Add instructions for onboarding a support developer

I have not yet tested this end to end with a developer, so it might need more tweaks. DfE’s 2FA rules might change in the future – see this DfE Digital Slack thread [1] to continue the initial conversation. [1] https://ukgovernmentdfe.slack.com/archives/CMS9V0JQL/p1586167807393400
DFE-Digital · Apr 6, 2020 · aeb6eb6 · aeb6eb6
1 parent 8461513
commit aeb6eb6
Show file tree

Hide file tree

Showing 3 changed files with 99 additions and 5 deletions.
diff --git a/docs/developer-onboarding.md b/docs/developer-onboarding.md
@@ -3,6 +3,79 @@
 The audience for this document is a developer who is being onboarded onto the
 project, either for the service team or first-line support.
 
+## First-line support onboarding
+
+1. Product owner in DfE follows the
+   [first-line support developer onboarding steps in Confluence](https://dfedigital.atlassian.net/wiki/spaces/TP/pages/1490452481/Onboarding+a+first-line+support+developer).
+2. The new developer follows the
+   [self-service onboarding instructions](#self-service-onboarding-for-first-line-support).
+
+### Self-service onboarding for first-line support
+
+Before you start, you will need:
+
+- an `@digital.education.gov.uk` email address
+- an invitation to the DfE Platform Identity organisation in Azure Active
+  Directory – this should be in your DfE email inbox, once you follow the first
+  steps below to log in
+
+Then, follow these steps to complete your onboarding:
+
+1. Log in to your DfE email.
+2. If Google asks you to set up two-factor authentication, see
+   [this advice](#how-to-set-up-two-factor-auth-for-your-digitaleducationgovuk-google-account).
+3. Follow the link in the Azure invitation email and create an account.
+4. Click on
+   [this link](https://portal.azure.com/?Microsoft_Azure_PIMCommon=true#blade/Microsoft_AAD_IAM/GroupDetailsMenuBlade/Owners/groupId/6642920a-1aab-49bb-9a20-365131195349)
+   – we’ll use this to confirm you’re using the correct directory in Azure.
+5. If you see an error about “the group could not be found”, then click on your
+   email address in the top right, choose “Switch directory”, and switch to “DfE
+   Platform Identity”.
+6. If Azure asks you to set up two-factor authentication, see
+   [this advice](#how-to-set-up-azure-two-factor-auth-without-giving-a-phone-number-or-downloading-a-special-app).
+7. Ask one of the
+   [owners](https://portal.azure.com/?Microsoft_Azure_PIMCommon=true#blade/Microsoft_AAD_IAM/GroupDetailsMenuBlade/Owners/groupId/6642920a-1aab-49bb-9a20-365131195349)
+   of the “s118-teacherpaymentservice-Delivery Team USR” Active Directory group
+   to follow
+   [these instructions](#how-to-add-a-member-to-the-delivery-team-in-azure) to
+   add you as a member.
+8. Sign up for [DfE Digital’s Confluence wiki](https://dfedigital.atlassian.net)
+   using your DfE email address.
+9. Follow these steps from the
+   [onboarding page in Confluence](https://dfedigital.atlassian.net/wiki/spaces/TP):
+   - Slack
+   - GitHub
+   - logit.io – the Viewers team is sufficient for support needs
+   - Rollbar
+
+## How to set up two-factor auth for your `@digital.education.gov.uk` Google account
+
+At the time of writing (2020-04-06), new DfE Google users must set up two-factor
+authentication (2FA) within 24 hours of first login.
+
+When setting up 2FA for the first time, the only authentication methods which
+DfE’s configuration allows are:
+
+- phone call or SMS
+- installing the Google app on a smartphone – not to be confused with Google
+  Authenticator / TOTP
+- a physical security key – FIDO U2F standard
+
+If you do not want to give Google your phone number or do not have a physical
+security key, you can
+[use your Android phone as a security key](https://support.google.com/accounts/answer/9289445),
+or use the Google Smart Lock iOS app as a security key.
+
+If you do not want to use your phone at all, you can use a software tool which
+fakes a physical security key. One example is
+[SoftU2F](https://github.com/github/SoftU2F). I’ve tried using this, and it
+works.
+
+After setting up 2FA for the first time, you can visit
+https://accounts.google.com and add additional authentication methods such as
+Google Authenticator, which lets you use a generic TOTP authentication app like
+1Password. You can then remove the initial authentication method.
+
 ## How to set up Azure two-factor auth without giving a phone number or downloading a special app
 
 The first time you try to use DfE’s Cloud Infrastructure Platform – for example
@@ -31,3 +104,12 @@ change.
 
 After displaying a validation error on the phone number field, it will still
 proceed. Two-factor auth is now set up.
+
+## How to add a member to the delivery team group in Azure
+
+1. Go to
+   https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.
+2. Confirm that it says “DfE Platform Identity” – if not, use the “switch
+   directory” button.
+3. In Groups, search for “s118-teacherpaymentservice-Delivery Team USR”.
+4. Add the new person.
diff --git a/docs/first-line-support-developer-runbook.md b/docs/first-line-support-developer-runbook.md
@@ -13,6 +13,9 @@ tasks that you might get asked to do.
 
 ## Support tasks
 
+If you want to do one of these tasks and you don’t have what you need, see the
+[first-line support onboarding list](developer-onboarding.md#first-line-support-onboarding).
+
 ### I want to make a bug fix and deploy it
 
 #### You will need

diff --git a/docs/privileged-identity-management-requests.md b/docs/privileged-identity-management-requests.md
@@ -10,10 +10,19 @@ To make a PIM request:
    [this page](https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/ActivationMenuBlade/azurerbac).
 2. Activate the ‘Contributor’ role for the environment you want to access.
 3. Give a reason for your request and submit.
-4. The request must now be approved.
+4. The request must now be approved:
    - For the `production` environment, you will have to wait until this has been
-     approved by another team member. Anyone who can approve the request should
-     have received an email to their `@digital.education.gov.uk` address. If
-     not, they can view all pending requests
-     [here](https://portal.azure.com/?Microsoft_Azure_PIMCommon=true#blade/Microsoft_Azure_PIMCommon/ApproveRequestMenuBlade/azurerbac).
+     [approved by another team member](#approving-a-pim-request).
    - For `test`, the request is automatically approved.
+
+## Approving a PIM request
+
+Only
+[members](https://portal.azure.com/#blade/Microsoft_AAD_IAM/GroupDetailsMenuBlade/Members/groupId/407a4183-b6a3-4186-a766-9d342935127e)
+of the “s118-teacherpaymentservice-Managers USR” Active Directory group can
+approve a PIM request.
+
+When somebody makes a PIM request, anyone who can approve it should receive an
+email to their `@digital.education.gov.uk` address. If not, they can view all
+pending requests
+[here](https://portal.azure.com/?Microsoft_Azure_PIMCommon=true#blade/Microsoft_Azure_PIMCommon/ApproveRequestMenuBlade/azurerbac).