Administrative access¶
See the Deploy documentation for access to self-hosted services, like servers, PostgreSQL, Kingfisher, Pelican and Prometheus.
If a service is down, check its status page:
These preferred services don’t have individual user accounts:
Ahrefs (requires account upgrade)
Fathom
Fixer
Hetzner
Note
If you are a consultant, do not use or create your own organizational accounts on services like Fixer, Prerender, Docker Hub, etc. All organizational accounts must be owned by OCP.
See also
Preferences, for the context in which these services are used.
Amazon Web Services¶
There should be a minimum of two IAM users in the administrators group from OCP only. The root user should not be used.
Cloudflare¶
There should be a minimum of two users from OCP with “Super Administrator - All Privileges” access to “All domains”.
Third-party sysadmins can be added with “Administrator” access to “All domains”.
Figma¶
There should be a minimum of two admins from OCP.
You can sort by Last active and remove seats from users who were last active more than 6 months ago.
GitHub¶
There should be a minimum of two owners from OCP only. Owners do not need to be added to teams.
The ocp-deploy
user generates personal access tokens to:
read and write to ocp-data from the OCP Form Server on Heroku (fine-grained)
auto-commit from lint workflows to selected repositories (classic)
Tip
Use the org:owners task to check the configuration.
See also
GoDaddy¶
See also
DNS in the Deploy documentation
There should be a minimum of two accounts from OCP only at the “Products, Domains, & Purchase” access level.
Third-party sysadmins can be added with “Delegate” access.
Google¶
Note
For web analytics, use Fathom instead.
Admin¶
There should be a minimum of two Super Admin users from OCP only.
Cloud Platform¶
Note
Use Amazon Web Services, unless an application requires access to Google-exclusive services like Google Drive.
There should be a minimum of two Organization Administrator users from OCP only.
Periodically review all projects. To view a project’s history, click its Activity tab. To view a project’s resources, click its Dashboard tab. Projects include:
Library (two storage buckets)
Pelican (IAM user)
Website Search (API key)
If an administrator lacks access to a project, run, for example:
gcloud projects add-iam-policy-binding ocds-172716 --member user:jmckinney@open-contracting.org --role roles/owner
If the user interface lacks access to an organization, run, for example:
gcloud organizations add-iam-policy-binding organizations/1015889055088 --member domain:open-contracting.org --role roles/recommender.viewer
Drive¶
All users with access to the Data & Technology folder should belong to OCP only.
Groups¶
There should be a minimum of two Owner members from OCP only.
Heroku¶
For each app, a minimum of two collaborators from OCP only, including the owner.
Third-party sysadmins can be added with “Collaborator” access.
LastPass¶
There should be a minimum of two Manager users from OCP, including the sysadmin
user.
Third-party sysadmins can be added with “Member” access to the “Servers” and “Sysadmin” folders.
Linode¶
There should be a minimum of two users with Full account access from OCP.
Third-party sysadmins can be added with “Full” access.
Microsoft¶
Note
Use Amazon Web Services instead of Azure, unless an application requires access to Microsoft-exclusive services like Power BI, or a partner requires it.
Tip
Check Fabric Capacity in the Microsoft Fabric (Power BI) Admin portal.
There should be a minimum of two users with the Global Administrator role from OCP.
Third-party sysadmins can be added with “Global Administrator” access.
PyPI¶
For each package, there should be a minimum of two Owner users from OCP, including the opencontracting user, whose API token is used in pypi.yml workflows.
Only users who are reasonably expected to upload releases should have the Maintainer role.
If a third-party organization maintains a package, there can be one user from that organization with the Owner role to add maintainers (e.g. OpenDataServices
).
ReadTheDocs¶
There should be a minimum of two users with the Maintainer role from OCP.
Third-party maintainers can be added to the package’s associated ReadTheDocs project, including organizational accounts (e.g. opendataservices
).
SecurityScorecard¶
The Free Plan has no people management.
Third-party sysadmins can be added.
Sentry¶
There should be a minimum of two members with the Owner role and one member with the Billing role from OCP.
Third-party developers can be added with the Admin or Member role to organization-specific teams for specific projects.
Third-party sysadmins can be added with “Member” access.
Test PyPI¶
For each package, the opencontracting user can be the single Owner, whose API token is used in pypi.yml workflows.
Transifex¶
There should be a minimum of two Administrators from OCP only.
If we reach our collaborator limit, manage collaborators, removing those who were last seen more than 9 months ago.
WordFence¶
There should be a minimum of two members from OCP. There can only be one Owner user.
Third-party sysadmins can be added with “Member” access.
WordPress (self-hosted)¶
There should be a minimum of two Administrator users from OCP.
Third-party sysadmins can be added with “Administrator” access.