Reviewing admin-level access to sites

DRAFT

In line with OICT requirements, the system administrator will conduct a monthly review of admin-level access recorded in server logs, and of the number of people who hold admin-level access, for both CKAN and WordPress. For CKAN, "admin-level" refers only to site administrators, not to org administrators.

The system administrator (Serban as of 2017-10-02) will deliver the following report to the head of operations (Aidan as of 2017-10-02) during the first week of every month:

  1. A list of all site-admin-level users who accessed non-public areas of CKAN in the previous month.
  2. A list of all admin-level users who accessed non-public areas of WordPress in the previous month.
  3. A list of all users who had site-admin-level access to CKAN on the last day of the previous month.
  4. A list of all users who had admin-level access to WordPress on the last day of the previous month.

The head of operations will review the lists and take the following actions:

  • Flag any suspect activity for further review.
  • Request the removal of any users who have left the Digital Data Services team over the past month, or who otherwise no longer require admin-level access to the system in question.