Access rights for ACOM, web conferences and advice drafting groups

[colinpmillar]

Summary

ADGs and web conferences may need to be able to look into the code and results from individual assessments. A decision on who can access what needs to be decided. This should be considered by ACOM, as it may be overkill to allow all ACOM members full access to all assessment repositories.

task list (draft - to be reviewed by TAFGOV)

• Work out the requirements, who need to access what - code, input data, results
• Make a proposal to ACOM
• Test implementation
• Implement in full

related issues

[jensr]

Does github support group permissions? E.g. can you establish groups for ACOM reviewers and then jsut add a single group to permissions? Not sure if github has a feature like that, and if it can be used to link across the ICES/ActiveDirectory type structure.

[colinpmillar]

Yes we can :) this is how we are starting to work now - we have groups (or teams in GH parlance) and the membership is based on the mebership in the ICES meetings system (RCT). We have developing systems that monitor the ICES list of members and add or remove from the github teams (note the word developing, there are still teathing problems).

I will need to understand how reviewers are recorded in RCT to understand how the case for reviewers will work, if they are members of the ADG then this will be easy.

[clordan]

My strong preference is to make all final assessment repositories available as read only to all ACOM members and alternates in advance of the ADG and WC. Observers and non-ACOM participants should only be allowed to see the repos pertaining to their ADG.

[colinpmillar]

Discussions with Mark DC: agreed

[colinpmillar]

@colinpmillar to check with some ACOM members that they can access the assessment repositories. This can be done during ACOM meeting 9/3/2021-10/3/2021

[colinpmillar]

User claims are now linked to the updated CRM (content resource managament) system in ICES, and we can identify the groups people are attached to (ACOM, ADGs etc). WHat needs to be done now is to open up the pages and repositories to ACOM and the apprporiuate ADG.

[colinpmillar]

users can check their claims in R using the icesConnect package, installed via:

options(repos = c(
  icestoolsprod = 'https://ices-tools-prod.r-universe.dev',
  CRAN = 'https://cloud.r-project.org'))

# Install some packages
install.packages('icesConnect')

then run:

icesConnect::decode_token()

to see a list of claims

[colinpmillar]

It is important to keep github access and ICES group membership in sync. this would probably be done using a daily procedure that would add and remove members from the ices-taf and ices-eg group members.

We also need to communicate to ICES community that GitHub access to repos depends on linking your giothub username with your ICES account

[colinpmillar]

the importance of automating this task was highlighted.
Work remaining

• link to the github API for adding and removing users from teams.
• implement how to refresh groups when members leave and join
• what to do when users have not provided thier github username
• importance of getting users to link thier github username with ICES

[colinpmillar]

We have a system in place where we can manually update groups quickly and easily, the steps in the process are:

• check group membership within ICES systems
• For users who have connected thier GitHub account: invite them to the approprate groups (this includes ACOM)
• For users who have not connected thier GitHub, send an email informing them that if they wich access to GitHub resources to create a github account and link it with ICES (not active - ACOM chair wanted to ask ACOM members and EG chairs to encourage members to do this first, then we will activeate this step)