Access to Google Search Console for Go Fish Digital
Closed, Resolved · Public

Description

The Audiences department is currently engaging with Go Fish Digital to help us improve our understanding of search engine optimisation. As part of our engagement with them, they need access to:

  1. Google Search Console (https://www.google.com/webmasters/).
  2. (descoped, WMF doesn't use this) Google Tag Manager (https://www.google.com/analytics/tag-manager/).
  3. (descoped, WMF doesn't use this) Google Analytics (https://www.google.com/analytics/).

They have signed a master service agreement which fully covers our privacy policy, data retention, and data security requirements, and the agreement received signoff from Jim Buatti (in Legal) and Toby (the Chief Product Officer), amongst others.

I suggest creating an account for them with access to these tools, so that access can be easily revoked at a later date, but I'm happy to go with whatever the best practice is here.

(I don't think we actually use Google Analytics, but I'm including it here for the sake of completeness in case I'm wrong about that.)

Event Timeline

Restricted Application added a subscriber: Aklapper.

The management of the Google Search Console is unfortunately quite limited. We can delegate access to individual Google accounts, but that is only possible per sub domain and needs to be done manually by clicking through menus. So we're technically unable to grant access to the Search Console for all our domains, but we can arrange access for a sensible subset (which will probably be okay for their purposes).

I'm not sure how Google Tag Manager relates to Search Console, is it managed via the same admin credentials? If it's distinct, then from what I can tell it's currently not something managed by the passwords we maintain in SRE.

I suspect a subset of about 20 projects would be sufficient for their analysis, and I'm checking with Go Fish about that. If they're good with it, I'll post the specific list of projects here.

I've read up on Google Tag Manager, and according to Google's documentation it involves putting code in our site that talks to their servers and lets us perform modifications from their site. That's definitely not something we currently use, and it's not something we ever will.

MoritzMuehlenhoff renamed this task from Access to Google Search Console, Tag Manager, and Analytics for Go Fish Digital to Access to Google Search Console for Go Fish Digital. Apr 24 2018, 3:11 PM
herron triaged this task as Medium priority. Apr 24 2018, 6:35 PM
herron moved this task from Untriaged to Awaiting User Input on the SRE-Access-Requests board.
RobH subscribed.

@Deskana: I'm going to assign this to you directly, as it appears to be awaiting your feedback. Once you have given it, and it is ready for SRE review again, simply unassign yourself as the assignee so it appears to need triage on the SRE-Access-Requests workboard.

Okay, I think we've got what we need now! Here's the 20 wikis they need:

  • Wikipedias:
    • English
    • Spanish
    • German
    • Russian
    • Japanese
    • French
    • Italian
    • Portuguese
    • Polish
    • Chinese
  • English Wiktionary
  • English Wikiquote
  • English Wikibooks
  • English Wikisource
  • English Wikispecies
  • English Wikinews
  • English Wikiversity
  • English Wikivoyage
  • Wikimedia Commons
  • Wikidata

@MoritzMuehlenhoff: Is the above all that is needed to grant this access? I've not dealt with the google search console before, so I'm not sure how we should review this request and how to grant it.

Please note I'm attempting to triage and process this as part of my duties this week as SRE clinic duty. As such, I may make a mistake below, and apologize in advance. I've not dealt with the google search console, and my understanding of our process may be flawed.

The only other google search console request task is pending @mark's review and approval of the rights to be given out. After a quick chat with @MoritzMuehlenhoff via IRC, it seems like this may be something we need @mark to review and approve (third party contractors getting a google console account).

I'm also not sure if there has been proper NDA review, and I'm guessing we need to know who is using the account, and something stating they won't share it beyond those two people?

Once that access is approved (by @mark or @faidon) then we can setup a single account for Go Fish Digital to use on our google search console. That account will have to have the below list of sub-domains/projects added to their account, allowing them the ability to review search engine optimizations with our Audiences team.

Okay, I think we've got what we need now! Here's the 20 wikis they need:

  • Wikipedias:
    • English
    • Spanish
    • German
    • Russian
    • Japanese
    • French
    • Italian
    • Portuguese
    • Polish
    • Chinese
  • English Wiktionary
  • English Wikiquote
  • English Wikibooks
  • English Wikisource
  • English Wikispecies
  • English Wikinews
  • English Wikiversity
  • English Wikivoyage
  • Wikimedia Commons
  • Wikidata

If all the above is accurate, I'll make sure to bring this up in our SRE team meeting next Monday (or with @mark directly before then if possible.)

