From aeb6eb6e8d134423c95925f27ce49dc04007fe75 Mon Sep 17 00:00:00 2001 From: Lawrence Forooghian Date: Thu, 2 Apr 2020 17:47:42 +0100 Subject: [PATCH] Add instructions for onboarding a support developer MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit I have not yet tested this end to end with a developer, so it might need more tweaks. DfE’s 2FA rules might change in the future – see this DfE Digital Slack thread [1] to continue the initial conversation. [1] https://ukgovernmentdfe.slack.com/archives/CMS9V0JQL/p1586167807393400 --- docs/developer-onboarding.md | 82 +++++++++++++++++++ docs/first-line-support-developer-runbook.md | 3 + ...privileged-identity-management-requests.md | 19 +++-- 3 files changed, 99 insertions(+), 5 deletions(-) diff --git a/docs/developer-onboarding.md b/docs/developer-onboarding.md index a9d842eec3..38aff90357 100644 --- a/docs/developer-onboarding.md +++ b/docs/developer-onboarding.md 
@@ -3,6 +3,79 @@ The audience for this document is a developer who is being onboarded onto the project, either for the service team or first-line support. +## First-line support onboarding + +1. Product owner in DfE follows the + [first-line support developer onboarding steps in Confluence](https://dfedigital.atlassian.net/wiki/spaces/TP/pages/1490452481/Onboarding+a+first-line+support+developer). +2. The new developer follows the + [self-service onboarding instructions](#self-service-onboarding-for-first-line-support). + +### Self-service onboarding for first-line support + +Before you start, you will need: + +- an `@digital.education.gov.uk` email address +- an invitation to the DfE Platform Identity organisation in Azure Active + Directory – this should be in your DfE email inbox, once you follow the first + steps below to log in + +Then, follow these steps to complete your onboarding: + +1. Log in to your DfE email. +2. If Google asks you to set up two-factor authentication, see + [this advice](#how-to-set-up-two-factor-auth-for-your-digitaleducationgovuk-google-account). +3. Follow the link in the Azure invitation email and create an account. +4. Click on + [this link](https://portal.azure.com/?Microsoft_Azure_PIMCommon=true#blade/Microsoft_AAD_IAM/GroupDetailsMenuBlade/Owners/groupId/6642920a-1aab-49bb-9a20-365131195349) + – we’ll use this to confirm you’re using the correct directory in Azure. +5. If you see an error about “the group could not be found”, then click on your + email address in the top right, choose “Switch directory”, and switch to “DfE + Platform Identity”. +6. If Azure asks you to set up two-factor authentication, see + [this advice](#how-to-set-up-azure-two-factor-auth-without-giving-a-phone-number-or-downloading-a-special-app). +7. 
Ask one of the + [owners](https://portal.azure.com/?Microsoft_Azure_PIMCommon=true#blade/Microsoft_AAD_IAM/GroupDetailsMenuBlade/Owners/groupId/6642920a-1aab-49bb-9a20-365131195349) + of the “s118-teacherpaymentservice-Delivery Team USR” Active Directory group + to follow + [these instructions](#how-to-add-a-member-to-the-delivery-team-in-azure) to + add you as a member. +8. Sign up for [DfE Digital’s Confluence wiki](https://dfedigital.atlassian.net) + using your DfE email address. +9. Follow these steps from the + [onboarding page in Confluence](https://dfedigital.atlassian.net/wiki/spaces/TP): + - Slack + - GitHub + - logit.io – the Viewers team is sufficient for support needs + - Rollbar + +## How to set up two-factor auth for your `@digital.education.gov.uk` Google account + +At the time of writing (2020-04-06), new DfE Google users must set up two-factor +authentication (2FA) within 24 hours of first login. + +When setting up 2FA for the first time, the only authentication methods which +DfE’s configuration allows are: + +- phone call or SMS +- installing the Google app on a smartphone – not to be confused with Google + Authenticator / TOTP +- a physical security key – FIDO U2F standard + +If you do not want to give Google your phone number or do not have a physical +security key, you can +[use your Android phone as a security key](https://support.google.com/accounts/answer/9289445), +or use the Google Smart Lock iOS app as a security key. + +If you do not want to use your phone at all, you can use a software tool which +fakes a physical security key. One example is +[SoftU2F](https://github.com/github/SoftU2F). I’ve tried using this, and it +works. + +After setting up 2FA for the first time, you can visit +https://accounts.google.com and add additional authentication methods such as +Google Authenticator, which lets you use a generic TOTP authentication app like +1Password. You can then remove the initial authentication method. 
+ ## How to set up Azure two-factor auth without giving a phone number or downloading a special app The first time you try to use DfE’s Cloud Infrastructure Platform – for example @@ -31,3 +104,12 @@ change. After displaying a validation error on the phone number field, it will still proceed. Two-factor auth is now set up. + +## How to add a member to the delivery team group in Azure + +1. Go to + https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview. +2. Confirm that it says “DfE Platform Identity” – if not, use the “switch + directory” button. +3. In Groups, search for “s118-teacherpaymentservice-Delivery Team USR”. +4. Add the new person. diff --git a/docs/first-line-support-developer-runbook.md b/docs/first-line-support-developer-runbook.md index ab13616d68..8a97fa7c8c 100644 --- a/docs/first-line-support-developer-runbook.md +++ b/docs/first-line-support-developer-runbook.md @@ -13,6 +13,9 @@ tasks that you might get asked to do. ## Support tasks +If you want to do one of these tasks and you don’t have what you need, see the +[first-line support onboarding list](developer-onboarding.md#first-line-support-onboarding). + ### I want to make a bug fix and deploy it #### You will need diff --git a/docs/privileged-identity-management-requests.md b/docs/privileged-identity-management-requests.md index f07ebda29e..87a8232654 100644 --- a/docs/privileged-identity-management-requests.md +++ b/docs/privileged-identity-management-requests.md 
@@ -10,10 +10,19 @@ To make a PIM request: [this page](https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/ActivationMenuBlade/azurerbac). 2. Activate the ‘Contributor’ role for the environment you want to access. 3. Give a reason for your request and submit. -4. The request must now be approved. +4. The request must now be approved: - For the `production` environment, you will have to wait until this has been - approved by another team member. Anyone who can approve the request should - have received an email to their `@digital.education.gov.uk` address. If - not, they can view all pending requests - [here](https://portal.azure.com/?Microsoft_Azure_PIMCommon=true#blade/Microsoft_Azure_PIMCommon/ApproveRequestMenuBlade/azurerbac). + [approved by another team member](#approving-a-pim-request). - For `test`, the request is automatically approved. + +## Approving a PIM request + +Only +[members](https://portal.azure.com/#blade/Microsoft_AAD_IAM/GroupDetailsMenuBlade/Members/groupId/407a4183-b6a3-4186-a766-9d342935127e) +of the “s118-teacherpaymentservice-Managers USR” Active Directory group can +approve a PIM request. + +When somebody makes a PIM request, anyone who can approve it should receive an +email to their `@digital.education.gov.uk` address. If not, they can view all +pending requests +[here](https://portal.azure.com/?Microsoft_Azure_PIMCommon=true#blade/Microsoft_Azure_PIMCommon/ApproveRequestMenuBlade/azurerbac).
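Review bot: In the first docs/developer-onboarding.md hunk (@@ -3,6 +3,79 @@), the Google 2FA section recommends SoftU2F without saying what that trades away: it emulates a security key in software (macOS only), so the key material lives on the laptop rather than in tamper-resistant hardware, and a compromise of that machine compromises the second factor. Suggest adding one sentence to that effect after "I’ve tried using this, and it works", and noting that the "physical security key – FIDO U2F standard" option remains the strongest of the three listed. Step 9's "logit.io – the Viewers team is sufficient for support needs" is the right least-privilege default; consider stating the same for the Rollbar role so readers do not request more access than the runbook tasks need.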
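Review bot: In the second docs/developer-onboarding.md hunk (@@ -31,3 +104,12 @@), step 4 "Add the new person" has no check that the request is legitimate: the group owner receives a request from a new account (step 7 of the onboarding list) and this section tells them only to add it. Suggest a step before "Add the new person" asking the owner to confirm the developer appears in the product owner's Confluence onboarding (step 1 of "First-line support onboarding") and to check the account's directory is "DfE Platform Identity", since step 2 already makes the owner confirm their own directory. A matching "remove a member" step, or a pointer to where offboarding lives, would also close the loop this section opens.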
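Review bot: In the docs/privileged-identity-management-requests.md hunk (@@ -10,10 +10,19 @@), the new "Approving a PIM request" section says who may approve but not what they should check; the reason entered in step 3 ("Give a reason for your request and submit") is the only evidence an approver has, so suggest adding a line such as "Approve only if the reason names the support task and matches an open incident or ticket". Also say explicitly whether a member of "s118-teacherpaymentservice-Managers USR" may approve their own `production` request, because the retained wording "approved by another team member" implies not, while the new section does not rule it out. Minor: the members link in this section omits the `?Microsoft_Azure_PIMCommon=true` query used by the other portal links in the patch; worth making them consistent.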