Commit
direct to confluence page for tdr-user-administrator.md
Showing 1 changed file with 2 additions and 167 deletions.
@@ -1,170 +1,5 @@ | ||
# TDR User Administrator Manual | ||
|
||
## Determining legitimate user requests | ||
### Content moved | ||
|
||
### Standard Users | ||
|
||
All requests for a new TDR account should be referred to our Digital Transfer Advisors on [tdr@nationalarchives.gov.uk](mailto:tdr@nationalarchives.gov.uk) to validate the request before proceeding. | ||
|
||
### Judgment Users | ||
|
||
As agreed with the Judicial Office, any TDR new account requests can be automatically added providing that their email domain ends in: | ||
|
||
* @ejudiciary.net | ||
|
||
* @justice.gov.uk | ||
|
||
Any requests made from @supremecourt.uk should be checked with [paul.sandles@supremecourt.uk](mailto:paul.sandles@supremecourt.uk) | ||
|
||
All other requests received should be validated by the Judgments Judicial Helpdesk on [judgmentshelpdesk@judiciary.uk](mailto:judgmentshelpdesk@judiciary.uk) | ||
|
||
## Role Description | ||
|
||
TDR user administrators have rights and privileges to manage: | ||
|
||
1. Transferring body users of the TDR application | ||
* Create | ||
* Delete | ||
* Edit | ||
* Assign to transferring bodies | ||
2. Transferring body groups: | ||
* Add | ||
* Remove | ||
* Edit | ||
|
||
## Sending Emails to Users | ||
|
||
### Integration / Staging Environments GOVUK Notify Setup | ||
|
||
* To send an email to a user in the lower environments (Integration / Staging) the user should either have: | ||
* a GOVUK Notify account set up for the environment (for **internal** TNA users only); or | ||
* have their email address added to the GOVUK Notify API integration guest list | ||
|
||
Note: this is required as GOVUK Notify is not set up as a "live" service for TDR's lower environments. | ||
|
||
Ask a developer to set up GOVUK Notify. | ||
|
||
### Production | ||
|
||
No additional set up is required for adding users to Production. | ||
|
||
## Setting Up As TDR User Administrator | ||
|
||
1. Contact TDR team to request set up as a TDR user administrator: tdr@nationalarchives.gov.uk | ||
2. You will receive an email from the TDR team with: | ||
* your user name | ||
* URL to the Keycloak application: https://auth.tdr.nationalarchives.gov.uk/admin/tdr/console | ||
3. A separate email will be sent with an URL link for you to set a password | ||
4. Ensure you have either Google Authenticator (https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en_GB) or Microsoft Authenticator (https://www.microsoft.com/en-us/account/authenticator) available as you will need these to log on to the Keycloak application | ||
5. Log on to the Keycloak application for the first time: | ||
* **Note**: accessing Keycloak can only be done on the TNA network, via Citrix or connecting to TNA using PulseSecure | ||
* Go to the provided URL | ||
* You will be prompted to set scan a QR code with an authenticator application to set up MFA for Keycloak | ||
|
||
## Managing Transferring Body Users | ||
|
||
### Adding a new transferring body | ||
|
||
If a new user belongs to a new transferring body not already added to Keycloak, then: | ||
1. Go to the "Groups" page:  | ||
2. Click on the "tdr_transferring_body" group so that it is highlighted:  | ||
3. Click "new" | ||
4. The "Create Group" page will open:  | ||
5. Enter the name of the new transferring body | ||
6. Click "save":  | ||
7. On the new group's page go to the attributes tab | ||
8. Enter a new "body" attribute: | ||
* In the "key" field enter: body | ||
* In the "value" field enter the code of the transferring body | ||
* This must match the `TdrCode` field added to the `Body` table in the database, so coordinate this change with the development team. It should begin with `TDR-`, e.g. `TDR-MOJ` or `TDR-WA`. We use the `TDR-` prefix to make it clear that the codes don't necessarily match departmental codes used in other catalogues. | ||
9. Click the "add" button under the "actions" column | ||
10. Then click "save":  | ||
11. Go back to the "Group" page and under the "transferring_body" group the new transferring body should be visible:  | ||
12. New users can now be assigned to that transferring body. See "Creating a new user" section | ||
|
||
### Creating a new user | ||
|
||
If a new user needs to be added, then: | ||
1. Go to the "Users" page:  | ||
2. Click on "Add user" | ||
3. Fill in the relevant fields for the new user's details:  | ||
* The following fields are required to be filled in for a valid user to be created: | ||
* User Name (this should be the user's email address) | ||
* First Name | ||
* Last Name | ||
4. Click "save" | ||
5. Go to the "Groups" tab | ||
6. From the "Available Groups" box select the transferring body the new user belongs to:  | ||
* If the transferring body does not appear go to the "Adding a new transferring body" section for details of how to add a new transferring body | ||
7. Add the new user to the relevant transferring body by clicking "Join" | ||
8. From the "Available Groups" box select "user type" for the user: | ||
* *Judgment User*: | ||
* **Note**: this group should only be applied to users who will be transferring judgments | ||
* add the new user to the "user_type/judgment_user" group:  | ||
* the user should show two groups in "Group Membership", "transferring body" and "user type":  | ||
* *Standard User*: | ||
* **Note**: this group should be applied to all users, other than those who will be transferring judgments | ||
* add the new user to the "user_type/standard_user":  | ||
* the user should show two groups in "Group Membership", "transferring body" and "user type":  | ||
9. Under the "Credentials" tab:  | ||
10. Request the user updates their password: | ||
* Under the "Credentials Reset" section add the "Update Password (UPDATE_PASSWORD)" option | ||
* If the user will be using an app for MFA, add the "Configure OTP (CONFIGURE_TOTP)" option to the "Reset Actions" | ||
* If the user will be using a hardware USB token for MFA, add the "Webauthn Register (webauthn-register)" option to the "Reset Actions" | ||
* Click the "Send Email" button. This will send an email to the user, with a URL link requesting they configure TOTP and set a password | ||
* An email confirmation dialog box will appear if the email was sent successfully. | ||
11. Go back to the Users page | ||
12. Click "View all users" | ||
13. New user should appear in the list of all users:  | ||
|
||
### Resetting existing user's OTP | ||
|
||
If an existing user's OTP needs resetting, then: | ||
1. Go to the "Users" page:  | ||
2. Search for the user using their email address:  | ||
3. Go to the user's details | ||
4. Under "Required User Actions" section add the "Configure OTP (CONFIGURE_TOTP)" option | ||
5. Go to the user's Credentials tab | ||
6. Select "Delete" next to their existing OTP entry to remove their current OTP credentials | ||
7. Inform the user to delete any previous OTP accounts in their authenticator app before they set up their new OTP | ||
8. When the user signs in with their existing email and password they will be prompted on screen to scan a new QR code to set up their OTP | ||
|
||
### Resetting existing user's password | ||
|
||
If an existing user's password needs resetting, then: | ||
1. Go to the "Users" page:  | ||
2. Search for the user using their email address:  | ||
3. Go to the user's details | ||
4. Go to the user's Credentials tab | ||
5. Select "Delete" next to their existing password to remove their password credentials | ||
6. Under the "Credentials Reset" section add the "Update Password (UPDATE_PASSWORD)" option to the "Reset Actions":  | ||
7. Click the "Send Email" button. This will send an email to the user, with a URL link requesting they reset their password | ||
8. An email confirmation dialog box will appear if the email was sent successfully. | ||
|
||
### Disabled user account | ||
|
||
A user's account maybe become disabled for several reasons: | ||
|
||
* too many failed log in attempts | ||
* manually disabled | ||
|
||
A disabled user account will look like this:  | ||
|
||
On the Details tab the `User Enabled` toggle will be set to `Off` | ||
|
||
If a user's account is disabled it is not possible to send an email to the user. | ||
|
||
#### Re-enable a user account | ||
|
||
To re-enable the user's account, and allow the sending of email: | ||
1. Change the `User Enabled` toggle to `On`; and | ||
2. Click `Save` | ||
3. The user account should then look like this:  | ||
|
||
## Find a user on Keycloak with just the user ID | ||
|
||
To locate a specific user when you only have their user ID code: | ||
1. Navigate to any user's details | ||
2. In the url, you'll see the users ID. Change that by overtyping the ID of the user you want to find. | ||
3. Refresh the page and it will take you to that user's full details. | ||
The content of this page has been moved to [Confluence](https://national-archives.atlassian.net/wiki/spaces/DA/pages/840892445/TDR+User+Administrator+Manual). Any future updates should be made there. |
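Review bot: the two surviving lines leave the heading structure jumping from `# TDR User Administrator Manual` straight to `### Content moved`; with every `##` section now removed, `## Content moved` keeps the file's h1/h2 hierarchy consistent. Separately, the deleted step 8 under "Adding a new transferring body" was the only in-repository record of the contract that a transferring-body group's `body` attribute must equal the `TdrCode` value in the `Body` table and carry the `TDR-` prefix (e.g. `TDR-MOJ`); that coupling is something the development team has to honour when changing either side, so consider keeping a one-line pointer to it here, or confirming in the commit that the Confluence page preserves it, rather than leaving it recoverable only from git history.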