I've emailed out to the SRE team in an attempt to hammer down the details/process for these requests.

I'm not sure if this needs my approval, but if it does, it has it, as long as:

  • The console data contain PII, so an NDA would be absolutely required with whomever we'd need to give access to this. Presumably this company is under a contract with us and that probably includes a confidentiality clause? @Deskana, can you confirm?
  • Without knowing much about this, this sounds like a one-off project, that has a start and an end date -- is that right? If so, we should make sure to revoke access to that account when the project is over (and especially if the contract, alongside its confidentiality clause, expires). We have an "expiration date" field for shell accounts, so we could do something similar here.

Confirmed. They've signed an agreement covering our privacy policy, data retention, and data security requirements that was drafted by Legal and Security, so we are good to go there.

Sorry, I should have given a bit more detail. Yes, it's a one-off project. Adding an expiration date sounds fine to me. This project is expected to last a few months, so how about 2018-08-01? That should be more than enough time, and access can be revoked earlier if the project is completed earlier.

Thanks @Deskana :) I think that all seems sufficient and we should just go ahead with this. 2018-08-01 sounds reasonable, and we can always extend this if there's a need.

Maybe @MoritzMuehlenhoff can execute this?

(FWIW, we discussed internally yesterday the question of the process for granting and revoking access to the search console, but I don't consider this a blocker for this particular request)

I can take care (but when it has been properly documented in wikitech it should be part of regular clinic duty like other access requests). Only next week, though since I'm off Thu/Fri and have a long list of TODOs for today. If this is needed earlier, this should be handled as part of this week's clinic duty.

https://wikitech.wikimedia.org/wiki/Google_Search_Console_access is updated with instructions on the steps required to get search console access.

It can't really wait until next week. Money is being spent on this engagement with Go Fish, so delays are essentially costing us money. Let me know if I can help speed it up somehow.

@Deskana: It looks like we still need the following:

  • The names and a shared email address if these two users will share an account.
    • The login is tied to an email address.
  • @RStallman-legalteam to confirm Go Fish Digital (and the two users in question) have signed NDAs with WMF legal.

Once that is done, I've confirmed I can login to the google search console as the noc user, and should be able to set them up with new accounts.

We discussed this account creation within the SRE team meeting earlier this week, and as long as we have the above, we should be good to continue.

Once we have that, I can create the user, with a calendar alarm (set to notify Moritz, Deskana, and myself on the ops maint calendar) to disable this access on 2018-08-01.

I've confirmed I can login to the google search console as the noc user, and should be able to set them up with new accounts, once we have the above.

Additionally, I've done a first round attempt at documenting this on google search console access, which is linked off of Getting SRE Team Help.

Thank you, @RobH!

  • The names and a shared email address if these two users will share an account.
    • The login is tied to an email address.

The email you can use is admin2@gofishdigital.com.

I don't know specifically who at Go Fish is going to access the console. I've spoken to probably around 10 people there, and any one of them might access the console. If you need a specific name, you can use Mia Ficken, who is their project manager that I've been in touch with.

  • @RStallman-legalteam to confirm Go Fish Digital (and the two users in question) have signed NDAs with WMF legal.

@JbuattiWMF should be able to help with this, too.

@RobH Just a friendly nudge, since I believe this is no longer "Awaiting user input" as the column on your board indicates (and is time-sensitive). Thanks!

@JKatzWMF: Rest assured, I'm well aware of the time sensitivity. This is currently awaiting WMF legal approval within an email thread that includes both @Deskana and myself. I've been syncing up with @Deskana regularly, as both of us try to move this along.

Please note that in addition to the email thread, I've documented the process for requesting google search console access off the Getting help from SRE Team page.

So once we have the WMF legal signoff, I'm prepared to go in and setup the single user email on 20 https accounts as a restricted user (least amount of rights.) I can also add them to the HTTP domains, but since we redirect them to HTTPS, not sure if it is needed.

Confirming that the Master Services Agreement we have on file with Go Fish has an NDA, so all set there.

