Administrative access
=====================

See the `Deploy documentation `__ for access to self-hosted services, like servers, PostgreSQL, Kingfisher, Pelican and Prometheus.

If a service is down, check its status page:

- `Amazon Web Services `__
- `Cloudflare `__
- `GitHub `__
- `GoDaddy `__
- `Google `__
- `Heroku `__
- `LastPass `__
- `Linode `__
- `Microsoft Azure `__
- `PyPI `__
- `ReadTheDocs `__
- `Sentry `__
- `Transifex `__
- `WordFence `__

These :doc:`preferred services<../general/preferences>` don't have individual user accounts:

- Ahrefs (`requires account upgrade `__)
- Fathom
- Fixer
- Hetzner

.. note::

   If you are a consultant, **do not** use or create your own organizational accounts on services like `Fixer `__, `Prerender `__, `Docker Hub `__, etc. All organizational accounts must be owned by OCP.

.. seealso::

   :doc:`../general/preferences`, for the context in which these services are used.


Amazon Web Services
-------------------

There should be a minimum of two `IAM users `__ in the administrators group from OCP only. `The root user should not be used `__.


.. _cloudflare:

Cloudflare
----------

There should be a minimum of two `users `__ from OCP with "Super Administrator - All Privileges" access to "All domains".

Third-party sysadmins can be added with "Administrator" access to "All domains".


Figma
-----

There should be a minimum of two `admins `__ from OCP.

You can sort by *Last active* and remove seats from users who were last active more than 6 months ago.


GitHub
------

There should be a minimum of two `owners `__ from OCP only. Owners do not need to be added to teams.

The ``ocp-deploy`` user generates `personal access tokens `__ to:

- read and write to `ocp-data `__ from the `OCP Form Server `__ on :ref:`heroku` (fine-grained)
- auto-commit from :doc:`lint workflows<../github/maintainers>` to `selected repositories `__ (classic)

.. tip::

   Use the `org:owners `__ task to check the configuration.

.. seealso::

   :doc:`GitHub for maintainers<../github/maintainers>`


GoDaddy
-------

.. seealso::

   `DNS `__ in the Deploy documentation

There should be a minimum of two `accounts `__ from OCP only at the "Products, Domains, & Purchase" access level.

Third-party sysadmins can be added with "Delegate" access.


Google
------

.. note::

   For web analytics, use `Fathom `__ instead.

Admin
~~~~~

There should be a minimum of two `Super Admin `__ users from OCP only.

Cloud Platform
~~~~~~~~~~~~~~

.. note::

   Use Amazon Web Services, unless an application requires access to Google-exclusive services like Google Drive.

There should be a minimum of two `Organization Administrator `__ users from OCP only.

Periodically review `all projects `__. To view a project’s history, click its `Activity tab `__. To view a project’s resources, click its `Dashboard tab `__. Projects include:

- Library (two storage buckets)
- Pelican (IAM user)
- Website Search (API key)

If an administrator lacks access to a project, run, for example:

.. code-block:: bash

   gcloud projects add-iam-policy-binding ocds-172716 --member user:jmckinney@open-contracting.org --role roles/owner

If the user interface lacks access to an organization, run, for example:

.. code-block:: bash

   gcloud organizations add-iam-policy-binding organizations/1015889055088 --member domain:open-contracting.org --role roles/recommender.viewer

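The ``add-iam-policy-binding`` command above grants ``roles/owner`` on a project, and the rule on this page is that such administrators are at least two users from OCP. As an added example, not code from the OCP documentation or the Deploy repository, the following script applies that rule to a project's IAM policy as exported by ``gcloud projects get-iam-policy PROJECT_ID --format=json``: it reports when fewer than two individual ``user:`` members from the OCP domain hold ``roles/owner``, and lists any owner that is not such a user (other domains, groups, service accounts, or ``domain:`` grants). The domain constant, the embedded sample policy and the account names in it are constructed placeholders, not real OCP data.

```python
import json
import sys

OCP_DOMAIN = "open-contracting.org"  # assumption: the domain whose users count as "from OCP"

# Constructed sample in the JSON shape that
# `gcloud projects get-iam-policy PROJECT_ID --format=json` returns (not real OCP data).
SAMPLE_POLICY = json.dumps({
    "version": 1,
    "etag": "BwXyzExampleEtag",
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:alice@open-contracting.org",
                     "user:contractor@example.com"]},
        {"role": "roles/editor",
         "members": ["serviceAccount:pelican@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/viewer",
         "members": ["domain:open-contracting.org"]},
    ],
})


def owners_by_domain(policy_json, domain):
    """Split the members of every roles/owner binding into
    (individual users at `domain`, everything else), both sorted."""
    policy = json.loads(policy_json)
    ocp, other = [], []
    for binding in policy.get("bindings", []):
        if binding.get("role") != "roles/owner":
            continue
        for member in binding.get("members", []):
            kind, _, identity = member.partition(":")
            # Only individual user accounts count toward the two-administrator minimum;
            # groups, service accounts and domain-wide grants are reported separately
            # so a reviewer can decide whether each one is justified.
            if kind == "user" and identity.lower().endswith("@" + domain):
                ocp.append(identity)
            else:
                other.append(member)
    return sorted(ocp), sorted(other)


def check_policy(policy_json, domain=OCP_DOMAIN, minimum=2):
    """Return a list of findings; an empty list means the policy meets the rule."""
    ocp, other = owners_by_domain(policy_json, domain)
    findings = []
    if len(ocp) < minimum:
        findings.append(
            f"only {len(ocp)} owner(s) from {domain}; minimum is {minimum}: {ocp}")
    for member in other:
        findings.append(f"owner that is not a {domain} user: {member}")
    return findings


if __name__ == "__main__":
    # Read a policy from stdin when piped; otherwise check the embedded sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_POLICY
    findings = check_policy(data)
    for finding in findings:
        print(finding)
    sys.exit(1 if findings else 0)
```

Run it against a live project with ``gcloud projects get-iam-policy PROJECT_ID --format=json | python check_owners.py`` (the script name is an assumption); a non-zero exit status means the policy needs attention. Run with no input, it checks the embedded sample and reports both a shortfall of OCP owners and the owner from another domain.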

Drive
~~~~~

All users with access to the `Data & Technology folder `__ should belong to OCP only.

Groups
~~~~~~

- `standard-discuss `__ (`owners `__, `managers `__)

There should be a minimum of two `Owner `__ members from OCP only.


.. _heroku:

Heroku
------

For each app, there should be a minimum of two `collaborators `__ from OCP only, including the owner.

Third-party sysadmins can be added with "Collaborator" access.


LastPass
--------

There should be a minimum of two Manager users from OCP, including the ``sysadmin`` user.

Third-party sysadmins can be added with "Member" access to the "Servers" and "Sysadmin" folders.

Linode
------

There should be a minimum of two `users `__ with Full account access from OCP.

Third-party sysadmins can be added with "Full" access.


Microsoft
---------

.. note::

   Use Amazon Web Services instead of Azure, unless an application requires access to Microsoft-exclusive services like Power BI, or a partner requires it.

.. tip::

   Check *Fabric Capacity* in the Microsoft Fabric (Power BI) `Admin portal `__.

There should be a minimum of two `users `__ with the Global Administrator role from OCP.

Third-party sysadmins can be added with "Global Administrator" access.


.. _pypi-access:

PyPI
----

For each package, there should be a minimum of two `Owner `__ users from OCP, including the `opencontracting `__ user, whose API token is used in `pypi.yml workflows `__.

Only users who are reasonably expected to upload releases should have the Maintainer role.

If a third-party organization maintains a package, there can be one user from that organization with the Owner role to add maintainers (e.g. ``OpenDataServices``).


ReadTheDocs
-----------

There should be a minimum of two `users `__ with the Maintainer role from OCP.

Third-party maintainers can be added to the package's associated ReadTheDocs project, including organizational accounts (e.g. ``opendataservices``).

SecurityScorecard
-----------------

The `Free Plan `__ has no `people management `__.

Third-party sysadmins can be `added `__.


Sentry
------

There should be a minimum of two `members `__ with the Owner role and one member with the Billing role from OCP.

Third-party developers can be added with the Admin or Member role to organization-specific `teams `__ for specific projects.

Third-party sysadmins can be added with "Member" access.

Test PyPI
---------

For each package, the `opencontracting `__ user can be the single Owner, whose API token is used in `pypi.yml workflows `__.


Transifex
---------

There should be a minimum of two `Administrators `__ from OCP only.

If we reach our collaborator limit, `manage collaborators `__, removing those who were last seen more than 9 months ago.

WordFence
---------

There should be a minimum of two `members `__ from OCP. There can only be one Owner user.

Third-party sysadmins can be added with "Member" access.

WordPress (self-hosted)
-----------------------

There should be a minimum of two Administrator users from OCP.

Third-party sysadmins can be added with "Administrator" access.