The management of the Google Search Console is unfortunately quite limited. We can delegate access to invidual Google accounts, but that is only possible per sub domain and needs to be done manually by clicking through menus. So we're technically unable to grant access to the Search Console for all our domains, but we can arrange access for a sensible subset (which will probably be okay for their purposes).

I'm not sure how Google Tag Manager relates to Search Console, is it managed via the same admin credentials? If it's distinct, then from what I can tell it's currently not something managed by the passwords we maintain in SRE.

In T192893#4153694, @MoritzMuehlenhoff wrote:

The management of the Google Search Console is unfortunately quite limited. We can delegate access to invidual Google accounts, but that is only possible per sub domain and needs to be done manually by clicking through menus. So we're technically unable to grant access to the Search Console for all our domains, but we can arrange access for a sensible subset (which will probably be okay for their purposes).

I suspect a subset of about 20 projects would be sufficient for their analysis, and I'm checking with Go Fish about that. If they're good with it, I'll post the specific list of projects here.

I'm not sure how Google Tag Manager relates to Search Console, is it managed via the same admin credentials? If it's distinct, then from what I can tell it's currently not something managed by the passwords we maintain in SRE.

I've read up on Google Tag Manager, and according to Google's documentation it involves putting code in our site that talks to their servers and lets us perform modifications from their site. That's definitely not something we currently use, and it's not something we ever will.

@MoritzMuehlenhoff: Is the above all that is needed to grant this access? I've not dealt with the google search console before, so I'm not sure how we should review this request and how to grant it.

Please note I'm attempting to triage and process this as part of my duties this week as SRE clinic duty. As such, I may make a mistake below, and apologize in advance. I've not dealt with the google search console, and my understanding of our process may be flowed.

The only other google search console request task is pending @mark's review and approval of the rights to be given out. After a quick chat with @MoritzMuehlenhoff via IRC, it seems like this may be something we need @mark to review and approve (third party contractors getting a google console account.

I'm also not sure if there has been proper NDA review, and I'm guessing we need to know who is using the account, and something stating they won't share it beyond those two people?

Once that access is approved (by @mark or @faidon) then we can setup a single account for Go Fish Digital to use on our google search console. That account will have to have the below list of sub-domains/projects added to their account, allowing them the ability to review search engine optimizations with our Audiences team.

In T192893#4182442, @Deskana wrote:

Okay, I think we've got what we need now! Here's the 20 wikis they need:

• Wikipedias:
  • English
  • Spanish
  • German
  • Russian
  • Japanese
  • French
  • Italian
  • Portuguese
  • Polish
  • Chinese
• English Wiktionary
• English Wikiquote
• English Wikibooks
• English Wikisource
• English Wikispecies
• English Wikinews
• English Wikiversity
• English Wikivoyage
• Wikimedia Commons
• Wikidata

If all the above is accurate, I'll make sure to bring this up in our SRE team meeting next Monday (or with @mark directly before then if possible.)

I've emailed out to the SRE team in an attempt to hammer down the details/process for these requests.

I'm not sure if this needs my approval, but if it does, it has it, as long as:

• The console data contain PII, so an NDA would be absolutely required with whomever we'd need to give access to this. Presumably this company is under a contract with us and that probably includes a confidentiality clause? @Deskana, can you confirm?
• Without knowing much about this, this sounds like a one-off project, that has a start and an end date -- is that right? If so, we should make sure to revoke access to that account when the project is over (and especially if the contract, alongside its confidentialy clause, expires). We have an "expiration date" field for shell accounts, so we could do something similar here.

In T192893#4185804, @faidon wrote:

I'm not sure if this needs my approval, but if it does, it has it, as long as:

• The console data contain PII, so an NDA would be absolutely required with whomever we'd need to give access to this. Presumably this company is under a contract with us and that probably includes a confidentiality clause? @Deskana, can you confirm?

Confirmed. They've signed an agreement covering our privacy policy, data retention, and data security requirements that was drafted by Legal and Security, so we are good to go there.

• Without knowing much about this, this sounds like a one-off project, that has a start and an end date -- is that right? If so, we should make sure to revoke access to that account when the project is over (and especially if the contract, alongside its confidentialy clause, expires). We have an "expiration date" field for shell accounts, so we could do something similar here.