/me tiptoes away, embarrassed. Sorry, @RobH. Classic outsider move and I'll back off. Thanks for the additional work you're putting into standardizing this, as well. It is very much appreciated!!

No worries! I hadn't updated the task and you cannot be expected to know about an email thread that you weren't on!

The email thread with legal seems to have reached a conclusion in support, so I'm now in the process of adding admin2@gofishdigital.com to the subdomains:

Okay, I think we've got what we need now! Here's the 20 wikis they need:

  • Wikipedias:
    • English
    • Spanish
    • German
    • Russian
    • Japanese
    • French
    • Italian
    • Portuguese
    • Polish
    • Chinese
  • English Wiktionary
  • English Wikiquote
  • English Wikibooks
  • English Wikisource
  • English Wikispecies
  • English Wikinews
  • English Wikiversity
  • English Wikivoyage
  • Wikimedia Commons
  • Wikidata

I'm just adding them to the HTTPS version of the sites, since that is already 20 settings page changes. I'll add the user as restricted to each domain.

RobH closed this task as Resolved. Edited May 15 2018, 10:26 PM
RobH claimed this task.

The email thread with legal seems to have reached a conclusion in support, so I'm now in the process of adding admin2@gofishdigital.com to the subdomains:

Okay, I think we've got what we need now! Here's the 20 wikis they need:

  • Wikipedias:
    • English
    • Spanish
    • German
    • Russian
    • Japanese
    • French
    • Italian
    • Portuguese
    • Polish
    • Chinese
  • English Wiktionary No HTTPS, added to HTTP entry.
  • English Wikiquote No HTTPS, added to HTTP entry.
  • English Wikibooks No HTTPS, added to HTTP entry.
  • English Wikisource
  • English Wikispecies
  • English Wikinews - No HTTPS, added to HTTP entry.
  • English Wikiversity - Doesn't have entry, not added.
  • English Wikivoyage
  • Wikimedia Commons
  • Wikidata

Unless otherwise noted in line, I've added admin2@gofishdigital.com as a restricted user to the HTTPS version of the domains listed above. I've also created a gcal entry on the SRE maint-announce calendar to email for 2018-08-01 to email to @Deskana, @faidon, @MoritzMuehlenhoff, and myself. At that time, we'll need to sync up and ensure someone removes access.

This should resolve this request. If anything isn't correct, please re-open!

@RobH Thank you! Does their access also cover the mobile domains, such as en.m.wikipedia.org? I'm sorry for not being more explicit about that in the original description.

RobH reopened this task as Open. Edited May 16 2018, 7:10 PM

For clinic duty: This is NO LONGER BLOCKED BY @RobH, anyone on clinic duty can follow the directions on https://wikitech.wikimedia.org/wiki/Google_Search_Console_access to add/modify/edit the admin2@gofishdigital.com as restricted (unless otherwise noted) users to each domain.

@Deskana: No, I only added them to the HTTPS versions of the domains listed, as I stated. (Except for those which no https listing existed and I used http, also noted in past comments.)

So we have 20 domains. Adding to http and https makes it 40 domains. Adding to the m version of both makes it 80 domains. Before we keep adding creep to this list, I'd like it to be more clearly stated on what they need (as adding users is extremely time consuming, as is removing them at the end of the period.)

So, which domains do they need mobile domain version of, and do they need both https and http, or only https where available? Also have they logged in and accessed what they have available, and is the restricted setting good enough? If I have to pull up all of these domains one by one to edit them, I prefer we reduce the number of times I/we/SRE/clinic duty has to do so.

RobH removed RobH as the assignee of this task. May 16 2018, 7:13 PM

@RobH I'm very sorry for the moving goalposts. This is completely my fault for not making the request clear enough.

Adding the mobile domains for only the English Wikipedia would be sufficient; with HTTP and HTTPS, that's only two additional domains, so shouldn't be too much work. They seem satisfied with everything else they've got, so this should hopefully be the last shift in the goal posts.

RobH claimed this task.

Ok, I've gone ahead and added admin2@gofishdigital to the domains of https://en.wikipedia.org (was added on last update before this), http://en.wikipedia.org, https://en.m.wikipedia.org, and http://en.m.wikipedia.org.

Re-resolving this task, since it seems fixed now!

