Access Control & Account Management SOP

Ryan Ahearn edited this page May 26, 2021 · 5 revisions

Access Control Policies

Shared/Group Accounts & Credential Sharing

Shared accounts and credential sharing are strictly prohibited.


Account Management Processes

Account manager selection and approval

  1. The TTA Smart Hub Product Owner (PO) and the TTA Smart Hub Government Technical Monitor (GTM) will initially fulfill the role of account managers.
  2. Account manager duties may be delegated to each Region via the TTA Coordinator and/or the Regional TTA contract CORs.

Note: If the system ever needs to be recreated from scratch, the first admin account to be created is controlled by this bootstrap script. A new PR should be opened to update ADMIN_USERNAME if the script is ever needed again.

Account request, approval, and creation

[Diagram: account creation workflow]

  1. The user account must first be created in the Head Start Enterprise System (HSES).
  2. The user logs into TTA Smart Hub via HSES, which automatically submits a request for TTA Smart Hub access.
  3. A User Profile with no access permissions is automatically created the first time a user logs in via HSES. The user will not be able to view anything until permissions are assigned to their User Profile.
  4. Users will submit a Smartsheet form to request that access permissions be added to their account. TTA Smart Hub Account Managers will review these requests, compare the users to the Regional Staffing Rosters, and assign TTA Smart Hub role-based access permissions as appropriate to their jobs as defined in the Staffing Rosters.

[Diagram: permissions setting workflow]

Account review (frequency and process)

[Diagram: account disablement workflow]

  1. The PO or GTM will review accounts with permissions on a monthly basis.
  2. Users who have been removed from the Staffing Rosters will have their access permissions revoked.

Account disablement, triggers, and process

  1. HSES account disablement automatically cascades to TTA Smart Hub, because a user who cannot log into HSES also cannot use HSES to log into TTA Smart Hub.
  2. TTA Smart Hub Account Managers will review accounts every 60 days and disable access by removing the SITE_ACCESS permission from accounts that have not been active in that time.
  3. Users who have not logged in during the past 60 days will appear in the "Show users to lock" admin filter.

Account termination, triggers and process

  1. HSES account termination automatically cascades to TTA Smart Hub, because a user who cannot log into HSES also cannot use HSES to log into TTA Smart Hub.
  2. TTA Smart Hub Account Managers will review accounts every 180 days and revoke all permissions from accounts that have not been active in that time.
  3. Users who have not logged in during the past 180 days will appear in the "Show users to disable" admin filter.
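The two inactivity reviews above (remove SITE_ACCESS after 60 idle days, revoke all permissions after 180) can be checked against a user list with a small script. The following is an added example written for this page, not code from the TTA Smart Hub project: the `lastLogin` and `permissions` field names, the `READ_REPORTS` permission, the sample users, and the choice to treat a user who has never logged in as inactive are all assumptions made here, and the only permission name taken from the SOP is SITE_ACCESS.

```javascript
// Added example (not TTA Smart Hub project code) that classifies accounts for the
// 60-day "lock" and 180-day "disable" reviews described in the SOP.
// Assumed record shape: { email, lastLogin: ISO string or null, permissions: string[] }.

const MS_PER_DAY = 24 * 60 * 60 * 1000;
const LOCK_AFTER_DAYS = 60;     // SOP: remove SITE_ACCESS
const DISABLE_AFTER_DAYS = 180; // SOP: revoke all permissions

// Whole days between the user's last login and the review date.
// Assumption: a user who has never logged in is treated as inactive forever.
function daysSinceLastLogin(user, now) {
  if (!user.lastLogin) return Infinity;
  return Math.floor((now - new Date(user.lastLogin)) / MS_PER_DAY);
}

// Returns the emails that fall into each review bucket. A user already locked
// (SITE_ACCESS removed) is not re-listed for locking, but still reaches the
// 180-day disable threshold if they remain idle.
function reviewInactiveAccounts(users, now = new Date()) {
  const toLock = [];
  const toDisable = [];
  for (const user of users) {
    if (user.permissions.length === 0) continue; // nothing left to revoke
    const idle = daysSinceLastLogin(user, now);
    if (idle >= DISABLE_AFTER_DAYS) {
      toDisable.push(user.email);
    } else if (idle >= LOCK_AFTER_DAYS && user.permissions.includes('SITE_ACCESS')) {
      toLock.push(user.email);
    }
  }
  return { toLock, toDisable };
}

// Applies the SOP actions without mutating the input, so the before/after
// permission sets can be recorded for the review's audit trail.
function applyReview(users, { toLock, toDisable }) {
  return users.map((user) => {
    if (toDisable.includes(user.email)) return { ...user, permissions: [] };
    if (toLock.includes(user.email)) {
      return { ...user, permissions: user.permissions.filter((p) => p !== 'SITE_ACCESS') };
    }
    return user;
  });
}

// Constructed sample data; the review date is the page's edit date.
const REVIEW_DATE = new Date('2021-05-26T00:00:00Z');
const SAMPLE_USERS = [
  { email: 'alice@example.gov', lastLogin: '2021-05-20T00:00:00Z', permissions: ['SITE_ACCESS', 'READ_REPORTS'] }, // 6 days idle
  { email: 'bob@example.gov',   lastLogin: '2021-03-01T00:00:00Z', permissions: ['SITE_ACCESS', 'READ_REPORTS'] }, // 86 days idle
  { email: 'carol@example.gov', lastLogin: '2020-10-01T00:00:00Z', permissions: ['SITE_ACCESS'] },                 // 237 days idle
  { email: 'dave@example.gov',  lastLogin: null,                   permissions: [] },                              // never given access
  { email: 'erin@example.gov',  lastLogin: '2021-03-27T00:00:00Z', permissions: ['READ_REPORTS'] },                // exactly 60 days, already locked
];

const review = reviewInactiveAccounts(SAMPLE_USERS, REVIEW_DATE);
console.log(review);
console.log(applyReview(SAMPLE_USERS, review));
```

The `erin` record shows the boundary case worth getting right: at exactly 60 idle days she meets the lock threshold, but because SITE_ACCESS is already gone she is not listed again, and she will only reappear in the 180-day disable bucket.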

Cloud.gov Access

Any vendor developer who has passed their security clearance can be granted "Developer" access to any space. Access to the ttahub-prod space should still be limited to those users who should be able to access Production under the limited circumstances laid out in the Production Data Access policy. Instead, those developers should be granted "Auditor" access to enable them to access the Kibana logs at https://logs.fr.cloud.gov/