU staff member (Monique) got a second account created so she would have different YubiKeys and VPN access for different roles. Another example is for dual roles of data steward and researcher - this is intended to protect them, when logged in to the DAR website, from accidentally accessing other researchers' information. In discussion 2017-05-31 between Tim, Denis and David, we decided the suffix "-ds" could be added to the username. Some examples: tark-datasteward (tark); fmushashi-ds (fmushashi); ... See also groups "dar-datastewards"; "dar-users" (Data Access Requests); "dswg-users" (Data Stewards Working Group); "mdc-users" (Meta Data Central)
  • New staff account setup is triggered by an OTRS ticket generated by Privacy Officer or Jim or Abigail requesting the appropriate access for the new staff person.
  • Review this document in Alfresco while setting up new users: \Policies\Procedures\Procedure for New Hires and Departures
    • The setup procedure for Systems and IT accounts is listed below; be sure to have all appropriate forms signed (acquired from the Privacy Officer) before beginning.
  • Generally accounts are created using PDS Django web site by the RLU.
    • PDS manages entries in Django database on Cartier, LDAP on Champlain and Active Directory on Gilbert
    • Some changes (e.g. email) can only be done more directly on LDAP, for example PHPldapAdmin
    • New LDAP entries are discovered by cron jobs on Fraser to trigger creation of user directories.
    • Renaming an account is not recommended due to scattering of data.
    • Username should be all lowercase and made up of first initial and last name. There are exceptions, for example the ETU prefers to have students use their uVic login name. Usernames must be no more than 13 characters so that project accounts don't exceed the Windows username length limit of 20 (Software-sys-Windows#Username_limits). The length should be even shorter in case the user ever gets a secondary account for a special project with a longer project name.
    • Password propagation from LDAP (Champlain) to AD (Gilbert) and from Yellow to Red Zone: see Services/LDAP
  • Moodle (training.popdata.bc.ca) accepts all PDS accounts plus a few local accounts (e.g. "rlu"). RTL courses are open to anyone with an account, but most courses require registration (even when the course is free, such as privacy training).


Staff Accounts

1. Zimbra email account creation

  • In a web browser go to this address: https://mail.popdata.bc.ca:7071/zimbraAdmin/
  • Login and click "Accounts" under "Addresses" on the right of the screen.
  • Click the "New" button just above the list of accounts.
  • Enter the fields for Account name, First name, Last name, and Canonical address.
    The Account name should have a @popdata.bc.ca address (click on it and a drop-down appears).
  • Standard Zimbra account config: create the account as first character of first name + full last name (e.g. rnorden) and add the full name as an alias "first.last@popdata.bc.ca"
  • Click Finish
  • Right click their account name in the list and choose "Change password"
  • Enter a default password and click the "Must change password" checkbox.


2. Setting up Zimbra calendars

  • New accounts that need to view/edit other users' calendars need to be granted permission by that user.
  • Right-Click on the calendar account that needs to be viewed by the new user, click the "View Mail" button. E.g. popdata-events@popdata.bc.ca is found under Manage=>Resources
  • Click the Calendar tab. Then right-click the word "Calendar" (usually orange) under the heading "Calendars".
  • Choose "Edit Properties", and look at the user list under the heading "Sharing for this folder"
  • Click the Add Share button and add the new user to this list. Make sure you choose the correct "role" (permissions).
  • Log out of this user's account.
  • For Outlook, set up Calendar under Zimbra connector
  • See also "Zimbra Calendar Instructions.docx" under "\Gilbert\Alfresco\Administration\Calendars and Time Management\"


3. Create user on PDS https://pds.popdata.bc.ca/ (performed by RLU if new user is researcher)

    • Set a temporary passphrase (use the same one as set up in Zimbra). All password changes are logged in PDS. Access to VPN will be blocked until password is reset by user.
    • If the user already exists - (for example an "external" user previously registered for an RTL course), you need to add them to the chspr-users group on gilbert (if they are new chspr staff) and you need to modify their user profile tab as well. User login script needs to be changed from external.bat to chspr.bat.
    • add them to rlu, dsurlu-wiki, pds-admin if in Data Access Unit
    • Add them to the popdata-staff group
    • Add them to the popdata-wiki group

4. Assign staff card/fob for opening doors. See Security/UBC_Access_Control

5. Assign Yubikey to them if needed using PDS (performed by RLU if new user is researcher)

6. Put them in the popdata-users AD group on gilbert (for write access to Alfresco folders, and possibly access to "units blog")

    • Find user account by find menu -> Right mouse and click "Move..." -> move the account to appropriate group:
      • /popdata/popdata/users (for standard user)
      • /popdata/popdata/leads
      • /popdata/popdata/admins (for IT)
    • Right mouse click and click "Add to a group..." -> type "shoebox-users" in the text box and Check Names button -> OK (shoebox is usually only needed for RLU)
    • Put them in the popdata-leads AD group on gilbert if appropriate

7. Some servers have local groups (not in PDS)

    • on Thompson2, local group "pds" grants write access to some folders under share "\\thompson2\pds" (//thompson2/home/www/pds)

8. Fix home directory on gilbert (you might not need this step: open the login profile and save it without changing anything)

9. Ask Bryony to add them to the popdata lists on http://lists.popdata.bc.ca/archive (ubcstaff, staff)

10. Add new staff to appropriate staff list. For example

  • PopData IT staff <it@popdata.bc.ca> is really Zimbra list s.and.s@popdata.bc.ca (systems and security)
  • Data Access <rlu@popdata.bc.ca> is a shared mailbox, not a list.
  • Other staff groups are Sympa lists on lists.popdata.bc.ca - Ex: data@lists.popdata.bc.ca (Data Services Unit)

Notes

    • Personnel who infrequently require access will have their account deactivated while they are away [Authentication and Access Control policy 5.5]
    • All access changes must be reviewed by Management [A.&A. C. P. 5.6]
    • Notify S&S manager of changing roles, so access is deactivated as appropriate (including for extended absences).

PDS user account admin - what each of those fields really means

  • "Password reset: yes" means user has changed their own password.
  • "Last Login" is date of most recent login to an SRE, RTL or SRTL virtual machine. Should be blank for primary accounts, except for RTL accounts and a few weird accounts.
  • "Last VPN Login" is date of most recent VPN connection. Should be blank for secondary accounts.
  • "SRE / RTL / SRTL user" means allowed to login using Remote Desktop to SRE / RTL / SRTL machines.
  • "VPN group" is for VPN logins using Cisco AnyConnect. The VPN group "SRE" is not visible here for historical reasons, and can only be controlled by an administrator on unix server Cabot. An account can have a choice of multiple groups, for example a researcher taking a course. Secondary accounts MUST NOT have VPN access. Some VPN groups require the use of SecurID keyfobs, but this is invisible to PDS.
  • Yubikey is a USB dongle that pretends to be a standard keyboard. They will replace SecurID readouts eventually for all PopData. The 8-digit serial# is written on the back; when its button is touched and it types out a 40-character string, the first 12 characters are constant and are a translation of the serial number using just letters; the rest of the string constitutes a one-time-password.
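The structure just described (a constant 12-character public ID followed by a one-time password) is what an authenticating service sees. The following is an added example, not PDS code and not anything from Yubico: it splits the typed string, translates the modhex public ID (Yubico's letters-only alphabet, `cbdefghijklnrtuv`) to hex, looks it up in a registry of assigned keys, and rejects a replayed OTP body. The registry contents and the sample OTP are constructed; the seen-set replay check is a simplification of the counter check a real validation server does, and the cryptographic verification of the OTP body (the key's AES-encrypted counter block) is left to that validation server and not implemented here.

```python
"""Splitting and sanity-checking the string a YubiKey types (added example)."""

MODHEX = "cbdefghijklnrtuv"   # Yubico's modhex alphabet: letter i stands for hex digit i
HEX = "0123456789abcdef"
PUBLIC_ID_LEN = 12             # the constant prefix typed before the one-time password

# Constructed registry: modhex public ID -> account the key was assigned to.
# In PDS this association is made when the YubiKey is assigned (an assumption
# about how the lookup would be done; the values below are made up).
REGISTERED_KEYS = {
    "cbdefghijkln": "rnorden",
}


def modhex_to_hex(s: str) -> str:
    """Translate a modhex string to ordinary hex; raises on any other character."""
    out = []
    for ch in s:
        i = MODHEX.find(ch)
        if i < 0:
            raise ValueError(f"not a modhex character: {ch!r}")
        out.append(HEX[i])
    return "".join(out)


def split_otp(typed: str):
    """Return (public_id, otp_body) from the full string the key typed.

    Only the prefix length is fixed; the remainder is treated as the OTP body
    and both parts must be modhex."""
    typed = typed.strip()
    if len(typed) <= PUBLIC_ID_LEN:
        raise ValueError("too short to hold a public ID and an OTP")
    public_id, body = typed[:PUBLIC_ID_LEN], typed[PUBLIC_ID_LEN:]
    modhex_to_hex(public_id)
    modhex_to_hex(body)
    return public_id, body


class OtpChecker:
    """Maps a typed OTP to the account its key is registered to, refusing replays."""

    def __init__(self, registry):
        self.registry = registry
        self.seen = set()   # OTP bodies already accepted (simplified replay defence)

    def check(self, typed):
        """Return (username, reason); username is None when the OTP is rejected."""
        try:
            public_id, body = split_otp(typed)
        except ValueError as err:
            return None, str(err)
        user = self.registry.get(public_id)
        if user is None:
            return None, "unregistered key"
        if body in self.seen:
            return None, "replayed OTP"
        self.seen.add(body)
        return user, "ok"


if __name__ == "__main__":
    checker = OtpChecker(REGISTERED_KEYS)
    sample = "cbdefghijkln" + "rtuv" * 8          # constructed: public ID + 32-char body
    print(modhex_to_hex("cbdefghijkln"))          # 0123456789ab
    print(checker.check(sample))                  # ('rnorden', 'ok')
    print(checker.check(sample))                  # (None, 'replayed OTP')
```

Because the public ID never changes, a defender can attribute every OTP to a registered key before looking at the OTP body at all; the reverse is also true, which is why the page notes that the serial is printed on the back of the key.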

RedZone Accounts

  • in PDS add membership in group "redzone"

  • Do NOT do the following: on RedZone AD server Larsen, create account by same name; password will be reset later by user in my.popdata.

  • sync AD account to redzone
    • go to cabot:/usr/local/src/jtmsync
    • edit jtmsync-rzone.conf
    • in types -> popdata, change ldap_filter and ad_filter to the username of the new user
    • change firewall, turn on rule to allow AD sync in section redzone outgoing rules
    • open2 on vancouver
    • on cabot run: ./jtmsync-rz.pl -c jtmsync-rzone.conf -t popdata
  • Login to larsen and check if the new user is created in the AD. Add "redzone" group.
  • On defuca, create home directory, then run following script
    • sh /usr/local/sbin/create_yellowfolder_dirs.sh USERNAME
    • vi /etc/group and add new username to appropriate groups
    • mkdir /popdata/projectsco/username (set permission)
    • mkdir /popdata/rawco/username (set permission)
  • On george2, create home directory, then run following script
    • sh /usr/local/sbin/create_yellowfolder_dirs.sh USERNAME
    • cd {HOME_DIR}; ln -s /bclhd/projects/projectname-number/extract-projects myextracts ; ln -s /popdata popdata (NOTE: /bclhd/projects -> /popdata/projects )
    • vi /etc/group and add new username to groups; popdata data-checkout datarequests dataholdings
    • setup drive mapping Z: \\george2\USERNAME (see DAU page Networking/Map )
  • Do the same as george2 for Payette

NOTE: /bclhd/projects -> /popdata/projects

  • On Franklin, create a home directory for new DAU/DSU/SnS staff.
    • Same permissions as other dau/dsu staff, plus a Desktop directory with the shortcut to start xfreerdp (rdesktop for virtual windows).
    • Copy desktop shortcut from one of the other rlu staff folders.

  • For YZ-RZ transfers you need to manually check that the following user directories exist, and create any that are missing

  • DAU/DSU staff - for YZ<>RZ transfer, the following folders must exist.
    • franklin:/data/saved/yellowzone/USERNAME
    • franklin:/data/saved/redzone/USERNAME (this one doesn't exist?)
    • franklin:/data/transfer/yellowzone/USERNAME
    • franklin:/data/transfer/redzone/USERNAME
    • franklin:/data/saved/USERNAME
    • george:/data/saved/yellowzone/USERNAME
    • george:/data/saved/redzone/USERNAME
    • cartier2:/data/transfer/yellowzone/USERNAME
      • Cartier2 (files.popdata.bc.ca)

Symbolic links: Copy from other DAU user (cp -P)

    • george2:/home/USERNAME/data-checkout
    • george2:/home/USERNAME/Data documentation
    • george2:/home/USERNAME/Data Requests
    • george2:/home/USERNAME/popdata

Researcher Accounts

Created now by the DAU. DAU Wiki on creating account

  • For each project, select researcher's main (short) account and click [Create project Login].
  • Select a previously created project. Enter a random password, and tell the user to use my.popdata.bc.ca to change the password on his main login, specifying "Update Any Secondary Accounts too?".
  • Edit new project account and at "SRE access" select "Active", unless of course you don't want to give researcher SRE access quite yet.
  • Tell IT staff to disable YellowFolders for new IDD projects (*-g0*) SRE#IDO.2FIDD_projects_use_OCWA
    2020-01-29 OTRS ticket: create_project.py was modified to automatically leave out the TRANSFER folder from "*-g*" (IDD) projects. For "*-*o" (ODC) project accounts, IT staff must create symlinks to 99-odc.
Approving Scout / MDC requests

See also RTL below. See Approving_MDC_Scout_Requests for process and criteria for approving requests.

Data steward accounts

Data Stewards can get access from outside via AppTracker to view projects that use their Data.

  • 2018-03-06 Procedure still requires PDS administrator intervention
    1. Add user to PDS, and member of group dar-datastewards. Some users have a separate login with "-ds" suffix to avoid interference with researcher account (?). No VPN or Yubikey required. [Normally done by DAU]
    2. Add user to AppTracker. [Normally done by DAU]
    3. Tie AppTracker ID(Ex: ahobbs) to PDS ID (Ex: ahobbs-ds). If more than one, double-check the numeric ID. [Normally done by DAU]
    4. Finally a PDS admin enables external access to AppTracker: https://pds.popdata.bc.ca/admin add to Track -> Pm data stewardss
      • Org: Select (if multiple entries, ask Tim which)
      • Notes:
      • Party: PDS user (Ex: "Amy Hobbs (1607)" is ahobbs-ds). Sorted by last name; Type first name to quickly scroll down.
      • Primary contact ind.: "Yes" for DAU to email updates to Primary contact; "Unknown" is OK.
      • View proj ind.: "Yes" to allow this Data Steward to view SRE projects in Apptracker from outside.

Course student accounts

Mostly created by the RLU or Anne Greenwood using PDS.

  • 3 variations: SRTL / RTL / free courses
  • Since 2012-apr, membership in group sre-users is not needed, only rtl-users or srtl-users as appropriate.
  • SRTL: Since 2013-03 PDS works great, offering editing of VPN groups, changing password and sending email.


Self-service account creation - RTL MDC Scout REDCap ...
  1. User visits my.popdata web page https://my.popdata.bc.ca/accounts/register/
    • Asked Name, Email, Situation (most required), accept privacy policy, passphrase (twice).
    • portal-templates/registration/registration_complete.html says
      "Registration Complete // Approval and Email // Your account will be reviewed by staff within 2 business days. // Your user login is: xxxxx".
    • users/register/__init__.py mentions send_activation_email in the docstring for register().
      2016 sample preliminary confirmation (needs clarification)
    • 2017-02-08 propose Change text to:
      Registration Queued // Please Wait for Approval Email // Your account will be reviewed by staff within 2 business days. Please be patient. // If approved you will receive an email containing an activation link, along with instructions for activating your account. // Your user login is: xxxxx -- you will need to remember this as well as the passphrase you just entered if/when the approval is processed in a day or two.
    • pds.log (and PDS log for user) shows: "Added USERNAME to group rtl-users"; "Registered user FULL NAME (username) ". Email sent to IT (from IT) "Account request needs approval".
  2. IT (or other staff) visits https://pds.popdata.bc.ca/users/approve/ (users/views.py) and sees list of new requests; either approve or delete requests. pds.log shows "Sending activation email for ..." or "Deleting account request for ...".
  3. Approval email 'From:' address is now 'rtl@popdata.bc.ca' (pds/settings.py:203:DEFAULT_FROM_EMAIL) ;
    • referenced in /usr/share/pyshared/registration/models.py: self.user.email_user(subject, message, settings.DEFAULT_FROM_EMAIL)
      From: rtl@popdata.bc.ca
      Subject: Activate your my.popdata.bc.ca account - you have 14 days!
      A message from Population Data BC
      Someone, hopefully you, signed up for a new account at my.popdata.bc.ca using this email address. If it was you, and you'd like to activate and use your account, click the link below or copy and paste it into your web browser's address bar:
      https://my.popdata.bc.ca/accounts/activate/8a8bd173a9ad9ea5d61cae6455956581de7f0851/
      If you didn't request this, you don't need to do anything; you won't receive any more emails from us, and the account will expire automatically in 14 days.
  4. Client clicks on link in activation email. pds.log shows "Activated registration for ..."
    • Client invited to login to my.popdata using the login assigned and the password entered at registration.
    • Should change wording: [1] explain passphrase.
PDS logs for self-service accounts
  • Form filled by user:
    pds.log 3 lines INFO ... ldaputil:create_user ... uid=testuser
    pds.log 4 lines INFO ... POST from /accounts/register/ by AnonymousUser ... Registered user Test User (testuser) ...
    PDS user "Log" section: (anonymous): Added testuser to group rtl-users
  • Approved by staff; activation email sent to user:
    3-4 lines INFO ... POST from /users/approve/... by Ryoko ... Sending activation ... Enabling Metadata Central ... group mdc-users
    nothing in PDS user "Log" section
  • User clicks on activation link:
    pds.log 1 line INFO ... GET from /accounts/activate/
    PDS user "Log" section: (anonymous): Activated registration for Test User (testuser)
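Because the three log phrases above mark the stages of a self-service registration, they can be used to audit the approval queue. The following is an added example, not part of PDS: it parses a constructed pds.log excerpt (the "timestamp LEVEL request: message" line layout is an assumption; the message phrases are the ones quoted above) and reports which accounts are active, which are waiting for staff approval past the 2 business days stated on the registration page, and which hold an activation link older than the 14-day expiry mentioned in the activation email.

```python
"""Audit of self-service registrations from pds.log lines (added example)."""
import re
from datetime import datetime, timedelta

# Constructed pds.log excerpt; line layout is an assumption, phrases are from the page.
SAMPLE_LOG = """\
2017-02-08 10:15:02 INFO POST from /accounts/register/ by AnonymousUser: Registered user Test User (testuser)
2017-02-08 16:40:11 INFO POST from /accounts/register/ by AnonymousUser: Registered user Pat Pending (ppending)
2017-01-20 09:00:00 INFO POST from /accounts/register/ by AnonymousUser: Registered user Sam Stale (sstale)
2017-01-20 11:30:00 INFO POST from /users/approve/ by Ryoko: Sending activation email for Sam Stale (sstale)
2017-02-09 09:05:00 INFO POST from /users/approve/ by Ryoko: Sending activation email for Test User (testuser)
2017-02-09 13:22:45 INFO GET from /accounts/activate/ by AnonymousUser: Activated registration for Test User (testuser)
2017-02-09 13:22:46 INFO GET from /static/logo.png by AnonymousUser: unrelated line, skipped
"""

EVENTS = {
    "Registered user": "registered",
    "Sending activation email for": "approved",
    "Activated registration for": "activated",
}
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \w+ .*?: "
    r"(?P<phrase>" + "|".join(re.escape(p) for p in EVENTS) + r") .*\((?P<user>[\w-]+)\)\s*$")

APPROVAL_SLA_BUSINESS_DAYS = 2          # "reviewed by staff within 2 business days"
ACTIVATION_WINDOW = timedelta(days=14)  # "the account will expire automatically in 14 days"


def parse_log(text):
    """Map username -> {event: timestamp} for the three lifecycle events."""
    accounts = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                      # anything that is not a lifecycle line
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        accounts.setdefault(m.group("user"), {})[EVENTS[m.group("phrase")]] = ts
    return accounts


def business_days_elapsed(start, end):
    """Weekdays (Mon-Fri) that have begun after start's date, up to end's date."""
    days, d = 0, start.date()
    while d < end.date():
        d += timedelta(days=1)
        if d.weekday() < 5:
            days += 1
    return days


def classify(accounts, now):
    """State of each self-service account as of `now`."""
    report = {}
    for user, ev in accounts.items():
        if "activated" in ev:
            state = "active"
        elif "approved" in ev:
            state = ("activation link expired" if now - ev["approved"] > ACTIVATION_WINDOW
                     else "awaiting activation")
        elif business_days_elapsed(ev["registered"], now) > APPROVAL_SLA_BUSINESS_DAYS:
            state = "approval overdue"
        else:
            state = "pending approval"
        report[user] = state
    return report


def audit(text, now):
    return classify(parse_log(text), now)


if __name__ == "__main__":
    for user, state in audit(SAMPLE_LOG, datetime(2017, 2, 13, 8, 0)).items():
        print(f"{user:12} {state}")
```

Run against the real log, the "approval overdue" list is what staff visiting /users/approve/ should be working through, and the "activation link expired" list is the set of accounts that will never become usable unless the requester registers again.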
RTL user forgets password and/or username
  • If they have never logged in and have no other presence on PopData servers, it's simplest to delete the account and reply:
    In the case of a user who has never logged in, we delete the unused account and invite
    you to please start over at https://my.popdata.bc.ca/accounts/register/ .
    Make sure you make note of the passphrase you create on that form, and the username assigned to you.
    You will receive an activation email within 2 business days.
  • Otherwise
    Your passphrase has been reset. Please login to https://my.popdata.bc.ca/password and change it to something only you know.
    Temporary passphrase:
Process for creating SRTL course-specific accounts
  1. Login to PDS https://pds.popdata.bc.ca
  2. In PDS, find or create primary (un-dashed) accounts for each student.
    • For a new account, you make up a secure temporary password and later give it to the student with instructions to change it immediately. Account names should be short and not contain punctuation (especially not dashes).
    • To find an existing account, the easiest way is to use a search box. The "User Search" box near the top searches all categories of accounts: enter (part of) the student's name or account name, press Enter to display a list of matches, and click on the correct (un-dashed) primary account.
      1. At bottom click on "Create Project Login" to create secondary account.
      2. Select project group "phda-03" or "spph-537" or as appropriate.
      3. If asked for a password, it needs to be unguessable, but it's just a temporary placeholder which the user never needs to know. Use the default passphrase proposed by PDS.
      4. PDS should have added the new project login to the group specified, but generally the student's course account should not have membership in group "srtl-users" until they have passed privacy test.
  3. For VPN access, usually Ann will distribute the YubiKey fobs and register them for each student's primary account, but not assign access to VPN group "srtl" until privacy test passed.
  • The intermediate state will be:
    • Primary account has VPN group SRTL and a YubiKey, but is not activated for SRTL and is not member of course group.
    • Secondary course account has no VPN access and no YubiKey, but is member of course group, and after passing quiz gets activated for SRTL (and appears in group srtl-users).
    • Before first use of secondary "dashed" account,
      1. student must login using primary account at https://my.popdata.bc.ca/account/login/ and change password for primary account, making sure that the checkbox is on for updating secondary accounts. This process propagates the password to the server for SRTL Remote Desktop authentication.
      2. instructor must activate primary account for SRTL VPN, and activate course account for SRTL (Windows access).
  • Process for deactivating a course account.
    • Removing membership in srtl-members for course-specific account is sufficient for temporary deactivation, as it blocks Remote Desktop access.
    • After end of course, membership in course group should also be removed, so that after the archive-and-delete process "srtl-archive-students" is run the folders are not re-created an hour later. See Courses#Archive_and_delete_course_user_directories

Guest accounts "test-user"

  • If a test user account allows VPN login without YubiKey (ex: RTL), it should not allow access to SRE or SRTL

Capitalization in username

  • Random CapiTaliZatioN of username will be accepted by VPN (AnyConnect), My.Popdata.bc.ca, and Remote Desktop,
    • except that yellowfolder transfer will fail if the username used for RDC does not exactly match the registered one.

Restricted use of temporary passphrase

When PDS is used to reset a user's passphrase, some systems will not accept login.

  • Training.popdata.bc.ca : login successful with no comment
  • my.popdata.bc.ca : immediately after login, forced to change passphrase
  • VPN (AnyConnect, group=sreyubi):
    • on Mac, blocked with a 30-second delay and no explanation;
    • on Windows, "Login denied. Your password has expired. You must update your password first at https://my.popdata.bc.ca"
    • in Cabot /var/lib/vpm/vpn-session-logs/'YYYY-MM-DD' : "Connection terminated by the following DAP records: update-password"

UBC CWL accounts

Most people working at UBC need a CWL account to use:

  • WiFi
  • myVPN.ubc.ca
  • view Payslips
  • etc...

Account Updates

Propagation and caching

  • After changing group membership, the old information (or old absence of information) can remain cached on various hosts
    • To get SRE file-servers (Fraser Drake Noyon Verendrye) to pay attention to new changes in group membership
      • sudo nscd --invalidate group



Account Lifecycle - disabling, deleting

  • When temporarily disabling an account, administrator should make sure that appropriate access is also removed

Disabling SRE accounts

    • SRE project account: remove sre-user access from project account(s).
    • [soon] PDS group page will offer a button to remove "sre-user" membership from all users in project.
    • Disconnect user from Remote Desktop sessions. Depending on the urgency, you should speak with the researcher before disconnecting their session. Check https://pds.popdata.bc.ca/radm/sreinfo/ or the project page. From a CMD or PowerShell window, type e.g. "quser /server:sre10" to find idle time and session number, then "tsdiscon /v /server:sre10 23" (if quser reported session 23). Their session will continue for 12 hours, but they won't be able to get back in until their "sre-users" membership is restored.
    • Other SRE projects: if user being blocked has other projects, ask Kaitlyn for opinion on blocking it too.
      • Not necessary to remove SRE VPN from parent account, or membership in project.
      • SAMBA on fileservers (R: drive and external share) requires "sre-users" at connect time; Windows on SRE machines requires same at connect time. Removing "sre-users" will not interfere with an existing Remote Desktop session, nor with its access to R: drive, but it will block future login, including reconnect.
      • Caching delays: for Windows Remote Desktop there seems to be no delay; for SAMBA file-shares caching is 60s (nscd.conf), so changes in PDS propagate in 30s on average.
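The quser/tsdiscon step above, wrapped in an added Python helper (not PDS or page code; Python is used to match the other examples on this page, although the commands themselves are typed into CMD or PowerShell). It parses quser output into sessions, finds the researcher's session id and idle time so the operator can decide whether to speak to them first, and builds the tsdiscon command quoted above. The quser output embedded here is constructed; the column layout follows what quser prints, with ">" marking the session the command was run from and a blank SESSIONNAME for disconnected sessions.

```python
"""Locate and disconnect an SRE Remote Desktop session (added example)."""
import re
import subprocess

# Constructed quser output; usernames, ids and times are made up.
SAMPLE_QUSER = """\
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
 rnorden               rdp-tcp#12         23  Active         35  2/3/2020 9:02 AM
>sysadmin              rdp-tcp#15          2  Active          .  2/3/2020 8:30 AM
 tark-p01                                  5  Disc      1+02:15  2/2/2020 4:10 PM
"""

# USERNAME, optional SESSIONNAME, ID, STATE, IDLE TIME, LOGON TIME; the header
# line has no numeric ID column and so does not match.
SESSION_LINE = re.compile(
    r"^\s*>?(?P<user>\S+)\s+(?:(?P<session>\S+)\s+)?(?P<id>\d+)\s+"
    r"(?P<state>Active|Disc)\s+(?P<idle>\S+)\s+(?P<logon>.+?)\s*$")


def parse_quser(text):
    """One dict per session line of quser output."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_LINE.match(line)
        if m:
            d = m.groupdict()
            d["id"] = int(d["id"])
            sessions.append(d)
    return sessions


def find_session(text, username):
    """(session id, idle time) for username, matched case-insensitively, or None."""
    for s in parse_quser(text):
        if s["user"].lower() == username.lower():
            return s["id"], s["idle"]
    return None


def tsdiscon_args(server, session_id):
    """Argument list for the tsdiscon command as written on this page."""
    return ["tsdiscon", "/v", f"/server:{server}", str(session_id)]


def disconnect(server, username, run=False):
    """Query `server` with quser; return (tsdiscon command, idle time) or None.

    With run=False (default) nothing is disconnected: the caller sees the idle
    time and the exact command first, which matches the advice above to talk
    to the researcher before cutting the session. Requires a Windows host."""
    output = subprocess.run(["quser", f"/server:{server}"],
                            capture_output=True, text=True, check=True).stdout
    found = find_session(output, username)
    if found is None:
        return None
    session_id, idle = found
    cmd = tsdiscon_args(server, session_id)
    if run:
        subprocess.run(cmd, check=True)
    return cmd, idle


if __name__ == "__main__":
    print(find_session(SAMPLE_QUSER, "rnorden"))      # (23, '35')
    print(" ".join(tsdiscon_args("sre10", 23)))        # tsdiscon /v /server:sre10 23
```

Disconnecting only buys the 12-hour window the page mentions; removing "sre-users" membership is what actually stops the reconnect.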

Others

    • Staff account: remove popdata vpn access but leave YubiKey; remove membership in admins, data-in, otrs, pds-admins, popdata-staff, popdata-wiki, redzone, rlu ...

Notes

  • disabling can be reversed.
  • in many cases the owner of the account has another project account

Permanent disabling

For permanent disabling, procedure must be refined or invented for the following steps in account lifecycle:

  • disable account's access to project folders (group membership); SRE machine login; VPN login if appropriate (either return of SecurID or ...)
  • after a while move account's files to an archive (compressed tar?), and delete account folders to reduce user-visible clutter. On SRE this includes subfolders of users, projects, Import/Export and corresponding external share together with links...
  • eventually delete account from LDAP, Django and Active Directory.
  • after [years?] delete archive.

Disabling RTL accounts

  • RTL-only accounts should get deleted after a few months. 2014-11-10 there are 876.
    • Criteria for labelling "rtl-only": VPN groups: only "rtl" or none; LDAP groups: may include rtl-users, course-ashg101, course-ashg201, researchers; no secondary accounts.
      • Program list-users-rtl-only.py on Sullivan under /home/www/pds/bin/ lists 876 in pds/logs/SRE-lists/rtl-users-141110.tab
    • The groups course-ashg101 & course-ashg201 are obsolete. There are 271 rtl-only (301 total) members of one or both of those free courses.
    • No files get deleted, but when an account is deleted, listings show the owner as numeric instead of name. E.g. deleted AAmparo, and "ls -ld /data/rtl/users/AAmparo" shows "5109".
    • Unfortunately numeric UIDs get quickly recycled; 4 days after deleting AAmparo, the owner is "qliu".
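As an added example (not the page's list-users-rtl-only.py), here is the rtl-only criterion above applied to constructed account records, together with a helper for the numeric-owner problem described in the last two points: record uid-to-name before deleting, so that a later listing can still be attributed, and flag a uid that has since been recycled to a different account.

```python
"""rtl-only classification and post-deletion owner attribution (added example)."""
from dataclasses import dataclass, field

# Criteria as stated on this page.
RTL_ONLY_VPN_GROUPS = {"rtl"}
RTL_ONLY_LDAP_GROUPS = {"rtl-users", "course-ashg101", "course-ashg201", "researchers"}
OBSOLETE_COURSE_GROUPS = {"course-ashg101", "course-ashg201"}


@dataclass
class Account:
    username: str
    uid: int
    vpn_groups: set = field(default_factory=set)
    ldap_groups: set = field(default_factory=set)
    secondary_accounts: list = field(default_factory=list)


# Constructed sample accounts; names, uids and memberships are made up.
ACCOUNTS = [
    Account("AAmparo", 5109, {"rtl"}, {"rtl-users", "course-ashg101"}),
    Account("bchen", 3010, set(), {"rtl-users"}),
    Account("tark", 2001, {"sreyubi"}, {"researchers", "sre-users"}, ["tark-p01"]),
    Account("jdoe", 3020, {"rtl", "srtl"}, {"rtl-users", "srtl-users"}),
]


def is_rtl_only(a: Account) -> bool:
    """VPN groups only "rtl" or none, LDAP groups within the allowed set, no secondaries."""
    return (a.vpn_groups <= RTL_ONLY_VPN_GROUPS
            and a.ldap_groups <= RTL_ONLY_LDAP_GROUPS
            and not a.secondary_accounts)


def rtl_only_report(accounts):
    rtl_only = [a for a in accounts if is_rtl_only(a)]
    return {
        "rtl_only": sorted(a.username for a in rtl_only),
        "in_obsolete_course_groups": sorted(
            a.username for a in rtl_only if a.ldap_groups & OBSOLETE_COURSE_GROUPS),
        # Keep this before deleting: afterwards "ls -l" shows only the number.
        "uid_map": {a.uid: a.username for a in rtl_only},
    }


def owner_of(uid, deleted_uid_map, live_accounts):
    """Explain a numeric owner seen in a listing after deletions.

    A uid can be live, deleted, or both: the last case is a recycled uid, where
    the files still belong to the deleted user even though the name shown is new."""
    live = {a.uid: a.username for a in live_accounts}
    if uid in live and uid in deleted_uid_map:
        return f"{live[uid]} (uid recycled; files originally owned by {deleted_uid_map[uid]})"
    if uid in live:
        return live[uid]
    if uid in deleted_uid_map:
        return f"{deleted_uid_map[uid]} (deleted)"
    return "unknown"


if __name__ == "__main__":
    report = rtl_only_report(ACCOUNTS)
    print(report["rtl_only"], report["in_obsolete_course_groups"])
    # Four days later the uid has been handed to a new account (constructed).
    print(owner_of(5109, report["uid_map"], [Account("qliu", 5109)]))
```

The uid map is the important output for the deletion step: without it, a directory under /data/rtl/users that later shows up as owned by a new account cannot be traced back to the deleted one.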

Creating / Disabling SRTL accounts

See Courses#Expiry_.2F_disabling_of_course_users

Account Deletion/Deactivation (places to remove)

  1. Ask Maria to remove the alarm code
  2. Access Control Management database (https://www.acms.ubc.ca/)
    • Door fob/UBC card. Set expiry date to yesterday, thus leaving a history and allowing quick reactivation.
    • YubiKey: remove the YubiKey from PDS
  3. Zimbra (https://mail.popdata.bc.ca/)
  4. pds (pds.popdata.bc.ca)
    • Do not delete. Reset password and remove the account from groups.
    • Deleting user in PDS also deletes records in LDAP (including VPN and other groups) & Active Directory, but not files.
  5. ldap (http://ldap.popdata.bc.ca/phpldapadmin/)
    • Remove user from ldap ONLY in specially requested cases.
  6. django (https://pds.popdata.bc.ca/admin/)
    • Remove user from django ONLY in specially requested cases.
  7. Active directory (YZ server:gilbert, YZ domain:popdata, RZ server:Beare, RZ domain:redzone)
    • Disable account, not remove.
  8. Folders & Files on YZ:Fraser, RZ:George2
    • Keep them until archive request arrives.
    • Individual servers
  9. drupal
  • ?? moodle (most accounts are set up in PDS, but there are a few (e.g. "rlu") private to Moodle)