Reviewing admin-level access to sites
DRAFT
In line with OICT requirements, the system administrator will conduct a monthly review of admin-level access recorded in the server logs and of the number of people who hold admin-level access, for both CKAN and WordPress. For CKAN, "admin-level" refers only to site administrators, not to org administrators.
The system administrator (Serban as of 2017-10-02) will deliver the following report to the head of operations (Aidan as of 2017-10-02) during the first week of every month:
- A list of all site-admin-level users who accessed non-public areas of CKAN in the previous month.
- A list of all admin-level users who accessed non-public areas of WordPress in the previous month.
- A list of all users who had site-admin-level access to CKAN on the last day of the previous month.
- A list of all users who had admin-level access to WordPress on the last day of the previous month.
The head of operations will review the lists and take the following actions:
- Flag any suspect activity for further review.
- Request the removal of any users who have left the Digital Data Services team over the past month, or who otherwise no longer require admin-level access to the system in question.