As tech lead, I need a new permissions group for ACF OCIO #1358

Closed
4 of 12 tasks
ADPennington opened this issue Oct 1, 2021 · 15 comments · Fixed by #1668
Assignees
Labels
backend compliance OCIO-related compliance tasks security

Comments

@ADPennington
Collaborator

ADPennington commented Oct 1, 2021

Description:
As we are now storing our ZAP scans, we need to give OCIO read access to them. The simplest way to do so is to create a new group with access only to our ZAP and ClamAV logs and objects.

Acceptance Criteria:

  • New ACF OCIO group is created in our database by default
  • New group does not have STTs or Regions associated with it
  • ACF OCIO group should have read-only access to DAC security scans (e.g. OWASP scans, ClamAV scans)
  • ACF OCIO group should not have access to view other areas of DAC or the Frontend where feasible
  • Testing Checklist has been run and all tests pass
  • README is updated, if necessary

Tasks:

  • Migration for creation of this new group by default
  • Exhaustive listing of relevant permissions for accessing backend security forms and objects
  • Relevant user instantiation excludes STTs and Regions
  • Document group permissions matrix in this Readme
  • User-facing documentation for how ACF OCIO staff can log in to DAC/Security and access objects (scan pdfs, ClamAV log entries)
  • Run Testing Checklist and confirm all tests pass

Notes:

Supporting Documentation:

Open Questions:

  • Can these users be easily redirected straight to the backend after authentication?
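The first two tasks above (create the group by default; grant it only the permissions needed to read the scans) map onto a Django data migration. The block below is an added example, not the project's own code: the app label `security` and the model names `owaspscan`/`clamaventry` are assumed placeholders, and `forwards`/`backwards` are meant to be wired into a migration with `migrations.RunPython(forwards, backwards)`.

```python
# Added example (not the project's own code): data-migration step that creates
# the "ACF OCIO" group with view-only rights on the security-scan models.
# App label "security" and model names "owaspscan"/"clamaventry" are assumed
# placeholders. Wire it up with migrations.RunPython(forwards, backwards).

GROUP_NAME = "ACF OCIO"

# Only the "view" action is granted for each model: no add/change/delete,
# so OCIO can read scan results but never alter or remove the audit trail.
READ_ONLY_MODELS = {
    ("security", "owaspscan"),    # assumed: OWASP ZAP scan reports
    ("security", "clamaventry"),  # assumed: ClamAV log entries
}


def readonly_codenames(models=READ_ONLY_MODELS):
    """Django permission codenames the group should hold, and nothing else."""
    return sorted(f"view_{model}" for _, model in models)


def is_read_only(codenames):
    """Audit helper: True when every codename is a view_* permission."""
    return all(c.startswith("view_") for c in codenames)


def forwards(apps, schema_editor):
    """Create (or repair) the group using the historical model registry."""
    Group = apps.get_model("auth", "Group")
    Permission = apps.get_model("auth", "Permission")
    ContentType = apps.get_model("contenttypes", "ContentType")

    group, _ = Group.objects.get_or_create(name=GROUP_NAME)
    perms = []
    for app_label, model in sorted(READ_ONLY_MODELS):
        # Permission rows may not exist yet at migrate time, so create on demand.
        ct, _ = ContentType.objects.get_or_create(app_label=app_label, model=model)
        perm, _ = Permission.objects.get_or_create(
            content_type=ct, codename=f"view_{model}",
            defaults={"name": f"Can view {model}"},
        )
        perms.append(perm)
    # set() replaces the whole list, so re-running never accumulates extra rights.
    group.permissions.set(perms)
    return group


def backwards(apps, schema_editor):
    """Reverse step: drop the group; the permission rows themselves stay."""
    Group = apps.get_model("auth", "Group")
    Group.objects.filter(name=GROUP_NAME).delete()
```

A unit test that asserts `is_read_only(...)` over the group's permissions is the cheapest way to keep the "read-only" acceptance criterion from regressing when new scan models are added.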
@valcollignon

  • apply dev template
  • link README
  • create tasks

Bring up during dev sync.
CC: @ADPennington @abottoms-coder

@ADPennington
Collaborator Author

>   • apply dev template
>   • link README
>   • create tasks
>
> Bring up during dev sync. CC: @ADPennington @abottoms-coder

Per dev sync, we decided that the dev team will take this ticket and scope out tasks given the above-mentioned ACs. @valcollignon

@valcollignon

@ADPennington are you taking the ticket for this current sprint? Or scoping out tasks for a future sprint?

@ADPennington
Collaborator Author

> @ADPennington are you taking the ticket for this current sprint? Or scoping out tasks for a future sprint?

@valcollignon -- dev is taking this ticket to scope the tasks. If the tasks are scoped in time for next week's backlog, we can discuss where it would go in our workflow. cc: @abottoms-coder

@andrew-jameson
Collaborator

@ADPennington Do we agree this ticket is blocked by #1170?

@ADPennington
Collaborator Author

> @ADPennington Do we agree this ticket is blocked by #1170?

@abottoms-coder agree. Let's discuss the AC re: this group's access to the frontend where feasible. They need it for logging into TDP, and they'd also need a way to get to the backend scans from there. I'd like to better understand what that flow will look like 😃

@valcollignon

This issue has been refined from the dev standpoint.

@jorgegonzalez

> ACF OCIO users should be enforced to utilize PIV card via new AMS integration

Question about this AC, will ACF OCIO all have @acf.hhs.gov email addresses? In which case this AC may already be satisfied @ADPennington @abottoms-coder

@andrew-jameson
Collaborator

> > ACF OCIO users should be enforced to utilize PIV card via new AMS integration
>
> Question about this AC, will ACF OCIO all have @acf.hhs.gov email addresses? In which case this AC may already be satisfied @ADPennington @abottoms-coder

I would expect this assumption is valid and this AC is satisfied.

@jorgegonzalez

Can that AC be removed from this ticket then, if we agree it is satisfied?

@andrew-jameson
Collaborator

> Can that AC be removed from this ticket then, if we agree it is satisfied?

@ADPennington Are you ok with this?

@ADPennington
Collaborator Author

Removed @jorgegonzalez @abottoms-coder

@jorgegonzalez

Just saw this

> Can these users be easily redirected straight to the backend after authentication?

If so, do we intend for users in this group to never see the frontend? Redirecting them straight to Django Admin reduces the added complexity of validating this on the frontend. So if that is the desired behavior, I'm updating the PR to support this shortly @ADPennington @abottoms-coder

@ADPennington
Collaborator Author

@jorgegonzalez -- @lfrohlich and I just discussed and can confirm that this permission group can be redirected back to the security url in DAC. They don't need to do anything on the frontend. Maybe access to the profile page, but only if it's easy. cc: @abottoms-coder

@reitermb

Demoed by @jorgegonzalez on 3/15/2022