Sorry, I should have given a bit more detail. Yes, it's a one-off project. Adding an expiration date sounds fine to me. This project is expected to last a few months, so how about 2018-08-01? That should be more than enough time, and access can be revoked earlier if the project is completed earlier.

Thanks @Deskana :) I think that all seems sufficient and we should just go ahead with this. 2018-08-01 sounds reasonable, and we can always extend this if there's a need.

Maybe @MoritzMuehlenhoff can execute this?

(FWIW, we discussed internally yesterday the question of the process for granting and revoking access to the search console, but I don't consider this a blocker for this particular request)

In T192893#4190022, @faidon wrote:

Thanks @Deskana :) I think that all seems sufficient and we should just go ahead with this. 2018-08-01 sounds reasonable, and we can always extend this if there's a need.

Maybe @MoritzMuehlenhoff can execute this?

I can take care (but when it has been properly documented in wikitech it should be part of regular clinic duty like other access requests). Only next week, though since I'm off Thu/Fri and have a long list of TODOs for today. If this is needed earlier, this should be handled as part of this week's clinic duty.

In T192893#4190022, @faidon wrote:

Thanks @Deskana :) I think that all seems sufficient and we should just go ahead with this. 2018-08-01 sounds reasonable, and we can always extend this if there's a need.

Maybe @MoritzMuehlenhoff can execute this?

(FWIW, we discussed internally yesterday the question of the process for granting and revoking access to the search console, but I don't consider this a blocker for this particular request)

https://wikitech.wikimedia.org/wiki/Google_Search_Console_access is updated with instructions on the steps required to get search console access.

In T192893#4193791, @MoritzMuehlenhoff wrote:

I can take care (but when it has been properly documented in wikitech it should be part of regular clinic duty like other access requests). Only next week, though since I'm off Thu/Fri and have a long list of TODOs for today. If this is needed earlier, this should be handled as part of this week's clinic duty.

It can't really wait until next week. Money is being spent on this engagement with Go Fish, so delays are essentially costing us money. Let me know if I can help speed it up somehow.

@Deskana: It looks like we still need the following:

• The names and a shared email address if these two users will share an account.
  • The login is tied to an email address.
• @RStallman-legalteam to confirm Go Fish Digital (and the two users in question) have signed NDAs with WMF legal.

Once that is done, I've confirmed I can login to the google search console as the noc user, and should be able to set them up with new accounts.

@Deskana: It looks like we still need the following:

• The names and a shared email address if these two users will share an account.
  • The login is tied to an email address.
• @RStallman-legalteam to confirm Go Fish Digital (and the two users in question) have signed NDAs with WMF legal.

We discussed this account creation within the SRE team meeting earlier this week, and as long as we have the above, we should be good to continue.

Once we have that, I can create the user, with a calendar alarm (set to notify Mortiz, Deskana, and myself on the ops maint calendar) to disable this access on 2018-08-01.

I've confirmed I can login to the google search console as the noc user, and should be able to set them up with new accounts, once we have the above.

Additionally, I've done a first round attempt at documenting this on google search console access, which is linked off of Getting SRE Team Help

Thank you, @RobH!

In T192893#4194388, @RobH wrote:

• The names and a shared email address if these two users will share an account.
  • The login is tied to an email address.

The email you can use is admin2@gofishdigital.com.

I don't know specifically who at Go Fish is going to access the console. I've spoken to probably around 10 people there, and any one of them might access the console. If you need a specific name, you can use Mia Ficken, who is their project manager that I've been in touch with.

In T192893#4194394, @RobH wrote:

• @RStallman-legalteam to confirm Go Fish Digital (and the two users in question) have signed NDAs with WMF legal.

@JbuattiWMF should be able to help with this, too.

@RobH Just a friendly nudge, since I believe this is no longer "Awaiting user input" as the column on your board indicates (and is time-sensitive). Thanks!

@JKatzWMF: Rest assured, I'm well aware of the time sensitivity. This is currently awaiting WMF legal approval within an email thread that includes both @Deskana and myself. I've been syncing up with @Deskana regularly, as both of us try to move this along.

Please note that in addition to the email thread, I've documented the process for requesting google search console access off the Getting help from SRE Team page.

So once we have the WMF legal signoff, I'm prepared to go in and setup the single user email on 20 https accounts as a restricted user (least amount of rights.) I can also add them to the HTTP domains, but since we redirect them to HTTPS, not sure if it is needed.

Confirming that the Master Services Agreement we have on file with Go Fish has an NDA, so all set there.