Vvjjkkii renamed this task from Access to Google Search Console for Go Fish Digital to 6ceaaaaaaa. Jul 1 2018, 1:14 AM
Vvjjkkii reopened this task as Open.
Vvjjkkii removed RobH as the assignee of this task.
Vvjjkkii raised the priority of this task from Medium to High.
Vvjjkkii updated the task description.
Vvjjkkii removed a subscriber: Aklapper.
AfroThundr3007730 renamed this task from 6ceaaaaaaa to Access to Google Search Console for Go Fish Digital. Jul 1 2018, 6:50 AM
AfroThundr3007730 closed this task as Resolved.
AfroThundr3007730 assigned this task to RobH.
AfroThundr3007730 lowered the priority of this task from High to Medium.
AfroThundr3007730 updated the task description.
AfroThundr3007730 added a subscriber: Aklapper.
RobH reassigned this task from RobH to Deskana.

Ok, this is set to expire on 2018-08-01. By expire, I mean my google calendar reminds me to manually login and pull up these dozen domains (with most having https and http versions) and pulling this admin2@gofishdigital.com off of each of the domains.

@Deskana: Would you be able to provide feedback if this user needs to keep access for now? If they need to keep it past 2018-08-01, when should we set the next reminder for expiry check?

Their work is finished, so their access can be removed.

I've really appreciated your help throughout this process. Thanks!

Ok, parsing the above task and comments (which I reference below), we had a number of domains to remove them from. The comments below list them out, plus the addition of 'every' version of en.wikipedia.org in the console (http/https/m/non-m of each).

I've removed admin2@gofishdigital.com from each of the entries.

Since this is a third party contractor in the google search console, I wouldn't mind another SRE team member double-checking to ensure I didn't miss anything.

The email thread with legal seems to have reached a conclusion in support, so I'm now in the process of adding admin2@gofishdigital.com to the subdomains:

Okay, I think we've got what we need now! Here's the 20 wikis they need:

  • Wikipedias:
    • English
    • Spanish
    • German
    • Russian
    • Japanese
    • French
    • Italian
    • Portuguese
    • Polish
    • Chinese
  • English Wiktionary No HTTPS, added to HTTP entry.
  • English Wikiquote No HTTPS, added to HTTP entry.
  • English Wikibooks No HTTPS, added to HTTP entry.
  • English Wikisource
  • English Wikispecies
  • English Wikinews - No HTTPS, added to HTTP entry.
  • English Wikiversity - Doesn't have entry, not added.
  • English Wikivoyage
  • Wikimedia Commons
  • Wikidata

Unless otherwise noted in line, I've added admin2@gofishdigital.com as a restricted user to the HTTPS version of the domains listed above. I've also created a gcal entry on the SRE maint-announce calendar to email for 2018-08-01 to email to @Deskana, @faidon, @MoritzMuehlenhoff, and myself. At that time, we'll need to sync up and ensure someone removes access.

This should resolve this request. If anything isn't correct, please re-open!

@RobH I'm very sorry for the moving goalposts. This is completely my fault for not making the request clear enough.

Adding the mobile domains for only the English Wikipedia would be sufficient; with HTTP and HTTPS, that's only two additional domains, so shouldn't be too much work. They seem satisfied with everything else they've got, so this should hopefully be the last shift in the goal posts.

RobH removed RobH as the assignee of this task. Aug 1 2018, 3:05 PM
herron claimed this task.
herron subscribed.

In T192893#4465797, @RobH wrote:
Since this is a third party contractor in the google search console, I wouldn't mind another SRE team member double-checking to ensure I didn't miss anything.

I've just gone through the list to double check and it looks good overall. There was only one entry that slipped through on en.wikivoyage and it has been removed.

  • English Wiktionary No HTTPS, added to HTTP entry.
  • English Wikiquote No HTTPS, added to HTTP entry.
  • English Wikibooks No HTTPS, added to HTTP entry.
  • English Wikinews - No HTTPS, added to HTTP entry.

I could not find the HTTP versions of these sites mentioned above in search console, presumably because they have been moved to https. I did double check the https site permissions and they look good.

For similar requests in the future I think we should consider creating a role account under WMF control in google apps to provision 3rd party access. This would allow us to revoke access with a single action.

I'll transition this to resolved now. Please re-open if any follow up is needed. Thanks!