Administrative access

See the Deploy documentation for access to self-hosted services, like servers, PostgreSQL, Kingfisher, Pelican and Prometheus.

If a service is down, check its status page:

These preferred services don’t have individual user accounts:

Note

If you are a consultant, do not use or create your own organizational accounts on services like Fixer, Prerender, Docker Hub, etc. All organizational accounts must be owned by OCP.

See also

Preferences, for the context in which these services are used.

Amazon Web Services

There should be a minimum of two IAM users in the administrators group from OCP only. The root user should not be used.

Cloudflare

There should be a minimum of two users from OCP with “Super Administrator - All Privileges” access to “All domains”.

Third-party sysadmins can be added with “Administrator” access to “All domains”.

Figma

There should be a minimum of two admins from OCP.

You can sort by Last active and remove seats from users who were last active more than 6 months ago.

GitHub

There should be a minimum of two owners from OCP only. Owners do not need to be added to teams.

The ocp-deploy user generates personal access tokens to:

Tip

Use the org:owners task to check the configuration.

GoDaddy

See also

DNS in the Deploy documentation

There should be a minimum of two accounts from OCP only at the “Products, Domains, & Purchase” access level.

Third-party sysadmins can be added with “Delegate” access.

Google

Note

For web analytics, use Fathom instead.

Admin

There should be a minimum of two Super Admin users from OCP only.

Cloud Platform

Note

Use Amazon Web Services, unless an application requires access to Google-exclusive services like Google Drive.

There should be a minimum of two Organization Administrator users from OCP only.

Periodically review all projects. To view a project’s history, click its Activity tab. To view a project’s resources, click its Dashboard tab. Projects include:

  • Library (two storage buckets)

  • Pelican (IAM user)

  • Website Search (API key)

If an administrator lacks access to a project, run, for example:

gcloud projects add-iam-policy-binding ocds-172716 --member user:jmckinney@open-contracting.org --role roles/owner

If the user interface lacks access to an organization, run, for example:

gcloud organizations add-iam-policy-binding organizations/1015889055088 --member domain:open-contracting.org --role roles/recommender.viewer
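
A check for the "from OCP only" rule on a project, as an added example that is not part of the original documentation: it reads JSON in the shape printed by `gcloud projects get-iam-policy PROJECT_ID --format=json` and reports role holders outside the domain, or too few inside it. The `audit_role` function and the sample policy are constructed for illustration.

```python
import json

# Constructed sample in the shape printed by
# `gcloud projects get-iam-policy PROJECT_ID --format=json`.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:admin1@open-contracting.org",
                 "user:contractor@example.com",
                 "serviceAccount:ci@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/viewer",
     "members": ["domain:open-contracting.org"]}
  ],
  "version": 1
}
""")


def audit_role(policy, role, domain, minimum=2):
    """Return findings for one role: outside users and too few in-domain users."""
    members = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == role:
            members.update(binding.get("members", []))

    findings, inside = [], 0
    for member in sorted(members):
        kind, _, ident = member.partition(":")
        if kind != "user":
            # Groups, service accounts and domains hide the individual holders.
            findings.append(f"{role}: review non-user member {member}")
        elif ident.lower().endswith("@" + domain.lower()):
            inside += 1
        else:
            findings.append(f"{role}: {member} is outside {domain}")
    if inside < minimum:
        findings.append(f"{role}: {inside} user(s) from {domain}, need {minimum}")
    return findings


if __name__ == "__main__":
    for finding in audit_role(SAMPLE_POLICY, "roles/owner", "open-contracting.org"):
        print(finding)
```
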

Drive

All users with access to the Data & Technology folder should belong to OCP only.

Groups

There should be a minimum of two Owner members from OCP only.

Heroku

For each app, there should be a minimum of two collaborators from OCP only, including the owner.

Third-party sysadmins can be added with “Collaborator” access.

LastPass

There should be a minimum of two Manager users from OCP, including the sysadmin user.

Third-party sysadmins can be added with “Member” access to the “Servers” and “Sysadmin” folders.

Linode

There should be a minimum of two users with Full account access from OCP.

Third-party sysadmins can be added with “Full” access.

Microsoft

Note

Use Amazon Web Services instead of Azure, unless an application requires access to Microsoft-exclusive services like Power BI, or a partner requires it.

Tip

Check Fabric Capacity in the Microsoft Fabric (Power BI) Admin portal.

There should be a minimum of two users with the Global Administrator role from OCP.

Third-party sysadmins can be added with “Global Administrator” access.

PyPI

For each package, there should be a minimum of two Owner users from OCP, including the opencontracting user, whose API token is used in pypi.yml workflows.

Only users who are reasonably expected to upload releases should have the Maintainer role.

If a third-party organization maintains a package, there can be one user from that organization with the Owner role to add maintainers (e.g. OpenDataServices).

ReadTheDocs

There should be a minimum of two users with the Maintainer role from OCP.

Third-party maintainers can be added to the package’s associated ReadTheDocs project, including organizational accounts (e.g. opendataservices).

SecurityScorecard

The Free Plan has no people management.

Third-party sysadmins can be added.

Sentry

There should be a minimum of two members with the Owner role and one member with the Billing role from OCP.

Third-party developers can be added with the Admin or Member role to organization-specific teams for specific projects.

Third-party sysadmins can be added with “Member” access.

Test PyPI

For each package, the opencontracting user can be the single Owner, whose API token is used in pypi.yml workflows.

Transifex

There should be a minimum of two Administrators from OCP only.

If we reach our collaborator limit, manage collaborators, removing those who were last seen more than 9 months ago.

WordFence

There should be a minimum of two members from OCP. There can only be one Owner user.

Third-party sysadmins can be added with “Member” access.

WordPress (self-hosted)

There should be a minimum of two Administrator users from OCP.

Third-party sysadmins can be added with “Administrator” access.