This repository has been archived by the owner on Jan 23, 2024. It is now read-only.

Django Admin (managing users, using Clips)

Christa Hartsock edited this page May 12, 2020 · 2 revisions

User Accounts in the Clear My Record app

Accessing the admin functionality within the Clear My Record app requires a user account with the necessary privileges. Privileges are managed with the is_staff and is_superuser flags and with permission groups.

Inviting New Users

New users can be invited at /invitations/send-invite. When logged in as a staff user, a link to invite new users can be found at /accounts/profile/. Users must be linked to the correct organization and added to groups that correspond to their expected permissions.

When users access email invitation links, they encounter a sign-up form that fills in details for their profile.

If a user needs to be added to staff or designated as a superuser, those changes must be made by ticking the "staff" and "superuser" checkboxes in the Django admin site (under /admin/auth/user/) after they have activated their account.

Permission Groups

  • application_reviewers. application_reviewers are users who need to access and review applications. All org users are application_reviewers.
  • performance_monitors. This is a now-deprecated group that was used for giving access to private aggregate statistics without giving access to review applications.
  • followup_staff. These are users who communicate directly with applicants and need to review the status of their cases with each assisting county partner. They handle replies to automated followups with applicants, and they are able to add notes and tags to form submissions. This group generally includes CfA staff who are allowed to engage in applicant support.
  • clips_users. These are users who are allowed to run SQL queries on a copy of the database that has been cleared of personally identifiable information. All CfA staff with user accounts are generally clips users. See below for more information about the clips app.

Using the Django Admin

Django has a built-in admin site that is accessible to any user with is_staff = True. You can access the site at /admin/ using your login credentials.

Accessing the admin site is necessary for marking new users as staff or superuser, or for changing their groups or permissions.

Making a User Inactive

When we need to "delete" a user, whether a legal aid partner or CFA staff, mark them as inactive in the Django console. Do not delete them.

To mark them inactive:

  1. Log into the Django admin (see Using the Django Admin)
  2. Find the user's profile on the User administration page, and click to view
  3. Uncheck the 'active' box and click 'Save'

The user will lose the ability to log in and will no longer receive notifications.

Using clips

At /clips/ there is a minimal app for running custom queries on a copy of the database purged of sensitive info, intended to mimic the functionality of Heroku's Dataclips feature. Users must be in the clips_users group to access the page, and there are currently no links to the URL. The URL must be accessed directly.
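The privilege rules spread across the sections above (is_staff gates /admin/, clips_users gates /clips/, every org user is an application_reviewer, and "deleted" users are deactivated rather than removed) can be read as one small access policy. The following is an added illustration of that policy, not code from the Clear My Record project: it uses plain Python objects in place of Django's User and Group models so it runs without Django, and the names (User, invite_user, can_access_admin, deactivate_user, audit_privileged) are assumptions made here. The admin check copies Django's own rule, which requires the account to be both active and staff; a superuser flag on its own does not open the admin site.

```python
"""Model of the Clear My Record privilege rules described on this wiki page.

Added illustration, not project code. Plain dataclasses stand in for Django's
auth models; the function and field names below are assumptions, while the
rules themselves come from the page.
"""
from dataclasses import dataclass, field

# Permission groups listed on the page.
APPLICATION_REVIEWERS = "application_reviewers"
PERFORMANCE_MONITORS = "performance_monitors"  # deprecated; kept for legacy accounts
FOLLOWUP_STAFF = "followup_staff"
CLIPS_USERS = "clips_users"

KNOWN_GROUPS = {APPLICATION_REVIEWERS, PERFORMANCE_MONITORS, FOLLOWUP_STAFF, CLIPS_USERS}


@dataclass
class User:
    username: str
    organization: str          # every invited user must be linked to an organization
    is_active: bool = True
    is_staff: bool = False
    is_superuser: bool = False
    groups: set = field(default_factory=set)


def invite_user(username, organization, groups=()):
    """Create a user the way the invitation flow should.

    The user is linked to an organization, placed in application_reviewers
    (all org users are reviewers) plus any extra groups, and is never created
    as staff or superuser: those flags are set by hand in /admin/auth/user/
    after the account is activated.
    """
    if not organization:
        raise ValueError("users must be linked to an organization")
    unknown = set(groups) - KNOWN_GROUPS
    if unknown:
        raise ValueError(f"unknown groups: {sorted(unknown)}")
    user = User(username=username, organization=organization)
    user.groups.add(APPLICATION_REVIEWERS)
    user.groups.update(groups)
    return user


def can_access_admin(user):
    """Django's admin site admits a user only if is_active and is_staff are both
    set; is_superuser alone is not enough."""
    return user.is_active and user.is_staff


def can_access_clips(user):
    """/clips/ is gated on membership in clips_users (and an active account)."""
    return user.is_active and CLIPS_USERS in user.groups


def can_handle_followups(user):
    """Only followup_staff may answer applicant replies and add notes or tags."""
    return user.is_active and FOLLOWUP_STAFF in user.groups


def deactivate_user(user):
    """Soft delete: clear is_active and leave the record and its history intact.

    Login, admin access, clips access and notifications all stop because every
    check above starts with is_active.
    """
    user.is_active = False
    return user


def audit_privileged(users):
    """Usernames that can currently reach the admin site, for periodic review
    of who holds the staff flag."""
    return sorted(u.username for u in users if can_access_admin(u))


if __name__ == "__main__":
    # Constructed sample accounts, not real users.
    alice = invite_user("alice", "Legal Aid Org", groups={CLIPS_USERS})
    alice.is_staff = True
    carol = invite_user("carol", "CfA", groups={FOLLOWUP_STAFF})
    deactivate_user(carol)
    print("admin users:", audit_privileged([alice, carol]))
```

Running the module prints the single active staff account; the deactivated one drops out of every check without its record being deleted, which is the point of marking users inactive rather than removing them.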

3rd Party services

LastPass

Code for America uses LastPass to manage authentication information, and we store a number of shared logins in shared folders in LastPass.

  • Shared-ClearMyRecord: used for anyone on the clear my record team. This includes logins to demo and stage environments, the email testing account, and more
  • Shared-ClearMyRecordApplicantSupport: used for any shared logins that are specific to applicant support, such as the main gmail account. This should only be shared with people who need access to applicant's personal information.
  • Shared-ClearMyRecordGrowthCampaigns: used for shared accounts that pertain to growth campaigns, such as MailChimp
  • Shared-CfA Staff: used for shared logins used across the organization.

Front

Front is used for general correspondence & customer support, as well as handling applicant replies to SMS status updates and followup messages. No one needs access to Front unless they are engaging in direct communications with applicants. Front charges us based on the number of accounts, so we should limit accounts to only those necessary. Front has limited auditing and account access controls, and an incomplete security policy. Annie Lo (applicant support contractor) is the primary user of Front. Current administrators include:

  • Ben Golder
  • Jazmyn
  • Jenny MT
  • Tiffany Andrews
  • Laura Kogler

Gmail

We have two email accounts on Gmail:

  • [email protected], used as a central point of contact for communicating with both applicants and county partners. This email is managed by Front, but you can log in to the account using the password stored in LastPass. This account is managed by the admins of Code for America's Google Org account
  • [email protected], used for testing email functionality. This email is used for all fake seed data applicants and fake county partner accounts. The login information is stored in LastPass.

Mailing Lists

We have two mailing lists set up using Code for America's Google Org account.

  • [email protected], used for sending important alerts about bugs, errors, performance issues, or anything else.
  • [email protected], used as a point of contact for partnerships communications.

Twilio

Twilio is connected to the Front account for sending and receiving SMS messages. We also have a small app, phone, which integrates with Twilio to handle incoming voicemails to our main phone number. Twilio is administered by logging in with a CfA-wide account (kept in LastPass) and then accessing the Clear My Record or Clear My Record (Testing) subaccounts.

Mailgun

Mailgun is used for relaying email replies to status updates and for validating emails. Mailgun is administered with individual accounts (Ben, Mikela, Laura) and recently invited [email protected] in order to switch billing.

Slack

Slack is used for posting specific types of alerts. Slack is administered by CfA, and each Slack account can administer notifications.

Mixpanel

Mixpanel is used to track usage and analytics. It does not contain PII. It is owned by Lou. Anyone on the Clear My Record team, including contractors, should be able to access it.

Google Analytics

Google Analytics is used to track acquisition and general analytics. It does not contain PII. Anyone on the Clear My Record team, including contractors, should be able to access it. It is administered by Laura, Mikela, Lou, Tiffany, Jenny, and Ben.

GeckoBoard

GeckoBoard is managed by Code For America (not CMR-specific). Various people have been added individually. It does not contain PII.

Optimizely

Optimizely has never been used, but an account was created in anticipation of use. It is owned by Tiffany.

Github

GitHub is used for storing our application code and tracking issues. There is a Clear My Record GitHub team that includes everyone actively involved in Clear My Record. Mikela, Laura, and Ben are the maintainers of the team.

Travis

Travis CI is managed through our GitHub accounts, and thus matches the same permissions and settings as the GitHub repo.

Code Climate

Code Climate is managed through our GitHub accounts, and thus matches the same permissions and settings as the GitHub repo.

Requires.io

Requires.io is managed through our GitHub accounts, and thus matches the same permissions and settings as the GitHub repo.

AWS

AWS access is set up using IAM. There are two major levels of access, infra and developer-specific, each corresponding to an IAM group with a set of permissions. infra users have full administrative permissions. developer-specific users can read and write specific resources. Mikela, John, and Laura all have user accounts assigned to the infra group, while Ben is assigned to the developer-specific group.
