Administrative access
=====================

See the `Deploy documentation `__ for access to self-hosted services, like servers, PostgreSQL, Kingfisher, Pelican and Prometheus.

If a service is down, check its status page:

- `Amazon Web Services `__
- `Cloudflare `__
- `GitHub `__
- `GoDaddy `__
- `Google `__
- `Heroku `__
- `LastPass `__
- `Linode `__
- `Microsoft Azure `__
- `PyPI `__
- `ReadTheDocs `__
- `Sentry `__
- `Transifex `__
- `WordFence `__

These :doc:`preferred services<../general/preferences>` don't have individual user accounts:

- Ahrefs (`requires account upgrade `__)
- Fathom
- Fixer
- Hetzner

.. note::

   If you are a consultant, **do not** use or create your own organizational accounts on services like `Fixer `__, `Prerender `__, `Docker Hub `__, etc. All organizational accounts must be owned by OCP.

.. seealso::

   :doc:`../general/preferences`, for the context in which these services are used.

Amazon Web Services
-------------------

There should be a minimum of two `IAM users `__ in the administrators group from OCP only.

`The root user should not be used `__.

.. _cloudflare:

Cloudflare
----------

There should be a minimum of two `users `__ from OCP with "Super Administrator - All Privileges" access to "All domains".

Third-party sysadmins can be added with "Administrator" access to "All domains".

Figma
-----

There should be a minimum of two `admins `__ from OCP.

You can sort by *Last active* and remove seats from users who were last active more than 6 months ago.

GitHub
------

There should be a minimum of two `owners `__ from OCP only. Owners do not need to be added to teams.

The ``ocp-deploy`` user generates `personal access tokens `__ to:

- read and write to `ocp-data `__ from the `OCP Form Server `__ on :ref:`heroku` (fine-grained)
- auto-commit from :doc:`lint workflows<../github/maintainers>` to `selected repositories `__ (classic)

.. tip::

   Use the `org:owners `__ task to check the configuration.

.. seealso::

   :doc:`GitHub for maintainers<../github/maintainers>`

GoDaddy
-------

.. seealso::

   `DNS `__ in the Deploy documentation

There should be a minimum of two `accounts `__ from OCP only at the "Products, Domains, & Purchase" access level.

Third-party sysadmins can be added with "Delegate" access.

Google
------

.. note::

   For web analytics, use `Fathom `__ instead.

Admin
~~~~~

There should be a minimum of two `Super Admin `__ users from OCP only.

Cloud Platform
~~~~~~~~~~~~~~

.. note::

   Use Amazon Web Services, unless an application requires access to Google-exclusive services like Google Drive.

There should be a minimum of two `Organization Administrator `__ users from OCP only.

Periodically review `all projects `__. To view a project’s history, click its `Activity tab `__. To view a project’s resources, click its `Dashboard tab `__.

Projects include:

- Library (two storage buckets)
- Pelican (IAM user)
- Website Search (API key)

If an administrator lacks access to a project, run, for example:

.. code-block:: bash

   gcloud projects add-iam-policy-binding ocds-172716 --member user:jmckinney@open-contracting.org --role roles/owner

If the user interface lacks access to an organization, run, for example:

.. code-block:: bash

   gcloud organizations add-iam-policy-binding organizations/1015889055088 --member domain:open-contracting.org --role roles/recommender.viewer

Drive
~~~~~

All users with access to the `Data & Technology folder `__ should belong to OCP only.

Groups
~~~~~~

- `standard-discuss `__ (`owners `__, `managers `__)

There should be a minimum of two `Owner `__ members from OCP only.

.. _heroku:

Heroku
------

For each app, there should be a minimum of two `collaborators `__ from OCP only, including the owner.

Third-party sysadmins can be added with "Collaborator" access.

LastPass
--------

There should be a minimum of two Manager users from OCP, including the ``sysadmin`` user.

Third-party sysadmins can be added with "Member" access to the "Servers" and "Sysadmin" folders.

Linode
------

There should be a minimum of two `users `__ with Full account access from OCP.

Third-party sysadmins can be added with "Full" access.

Microsoft
---------

.. note::

   Use Amazon Web Services instead of Azure, unless an application requires access to Microsoft-exclusive services like Power BI, or a partner requires it.

.. tip::

   Check *Fabric Capacity* in the Microsoft Fabric (Power BI) `Admin portal `__.

There should be a minimum of two `users `__ with the Global Administrator role from OCP.

Third-party sysadmins can be added with "Global Administrator" access.

.. _pypi-access:

PyPI
----

For each package, there should be a minimum of two `Owner `__ users from OCP, including the `opencontracting `__ user, whose API token is used in `pypi.yml workflows `__.

Only users who are reasonably expected to upload releases should have the Maintainer role.

If a third-party organization maintains a package, there can be one user from that organization with the Owner role to add maintainers (e.g. ``OpenDataServices``).

ReadTheDocs
-----------

There should be a minimum of two `users `__ with the Maintainer role from OCP.

Third-party maintainers can be added to the package's associated ReadTheDocs project, including organizational accounts (e.g. ``opendataservices``).

SecurityScorecard
-----------------

The `Free Plan `__ has no `people management `__.

Third-party sysadmins can be `added `__.

Sentry
------

There should be a minimum of two `members `__ with the Owner role and one member with the Billing role from OCP.

Third-party developers can be added with the Admin or Member role to organization-specific `teams `__ for specific projects.

Third-party sysadmins can be added with "Member" access.

Test PyPI
---------

For each package, the `opencontracting `__ user can be the single Owner, whose API token is used in `pypi.yml workflows `__.

Transifex
---------

There should be a minimum of two `Administrators `__ from OCP only.
If we reach our collaborator limit, `manage collaborators `__, removing those who were last seen more than 9 months ago.

WordFence
---------

There should be a minimum of two `members `__ from OCP. There can only be one Owner user.

Third-party sysadmins can be added with "Member" access.

WordPress (self-hosted)
-----------------------

There should be a minimum of two Administrator users from OCP.

Third-party sysadmins can be added with "Administrator" access.
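
The "minimum of two users from OCP only" rule in the Google Cloud Platform section can be checked against the JSON printed by ``gcloud projects get-iam-policy PROJECT_ID --format=json``. The following is an added example, not part of OCP's documentation or tooling: the ``audit_role`` function and the sample policy are constructed for illustration, and it assumes OCP accounts are those under the ``open-contracting.org`` domain that appears in the ``gcloud`` commands in that section.

```python
import json

PUBLIC = {"allUsers", "allAuthenticatedUsers"}

def audit_role(policy, role, org_domain, minimum=2):
    """Audit one role of a `gcloud ... get-iam-policy --format=json` document."""
    org_domain = org_domain.lower()
    internal, external, review = set(), set(), set()
    for binding in policy.get("bindings", []):
        if binding.get("role") != role:
            continue
        # A role can appear in several bindings (e.g. conditional ones): merge them.
        for member in binding.get("members", []):
            kind, _, ident = member.partition(":")
            if kind == "user":
                ident = ident.lower()
                in_org = ident.rpartition("@")[2] == org_domain
                (internal if in_org else external).add(ident)
            elif member in PUBLIC or (kind == "domain" and ident.lower() != org_domain):
                external.add(member)
            else:
                # Groups, service accounts, whole-domain grants and deleted
                # principals are not named people: list them for manual review.
                review.add(member)
    return {
        "internal": sorted(internal),
        "external": sorted(external),
        "review": sorted(review),
        # "Minimum of two ... from OCP only": enough org users, no outsiders.
        "compliant": len(internal) >= minimum and not external,
    }

# Constructed sample policy; every principal below is made up.
SAMPLE_POLICY = json.loads("""
{"version": 3, "bindings": [
  {"role": "roles/owner",
   "members": ["user:alice@open-contracting.org", "user:contractor@example.com"]},
  {"role": "roles/owner",
   "condition": {"title": "constructed", "expression": "true"},
   "members": ["user:Bob@Open-Contracting.org",
               "group:admins@open-contracting.org",
               "deleted:user:old@open-contracting.org?uid=123"]},
  {"role": "roles/viewer", "members": ["allUsers"]}
]}
""")

if __name__ == "__main__":
    report = audit_role(SAMPLE_POLICY, "roles/owner", "open-contracting.org")
    print(json.dumps(report, indent=2))
```

Entries under ``review`` do not fail the check on their own, because a group or service account cannot be attributed to a named person from the policy alone; resolve them by hand before treating the role as compliant.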