technical:generic:account-audit-portal

Differences

This shows you the differences between two versions of the page.

technical:generic:account-audit-portal [2026-01-14 15:20] frey
technical:generic:account-audit-portal [2026-01-15 12:00] (current) frey
Line 3: Line 3:
 The IT Research Cyberinfrastructure (IT-RCI) team conducts periodic audits of all user accounts on the research computing systems in accordance with the University of Delaware IT Security guidelines.  These account audits are critical to protecting the integrity and security of our HPC systems and other University assets.  Unused or outdated accounts pose a significant security risk:  compromised credentials could allow unauthorized access to research computing resources and potentially other UD systems. The IT Research Cyberinfrastructure (IT-RCI) team conducts periodic audits of all user accounts on the research computing systems in accordance with the University of Delaware IT Security guidelines.  These account audits are critical to protecting the integrity and security of our HPC systems and other University assets.  Unused or outdated accounts pose a significant security risk:  compromised credentials could allow unauthorized access to research computing resources and potentially other UD systems.
  
-All accounts have at least one sponsor on the system(s) so, under an account audit, sponsors must indicate the ongoing status of every extant account s/he has okayed.  To collect these dispositions, a web portal has been created to be used by sponsors.  The portal presents and queries only the pertinent information:  the format is (hopefully) intuitive and self-guiding.+All accounts have at least one workgroup sponsor on the system(s) so, under an account audit, administrative contacts for the workgroups must indicate the ongoing status of every extant account previously approved.  To collect these dispositions, a web portal has been created to be used by workgroups' administrative contacts.  The portal presents and queries only the pertinent information:  the format is (hopefully!) intuitive and self-guiding.
  
-====== An audit begins ======+===== An audit begins =====
  
 Every IT-RCI workgroup has one or more individuals listed as contacts for administrative functions.  When IT-RCI begins an account audit, all such individuals will be emailed to direct them to login to the audit portal and fill-out disposition records for every user present in the workgroup at that time. Every IT-RCI workgroup has one or more individuals listed as contacts for administrative functions.  When IT-RCI begins an account audit, all such individuals will be emailed to direct them to login to the audit portal and fill-out disposition records for every user present in the workgroup at that time.
  
-====== Login ======+<note important>The audit portal embodies workgroup memberships //as of the date the audit began// New accounts added //after the audit has begun// will not appear in the portal.</note> 
 + 
 +===== Login =====
  
 Most workgroup contacts possess an IT-RCI account, and that account should be used to authenticate on the audit portal.  For example, the IT-RCI user ''trainf'' acting as contact on a workgroup should authenticate with the username ''trainf'' and the IT-RCI password. Most workgroup contacts possess an IT-RCI account, and that account should be used to authenticate on the audit portal.  For example, the IT-RCI user ''trainf'' acting as contact on a workgroup should authenticate with the username ''trainf'' and the IT-RCI password.
  
-Contacts who do **not** possess an IT-RCI account will have a UDelNet Id and password for central University systems (including email).  In this case, the contact's email address and UDelNet password should be used to authenticate on the audit portal.  For example, Betty Crocker is an administrative contact on workgroup ''chocochip'' but has no IT-RCI account; she should use her UD email address, ''crocker@udel.edu'', and UDelNet password.+Contacts who do **not** possess an IT-RCI account will have a UDelNet ID and password for central University systems (including email).  In this case, the contact's email address and UDelNet password should be used to authenticate on the audit portal.  For example, Betty Crocker is an administrative contact on workgroup ''chocochip'' but has no IT-RCI account; she should use her UD email address, ''crocker@udel.edu'', and UDelNet password
 + 
 +The portal exists at [[https://www.hpc.udel.edu/acct-audit/|https://www.hpc.udel.edu/acct-audit/]].
  
-====== Home page ======+===== Home page =====
  
 The account audit portal home page lists all workgroups on which the authenticated user is a contact person: The account audit portal home page lists all workgroups on which the authenticated user is a contact person:
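Review bot: In the added <note important> under "An audit begins", the two sentences run together: there is no full stop between "//as of the date the audit began//" and "New accounts added", so the rendered note reads as a single sentence. Add the period after the closing "//". The rewritten UDelNet paragraph has a similar slip: the new text ends at "and UDelNet password" and drops the final period the old text had. Since the note states that accounts added after the audit has begun will not appear in the portal, it would also help to say how those accounts get reviewed.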
Line 23: Line 27:
 In this example, the user is contact on the ''it_nss'' workgroup, which has a group id number (GId#) of 1001 and project id number (PId#) of 1.  The progress bar shows that 66.67% of the user disposition records have been collected.  The **EDIT** button can be clicked to access user disposition records for that workgroup to progress toward the goal of 100%. In this example, the user is contact on the ''it_nss'' workgroup, which has a group id number (GId#) of 1001 and project id number (PId#) of 1.  The progress bar shows that 66.67% of the user disposition records have been collected.  The **EDIT** button can be clicked to access user disposition records for that workgroup to progress toward the goal of 100%.
  
-====== Edit workgroup ======+===== Edit workgroup =====
  
 After clicking the **EDIT** button, a page displaying the workgroup summary appears: After clicking the **EDIT** button, a page displaying the workgroup summary appears:
Line 40: Line 44:
 Cluster names in green have had their user dispositions completed.  The **EDIT** button on user ''frey'' can be clicked to update that user's disposition with respect to the Caviness cluster (which appears in red). Cluster names in green have had their user dispositions completed.  The **EDIT** button on user ''frey'' can be clicked to update that user's disposition with respect to the Caviness cluster (which appears in red).
  
-===== Edit user dispositions =====+==== Edit user dispositions ====
  
 The top portion of the user dispositions page contains information about the user: The top portion of the user dispositions page contains information about the user:
Line 46: Line 50:
 {{ :technical:generic:user_edit.png?w=400 |}} {{ :technical:generic:user_edit.png?w=400 |}}
  
-The administrative contact(s) can use this information to determine who the user is and whether or not s/he should retain access to IT-RCI systems.+The administrative contact(s) can use this information to determine who the user is and whether or not access to IT-RCI systems should be retained.
  
 Below the identity section are the actual per-cluster disposition records.  Since user ''frey'' has not had a disposition set for Caviness yet, that section is our target: Below the identity section are the actual per-cluster disposition records.  Since user ''frey'' has not had a disposition set for Caviness yet, that section is our target:
Line 56: Line 60:
 **If the account should be removed from the cluster**, choose the "Remove this user from the cluster" option from the menu and fill-out any storage dispositions that appear (see next section). **If the account should be removed from the cluster**, choose the "Remove this user from the cluster" option from the menu and fill-out any storage dispositions that appear (see next section).
  
-==== Storage dispositions ====+<note important>At any time the **SAVE CHANGES** button can be clicked to commit modifications to the server.</note> 
 + 
 +=== Storage dispositions ===
  
 When a user is set to be removed from the cluster, additional fields may appear that request what to do with files owned by that user on workgroup or scratch file systems: When a user is set to be removed from the cluster, additional fields may appear that request what to do with files owned by that user on workgroup or scratch file systems:
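Review bot: The added note before "Storage dispositions" says **SAVE CHANGES** commits modifications to the server, but not what happens to edits if the contact leaves the page without clicking it. State that explicitly (for example, whether unsaved dispositions are discarded), because the storage options described next include removing a user's files and the contact needs to know at what point that choice is recorded.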
Line 66: Line 72:
 **If the user's files should be deleted (nothing retained)**, choose "Remove files/directories owned by this user" from the menu. **If the user's files should be deleted (nothing retained)**, choose "Remove files/directories owned by this user" from the menu.
  
-**If the user's files should be retained and reowned for access by someone else, choose "Reown files/directories owned by this user" from the menu and fill-out the additional fields that appear (see next section).+**If the user's files should be retained and reowned for access by other user(s)**, choose "Reown files/directories owned by this user" from the menu and fill-out the additional fields that appear (see next section).
  
-=== Reownership ===+== Reownership ==
  
 File ownership can be transferred to a specific user within the workgroup **or** to the workgroup as a whole: File ownership can be transferred to a specific user within the workgroup **or** to the workgroup as a whole:
Line 74: Line 80:
 {{ :technical:generic:caviness_disposition_3.png?w=400 |}} {{ :technical:generic:caviness_disposition_3.png?w=400 |}}
  
 +**If all members of the workgroup should be allowed to access and modify the files**, choose "To the workgroup" from the menu.  All files owned by the user on the file system in question will have their group ownership reassigned explicitly to the workgroup.
 +
 +**If a single user in the workgroup should be allowed to access and modify the files**, choose "To a specific workgroup user" from the menu and choose the target user from the menu that appears:
 +
 +{{ :technical:generic:caviness_disposition_4.png?w=400 |}}
 +
 +<note important>Only members of the workgroup who have accounts on the cluster will appear in the menu for reownership.</note>
 +
 +All files owned by the original user on the file system in question will have their user ownership reassigned explicitly to the target user.
 +
 +== Fixup permissions ==
 +
 +If the "Fixup permissions on reowned file/directories/" checkbox is checked:
 +
 +  * **For reownership to the workgroup**, permissions will be altered to give the **group** read+write+execute
 +  * **For reownership to a user**, permissions will be altered to give the **user** read+write+execute and the **group** no privileges
 +
 +If not checked, then the permissions will not be altered.
 +
 +===== Navigation =====
 +
 +In the header of each page is a list of breadcrumb links back to the workgroup edit or home page.  With all changes to the ''frey'' account saved, the home button (left-most in the breadcrumb list) can be clicked.  The home page now shows:
 +
 +{{ :technical:generic:home_page_2.png?w=400 |}}
  
 +Hooray — all user disposition records have been completed for the workgroup!
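Review bot: In the new "Fixup permissions" section, both bullets grant read+write+execute without saying whether execute is applied to regular files or only to directories, and neither says what happens to the "other" permission bits (or, for workgroup reownership, to the user bits). Spell out the resulting mode for files and for directories in each case so a contact can tell what access is being granted before checking the box. The checkbox label is also quoted as "Fixup permissions on reowned file/directories/", with a singular "file" and a trailing slash that the other menu labels ("Reown files/directories owned by this user") do not have; check it against the portal. For "To the workgroup", the text says only the group ownership is reassigned, so it is worth stating who remains the user owner of those files once the account is removed.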
  • technical/generic/account-audit-portal.1768422054.txt.gz
  • Last modified: 2026-01-14 15:20
  • by frey