tdr-user-administrator.md

File metadata and controls

170 lines (130 loc) · 9.48 KB

TDR User Administrator Manual

Determining legitimate user requests

Standard Users

All requests for a new TDR account should be referred to our Digital Transfer Advisors on tdr@nationalarchives.gov.uk to validate the request before proceeding.

Judgment Users

As agreed with the Judicial Office, new TDR account requests can be added without further validation provided that the email address the request comes from ends in:

  • @ejudiciary.net

  • @justice.gov.uk

Any requests made from @supremecourt.uk should be checked with paul.sandles@supremecourt.uk

All other requests received should be validated by the Judgments Judicial Helpdesk on judgmentshelpdesk@judiciary.uk

Role Description

TDR user administrators have rights and privileges to manage:

  1. Transferring body users of the TDR application:
  • Create
  • Delete
  • Edit
  • Assign to transferring bodies
  2. Transferring body groups:
  • Add
  • Remove
  • Edit

Sending Emails to Users

Integration / Staging Environments GOVUK Notify Setup

  • To send an email to a user in the lower environments (Integration / Staging), the user must either:
    • have a GOVUK Notify account set up for that environment (internal TNA users only); or
    • have their email address added to the GOVUK Notify API integration guest list

Note: this is required as GOVUK Notify is not set up as a "live" service for TDR's lower environments.

Ask a developer to set up GOVUK Notify.

Production

No additional set up is required for adding users to Production.

Setting Up As TDR User Administrator

  1. Contact the TDR team to request set up as a TDR user administrator: tdr@nationalarchives.gov.uk
  2. You will receive an email from the TDR team; a separate email will be sent with a URL link for you to set a password
  3. Ensure you have either Google Authenticator (https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en_GB) or Microsoft Authenticator (https://www.microsoft.com/en-us/account/authenticator) available, as you will need one of these to log on to the Keycloak application
  4. Log on to the Keycloak application for the first time:
  • Note: Keycloak can only be accessed from the TNA network, either via Citrix or by connecting to TNA using PulseSecure
  • Go to the provided URL
  • You will be prompted to scan a QR code with an authenticator application to set up MFA for Keycloak

Managing Transferring Body Users

Adding a new transferring body

If a new user belongs to a new transferring body not already added to Keycloak, then:

  1. Go to the "Groups" page
  2. Click on the "tdr_transferring_body" group so that it is highlighted
  3. Click "new"
  4. The "Create Group" page will open
  5. Enter the name of the new transferring body
  6. Click "save"
  7. On the new group's page go to the attributes tab
  8. Enter a new "body" attribute:
  • In the "key" field enter: body
  • In the "value" field enter the code of the transferring body
    • This must match the TdrCode field added to the Body table in the database, so coordinate this change with the development team. It should begin with TDR-, e.g. TDR-MOJ or TDR-WA. We use the TDR- prefix to make it clear that the codes don't necessarily match departmental codes used in other catalogues.
  9. Click the "add" button under the "actions" column
  10. Click "save"
  11. Go back to the "Groups" page; the new transferring body should now be visible under the "tdr_transferring_body" group
  12. New users can now be assigned to that transferring body. See the "Creating a new user" section
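The same steps driven through the Keycloak Admin REST API, as an added example that is not part of this manual or the TDR code base. It assumes an admin bearer token, server base URL and realm name in the KEYCLOAK_ADMIN_TOKEN, KEYCLOAK_BASE_URL and KEYCLOAK_REALM environment variables, that tdr_transferring_body is a top-level group, and a body-code pattern (TDR- followed by two to ten upper-case letters or digits) inferred from the TDR-MOJ and TDR-WA examples. The validation up front is there because a mis-typed code silently breaks the match against the TdrCode column of the Body table.

```python
"""Add a transferring body group under tdr_transferring_body via the Keycloak Admin REST API.

Added example; not TDR project code. Assumptions: admin bearer token in KEYCLOAK_ADMIN_TOKEN,
server base URL in KEYCLOAK_BASE_URL, realm name in KEYCLOAK_REALM, parent group named
tdr_transferring_body (as in the manual), body-code pattern inferred from TDR-MOJ / TDR-WA.
"""
import json
import os
import re
import sys
import urllib.error
import urllib.request

PARENT_GROUP = "tdr_transferring_body"
# Assumed shape of a body code: the manual's TDR- prefix plus a short upper-case token.
BODY_CODE_RE = re.compile(r"^TDR-[A-Z0-9]{2,10}$")
NEW_ID = "{new_group_id}"  # placeholder, resolved from the Location header after the POST


def validate_body_code(code: str) -> str:
    """Check a body code before it is written to Keycloak; returns the stripped code.

    The value must equal the TdrCode of the Body table row, so a typo here would
    silently break the link between the Keycloak group and the database.
    """
    code = code.strip()
    if not BODY_CODE_RE.match(code):
        raise ValueError(f"body code {code!r} must look like TDR-MOJ (TDR- prefix, upper case)")
    return code


def build_requests(parent_group_id: str, body_name: str, body_code: str) -> list:
    """Return the Admin API calls, in order, that mirror the console clicks:
    create the sub-group, then set its 'body' attribute.

    Each call is (method, path relative to /admin/realms/<realm>, JSON body).
    """
    name = body_name.strip()
    if not name:
        raise ValueError("transferring body name must not be empty")
    code = validate_body_code(body_code)
    return [
        ("POST", f"/groups/{parent_group_id}/children", {"name": name}),
        # Group attributes are a map of attribute name -> list of values.
        ("PUT", f"/groups/{NEW_ID}", {"name": name, "attributes": {"body": [code]}}),
    ]


def admin_call(method: str, path: str, body=None):
    """Send one Admin REST API call; returns (status, Location header, parsed JSON or None)."""
    base = os.environ["KEYCLOAK_BASE_URL"].rstrip("/")
    url = f"{base}/admin/realms/{os.environ['KEYCLOAK_REALM']}{path}"
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {os.environ['KEYCLOAK_ADMIN_TOKEN']}",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return resp.status, resp.headers.get("Location"), (json.loads(raw) if raw else None)


def find_top_level_group_id(name: str) -> str:
    """Look the parent group up by name among the realm's top-level groups."""
    _, _, groups = admin_call("GET", "/groups")
    for group in groups:
        if group["name"] == name:
            return group["id"]
    raise LookupError(f"group {name!r} not found in realm")


def run(body_name: str, body_code: str) -> str:
    """Create the group and set its attribute; returns the new group's id."""
    parent_id = find_top_level_group_id(PARENT_GROUP)
    new_id = None
    for method, path, payload in build_requests(parent_id, body_name, body_code):
        if new_id:
            path = path.replace(NEW_ID, new_id)
        try:
            _, location, _ = admin_call(method, path, payload)
        except urllib.error.HTTPError as err:
            # 409 means a sibling group with this name already exists: do not create a duplicate.
            raise SystemExit(f"{method} {path} failed with HTTP {err.code}: {err.read().decode()}")
        if method == "POST":
            new_id = location.rstrip("/").rsplit("/", 1)[-1]  # Keycloak returns the new group's URL
    return new_id


if __name__ == "__main__":
    if len(sys.argv) != 3:
        raise SystemExit("usage: add_body.py '<transferring body name>' TDR-<CODE>")
    print(run(sys.argv[1], sys.argv[2]))
```

The plain GET /groups listing is enough to find the parent because tdr_transferring_body is a top-level group. The second call needs the id of the group just created, which Keycloak only reveals in the Location header of the POST, so the script resolves the placeholder after that call rather than guessing.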

Creating a new user

If a new user needs to be added, then:

  1. Go to the "Users" page
  2. Click on "Add user"
  3. Fill in the relevant fields for the new user's details:
  • The following fields must be filled in for a valid user to be created:
    • User Name (this should be the user's email address)
    • First Name
    • Last Name
    • Email
  4. Click "save"
  5. Go to the "Groups" tab
  6. From the "Available Groups" box select the transferring body the new user belongs to:
  • If the transferring body does not appear, see the "Adding a new transferring body" section for details of how to add one
  7. Add the new user to the relevant transferring body by clicking "Join"
  8. From the "Available Groups" box select the "user type" for the user:
  • Judgment User:
    • Note: this group should only be applied to users who will be transferring judgments
    • add the new user to the "user_type/judgment_user" group
    • the user should now show two groups in "Group Membership": "transferring body" and "user type"
  • Standard User:
    • Note: this group should be applied to all users other than those who will be transferring judgments
    • add the new user to the "user_type/standard_user" group
    • the user should now show two groups in "Group Membership": "transferring body" and "user type"
  9. Go to the "Credentials" tab
  10. Request that the user sets their password and MFA:
  • Under the "Credentials Reset" section add the "Update Password (UPDATE_PASSWORD)" option to the "Reset Actions"
  • If the user will be using an app for MFA, add the "Configure OTP (CONFIGURE_TOTP)" option to the "Reset Actions"
  • If the user will be using a hardware USB token for MFA, add the "Webauthn Register (webauthn-register)" option to the "Reset Actions"
  • Click the "Send Email" button. This sends the user an email with a URL link asking them to set a password and configure the selected MFA method
  • An email confirmation dialog box will appear if the email was sent successfully.
  11. Go back to the Users page
  12. Click "View all users"
  13. The new user should appear in the list of all users
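An added example, not the manual's or the TDR project's code, that builds the same user the console steps produce but through the Keycloak Admin REST API. The group paths, the required-action aliases and the rule that the username is the email address come from this manual; the email pattern, the {new_user_id} placeholder (filled from the Location header Keycloak returns on the POST) and the sample input are assumptions. The script only builds and prints the calls; sending them needs an admin bearer token against /admin/realms/<realm>.

```python
"""Build the Keycloak Admin REST API calls that create a TDR transferring-body user.

Added example; not TDR project code. Group paths, required-action aliases and the
username == email rule are from the manual; the email regex and the {new_user_id}
placeholder are assumptions.
"""
import json
import re
import sys

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # assumed minimal sanity check
TRANSFERRING_BODY_PARENT = "/tdr_transferring_body"
USER_TYPE_GROUPS = {
    "standard": "/user_type/standard_user",  # everyone except judgment transferrers
    "judgment": "/user_type/judgment_user",  # only users who will transfer judgments
}
MFA_ACTIONS = {
    "app": "CONFIGURE_TOTP",       # authenticator app
    "token": "webauthn-register",  # hardware USB token
}
NEW_ID = "{new_user_id}"  # replaced with the id taken from the POST's Location header


def build_user_representation(email, first_name, last_name, body_group, user_type, mfa):
    """Return the UserRepresentation for POST /users: both group memberships plus the
    required actions that force a password set and MFA enrolment at first log-in."""
    email = email.strip().lower()
    if not EMAIL_RE.match(email):
        raise ValueError(f"{email!r} is not an email address")
    if user_type not in USER_TYPE_GROUPS:
        raise ValueError(f"user_type must be one of {sorted(USER_TYPE_GROUPS)}")
    if mfa not in MFA_ACTIONS:
        raise ValueError(f"mfa must be one of {sorted(MFA_ACTIONS)}")
    if not first_name.strip() or not last_name.strip():
        raise ValueError("first and last name are required")
    body_group = body_group.strip()
    if not body_group or "/" in body_group:
        raise ValueError("transferring body must be a single group name under tdr_transferring_body")
    return {
        "username": email,  # the manual requires the username to be the email address
        "email": email,
        "firstName": first_name.strip(),
        "lastName": last_name.strip(),
        "enabled": True,
        # Kept on the user as well as in the email, so the actions survive an expired link.
        "requiredActions": ["UPDATE_PASSWORD", MFA_ACTIONS[mfa]],
        # Group paths; Keycloak joins the user to each path when the user is created.
        "groups": [f"{TRANSFERRING_BODY_PARENT}/{body_group}", USER_TYPE_GROUPS[user_type]],
    }


def plan_new_user(email, first_name, last_name, body_group, user_type, mfa):
    """Return the ordered Admin API calls (method, path under /admin/realms/<realm>, body)."""
    rep = build_user_representation(email, first_name, last_name, body_group, user_type, mfa)
    return [
        ("POST", "/users", rep),
        # Same as the console's "Credentials Reset" email: Keycloak mails a one-time link
        # that walks the user through exactly these actions.
        ("PUT", f"/users/{NEW_ID}/execute-actions-email", list(rep["requiredActions"])),
    ]


if __name__ == "__main__":
    if len(sys.argv) != 7:
        raise SystemExit("usage: new_user.py <email> <first> <last> '<body group>' standard|judgment app|token")
    print(json.dumps(plan_new_user(*sys.argv[1:]), indent=2))
```

Rejecting a transferring body name that contains a slash matters because Keycloak resolves the groups field as paths: a stray slash would silently point at a non-existent sub-group instead of the body you meant.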

Resetting existing user's OTP

If an existing user's OTP needs resetting, then:

  1. Go to the "Users" page
  2. Search for the user using their email address
  3. Go to the user's details
  4. Under the "Required User Actions" section add the "Configure OTP (CONFIGURE_TOTP)" option
  5. Go to the user's Credentials tab
  6. Select "Delete" next to their existing OTP entry to remove their current OTP credentials
  7. Inform the user to delete any previous OTP accounts in their authenticator app before they set up their new OTP
  8. When the user signs in with their existing email and password they will be prompted on screen to scan a new QR code to set up their OTP

Resetting existing user's password

If an existing user's password needs resetting, then:

  1. Go to the "Users" page
  2. Search for the user using their email address
  3. Go to the user's details
  4. Go to the user's Credentials tab
  5. Select "Delete" next to their existing password to remove their password credentials
  6. Under the "Credentials Reset" section add the "Update Password (UPDATE_PASSWORD)" option to the "Reset Actions":
  7. Click the "Send Email" button. This will send an email to the user, with a URL link requesting they reset their password
  8. An email confirmation dialog box will appear if the email was sent successfully.
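The two reset procedures above reduce to the same three Admin REST API calls (delete the stored credential of the relevant type, set a required action, and for passwords send the reset email), so one added example, not the manual's or the TDR project's code, covers both. The user record and credential list are constructed samples in the shape Keycloak returns from GET /users/{id} and GET /users/{id}/credentials, with made-up ids; kind selects the OTP or password variant.

```python
"""Plan an OTP or password reset for an existing Keycloak user, mirroring the manual's
two reset procedures.

Added example; not TDR project code. SAMPLE_USER and SAMPLE_CREDENTIALS are constructed
in the shape of GET /users/{id} and GET /users/{id}/credentials responses; ids are made up.
"""
import json
import sys

RESET_ACTION = {"otp": "CONFIGURE_TOTP", "password": "UPDATE_PASSWORD"}  # aliases from the manual

SAMPLE_USER = {  # constructed
    "id": "9a8b7c6d-0000-4000-8000-0000000000aa",
    "username": "jane.doe@example.gov.uk",
    "enabled": True,
    "requiredActions": [],
}
SAMPLE_CREDENTIALS = [  # constructed; the type values are the ones Keycloak uses
    {"id": "c0000001-0000-4000-8000-000000000001", "type": "password", "createdDate": 1700000000000},
    {"id": "c0000002-0000-4000-8000-000000000002", "type": "otp", "userLabel": "Google Authenticator",
     "createdDate": 1700000100000},
    {"id": "c0000003-0000-4000-8000-000000000003", "type": "otp", "userLabel": "old phone",
     "createdDate": 1690000000000},
]


def plan_reset(user: dict, credentials: list, kind: str) -> list:
    """Return the ordered Admin API calls (method, path under /admin/realms/<realm>, body).

    otp:      set CONFIGURE_TOTP as a required action, then delete every stored OTP
              credential, so the next log-in with the existing password shows a new QR code
              (remind the user to delete the old entry from their authenticator app).
    password: delete the stored password, so the old one stops working at once, then send
              the UPDATE_PASSWORD link by email.
    """
    if kind not in RESET_ACTION:
        raise ValueError(f"kind must be one of {sorted(RESET_ACTION)}")
    if not user.get("enabled", False):
        # The manual: a disabled account cannot be emailed, so re-enable it first.
        raise RuntimeError(f"{user['username']} is disabled; re-enable the account before resetting")
    uid = user["id"]
    action = RESET_ACTION[kind]
    deletes = [("DELETE", f"/users/{uid}/credentials/{cred['id']}", None)
               for cred in credentials if cred.get("type") == kind]
    if kind == "otp":
        # PUT /users/{id} replaces requiredActions wholesale, so merge instead of overwriting.
        actions = list(user.get("requiredActions") or [])
        if action not in actions:
            actions.append(action)
        return [("PUT", f"/users/{uid}", {"requiredActions": actions})] + deletes
    return deletes + [("PUT", f"/users/{uid}/execute-actions-email", [action])]


def describe(plan: list) -> str:
    """One line per call, for review before anything is sent."""
    return "\n".join(f"{m} {p}" + (f" {json.dumps(b)}" if b is not None else "") for m, p, b in plan)


if __name__ == "__main__":
    kind = sys.argv[1] if len(sys.argv) > 1 else "otp"
    print(describe(plan_reset(SAMPLE_USER, SAMPLE_CREDENTIALS, kind)))
```

Deleting every credential of the chosen type, not just the first one, matters because a user can have enrolled more than one authenticator; leaving one behind would let a device the user has lost keep satisfying MFA.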

Disabled user account

A user's account may become disabled for several reasons, including:

  • too many failed log-in attempts (Keycloak's brute force detection)
  • being manually disabled

On the Details tab of a disabled account the User Enabled toggle will be set to Off.

If a user's account is disabled it is not possible to send an email to the user.

Re-enable a user account

If the account was disabled by too many failed log-in attempts, confirm with the user that the attempts were theirs before re-enabling it.

To re-enable the user's account, and allow the sending of email:

  1. Change the User Enabled toggle to On; and
  2. Click Save
  3. On the Details tab the User Enabled toggle should now show On

Find a user on Keycloak with just the user ID

To locate a specific user when you only have their user ID:

  1. Navigate to any user's details
  2. In the URL you will see that user's ID. Overtype it with the ID of the user you want to find.
  3. Refresh the page and it will take you to that user's full details.