/me tiptoes away, embarrassed. Sorry, @RobH. Classic outsider move and I'll back off. Thanks for the additional work you're putting into standardizing this, as well. It is very much appreciated!!

In T192893#4200827, @JKatzWMF wrote:

/me tiptoes away, embarrassed. Sorry, @RobH. Classic outsider move and I'll back off. Thanks for the additional work you're putting into standardizing this, as well. It is very much appreciated!!

No worries! I hadn't updated the task and you cannot be expected to know about an email thread that you weren't on!

The email thread with legal seems to have reached a conclusion in support, so I'm now in the process of adding admin2@gofishdigital.com to the subdomains:

In T192893#4182442, @Deskana wrote:

Okay, I think we've got what we need now! Here's the 20 wikis they need:

• Wikipedias:
  • English
  • Spanish
  • German
  • Russian
  • Japanese
  • French
  • Italian
  • Portuguese
  • Polish
  • Chinese
• English Wiktionary
• English Wikiquote
• English Wikibooks
• English Wikisource
• English Wikispecies
• English Wikinews
• English Wikiversity
• English Wikivoyage
• Wikimedia Commons
• Wikidata

I'm just adding them to the HTTPS version of the sites, since that is already 20 settings page changes. I'll add the user as restricted to each domain.

@RobH Thank you! Does their access also cover the mobile domains, such as en.m.wikipedia.org? I'm sorry for not being more explicit about that in the original description.

@RobH I'm very sorry for the moving goalposts. This is completely my fault for not making the request clear enough.

Adding the mobile domains for only the English Wikipedia would be sufficient; with HTTP and HTTPS, that's only two additional domains, so shouldn't be too much work. They seem satisfied with everything else they've got, so this should hopefully be the last shift in the goal posts.

In T192893#4462800, @RobH wrote:

Ok, this is set to expire on 2018-08-01. By expire, I mean my google calendar reminds me to manually login and pull up these dozen domains (with most having https and http versions) and pulling this admin2@gofishdigital.com off of each of the domains.

@Deskana: Would you be able to provide feedback if this user needs to keep access for now? If they need to keep it past 2018-08-01, when should we set the next reminder for expiry check?

Their work is finished, so their access can be removed.

I've really appreciated your help throughout this process. Thanks!

Ok, parsing the above task and comments (which I reference below), we had a number of domains to remove them from. The comments below list them out, plus the addition of 'every' version of en.wikipedia.org in the console (http/https/m/non-m of each).

I've removed admin2@gofishdigital.com from each of the entries.

Since this is a third party contractor in the google search console, I wouldn't mind another SRE team member double-checking to ensure I didn't miss anything.

In T192893#4209110, @RobH wrote:

In T192893#4209078, @RobH wrote:

The email thread with legal seems to have reached a conclusion in support, so I'm now in the process of adding admin2@gofishdigital.com to the subdomains:

In T192893#4182442, @Deskana wrote:

Okay, I think we've got what we need now! Here's the 20 wikis they need:

• Wikipedias:
  • English
  • Spanish
  • German
  • Russian
  • Japanese
  • French
  • Italian
  • Portuguese
  • Polish
  • Chinese

• English Wiktionary No HTTPS, added to HTTP entry.
• English Wikiquote No HTTPS, added to HTTP entry.
• English Wikibooks No HTTPS, added to HTTP entry.

• English Wikisource
• English Wikispecies

• English Wikinews - No HTTPS, added to HTTP entry.

• English Wikiversity - Doesn't have entry, not added.

• English Wikivoyage
• Wikimedia Commons
• Wikidata

Unless otherwise noted in line, I've added admin2@gofishdigital.com as a restricted user to the HTTPS version of the domains listed above. I've also created a gcal entry on the SRE maint-announce calendar to email for 2018-08-01 to email to @Deskana, @faidon, @MoritzMuehlenhoff, and myself. At that time, we'll need to sync up and ensure someone removes access.

This should resolve this request. If anything isn't correct, please re-open!

In T192893#4210945, @Deskana wrote:

@RobH I'm very sorry for the moving goalposts. This is completely my fault for not making the request clear enough.

Adding the mobile domains for only the English Wikipedia would be sufficient; with HTTP and HTTPS, that's only two additional domains, so shouldn't be too much work. They seem satisfied with everything else they've got, so this should hopefully be the last shift in the goal posts.