This is a new access request for iackerman. They require the following access: (Mark the box for each requirement with an x)
- civicrm web access
- standard access
- donor services access
- view only access
- ssh access - if specific hosts: frdev1002 fran1001 fran2001
- mysql - if specific hosts or databases: read only access to civi and superset dbs
- superset
- other: please explain
Parent task: T356110
New User Procedure / Checklist
When adding a new user to the fundraising / fr-tech ecosystem, we have a set of places where we need to create accounts and access.
Prerequisites
Before we can take any action to add a user, we need to verify that they are authorized to have such access. This requires confirmation from their manager and approval from the C level that access is approved.
[x] user_verification
Requires: user request [x] access_rights: letter to C level (currently Lisa) verifying grant of access [x] account name/contact info: verify on https://collab.wikimedia.org/wiki/Fundraising#Contact_List [ ] (if not advancement) add to okta notify list: create ITS ticket for adding to fr-tech okta notification list
Accounts and Services
[x] client_ssl_cert
Requires: user_verification [x] cert_setup: generate cert on frpm1001 using ssl_user_admin [x] account_setup: sms the user the password for the key [x] follow_on: assist with certificate installation
[x] civicrm
Requires: client_ssl_cert [x] account_setup: Create user account. This will notify the user via email to update their password. [x] follow_on: Verify user can log in to https://civicrm.wikimedia.org
[x] superset
Requires: client_ssl_cert [x] account_setup: Create user account. Notify the user of their account name and password. [x] follow_on: Verify user can log in to https://analytics.frdev.wikimedia.org [-] archive_access: Add to google drive archive group. https://drive.google.com/drive/folders/0ADWGPlZtksGdUk9PVA
[x] user account
Requires: user_verification [x] Add the user to the users.yaml and group_members.yaml files as appropriate. [x] Push out puppet changes.
x] yubikey
Requires: useraccount and ITS request to send out yubikey to user [-] physical: Make a request to ITS to have a key sent to the user [x] account_setup: Get public side and add to puppet-private/manifests/passwords/yubico.pp [x] follow_on: Make sure user can use yubikey for ssh access
[x] ssh
Requires: useraccount and yubikey [x] key_setup: Send template/docs for generating keypair and ~/.ssh/config file [x] account_setup: Get public side and add to puppet-private/secrets/ssh/default/$username [x] follow_on: Verify user can ssh using correct creds and passphrases when needed.
[x] mysql
Requires: useraccount, yubikey, ssh [x] account_setup [x] Create user block in ~/puppet-private/secrets/mysql_grants/fundraising_qa [x] Ensure user is in correct blocks for select rights on dbs. - Generally use another user in same group as a guide [x] Run the grant script to get the grants. [x] Copy/paste to execute the grants on appropriate dbs. [x] Create the user a ~/.my.cnf file with the original password from account creation. [x] follow_on: Verify user can ssh to the required host and log in to mysql.