
Access to WikimediaFoundation.org analytics for Deb
Closed, Resolved (Public)

Description

Hello - can we please get access for one of our new Directors, Deb Zierten, to the analytics system for WikimediaFoundation.org? Her Wikitech account is "Deb Zierten". Please let me know if you need anything else. Thank you!

Event Timeline

Please add ldap username (it should be one word)

Is their LDAP the same as our Google Accounts username? I was told previously it was associated with Wikitech, but perhaps I am remembering wrong or was told wrong. :)

ldap is associated with wikitech, normally 1 word

If it is their username, I suspect then that it is "Deb_Zierten" as they are User:Deb Zierten.

Then they should have access already using "Deb_Zierten"

Okay - so basically anyone that registers on Wikitech and knows the account password for our analytics instance can get access - you do not need to add any permissions?

> Okay - so basically anyone that registers on Wikitech and knows the account password for our analytics instance can get access

That's correct

Awesome - thank you! Sorry for the confusion. :)

@Nuria - Deb does not seem to have access to the piwik login. After she enters her LDAP, she gets an error that she does not have access to the site and does not get the second login prompt. Any ideas?

Mmm, I thought that piwik might not require an NDA on file, but it might. @elukey, is piwik access also restricted to the NDA group?

Peachey88 reopened this task as Open. (Edited Jul 20 2019, 4:51 AM)
Peachey88 subscribed.

The user needs to be in either wmf or nda for access (see: https://wikitech.wikimedia.org/wiki/Analytics/Systems/Piwik)

Their LDAP account currently isn't in any, if you have a look at https://tools.wmflabs.org/ldap/user/Deb_Zierten

fdans triaged this task as High priority.
fdans moved this task from Incoming to Operational Excellence on the Analytics board.
fdans moved this task from Operational Excellence to Ops Week on the Analytics board.

@Varnent Deb needs to sign an NDA (she might have done it de facto during her onboarding). Someone will verify that this is so, and she can then be added to the group that has access to this data. Sorry, my first message in this regard was incorrect.

@Nuria - the NDA was a part of her onboarding - so she should be all set. :)

No worries - thank you!! :)

I think someone (that can do so) needs to verify NDA on file + employment, and then access can be granted

> I think someone (that can do so) needs to verify NDA on file + employment, and then access can be granted

That would be @RStallman-legalteam

Would @Heather be able to do so as our department executive?

herron subscribed.

I wasn't able to find an ldap account with shell username Deb_Zierten, but I do see shell username dz1 associated with Deb's wikitech account and wmf email address.

https://tools.wmflabs.org/ldap/user/dz1

I've added the dz1 account to the NDA group, and will set this to resolved as a soft close. If any follow-up is needed, please don't hesitate to re-open. Thanks!

MoritzMuehlenhoff subscribed.

@herron: If you add an account to a PII-relevant LDAP group which does not have shell access to the production cluster, it needs to be added to modules/admin/data/data.yaml

Change 525294 had a related patch set uploaded (by Herron; owner: Herron):
[operations/puppet@production] admin: add dz1 to ldap_only_users

https://gerrit.wikimedia.org/r/525294

Change 525294 merged by Herron:
[operations/puppet@production] admin: add dz1 to ldap_only_users

https://gerrit.wikimedia.org/r/525294

I don't actually see the paperwork for WMF full time req # employees, so I think having the manager or C-level approve here would be the best practice. Thanks!

It doesn't seem like you need it, but this is approved. Let me know if you need something else.

Great! Thanks all

@herron: You've added her to the wrong group; staff members need to be a member of cn=wmf. cn=nda is for people who have access to PII-relevant data, but are not staff members of the Foundation (i.e. community members or staff of Wikimedia Deutschland).

> staff members need to be a member of cn=wmf, cn=nda is for people who have access to PII-relevant data, but are not staff members

Glad you spotted that! Group membership has been switched from nda to wmf.