# User accounts and access control
As a general principle, users are only given access to the resources they need to do their job. When a user's responsibilities change or they leave then access to any resources should be reviwed and removed / ammended as appropriate.
Two-factor authentication (TFA) should be used when available.
# Authenticated services
Agile Collective use the following services:
# Types of user
When talking about groups of people who may have accounts on the different services this page makes the following distinctions:
- Employees: Anyone with an employment contract with Agile Collective. This include sole trader members.
- Collaborators: The community of freelancers and contractors who work with Agile Collective.
- Clients: People who use Agile Collective's services, either as a customer or indirectly by working with a customer.
When someone joins Agile Collective – whether as an employee or collaborator – they will likely be given a Google account. This provides email, calendar and access to our shared Google Drive. Unlimited access to the Google Drive folder should only be given to employees of Agile Collective. Collaborators should only have access to the folders they need to do their job (typically specific to a particular client or project). When they no longer need access to that folder(s) (e.g. the project finishes) then access should be removed.
Members of Agile Collective are assigned the Super Admin role. All other accounts should just be standard accounts.
Project managers may assign access to folders / files in Drive to collaborators and clients as part of any project work. Access to these files should be removed once it's no longer required, usually as part of project cessation.
When an employee leaves or we are no longer working with a contractor their Google account should be disabled to prevent access. Accounts that have been diasabled for more than one year will be deleted.
Members of the People or Tech Circle should create / disable / delete accounts as part of the onboarding / offboarding process.
Google accounts should use TFA.
Anyone needing access to the servers will have their own account on the server with access over SSH using key files.
All members of the Support and Tech Circles have access to all client and internal web servers with sudo privileges. Access to servers providing core internal services is restricted to members of the Tech Circle and sysadmins.
Collaborators who need access to a server will have an account created for them as required. When they no longer require access the account will be removed.
Sometimes a client will need access to their servers, in which case users are created on their servers as required. These users should have the minimum permissions required. For password protected and SFTP accounts the user should ideally be chrooted to their home directory.
All user accounts are created and removed using Ansible with only sysadmins able to create or delete accounts. Requests to change an account should be made in the Rocket #devops channel.
All employees may have accounts on the CRM. Only members of the BD and Tech circles should have admin accounts.
Accounts are managed by the BD and Tech circles.
All employees, collaborators and clients may be given accounts in Figma.
Accounts are managed by the Design Circle.
All employees may have Forecast accounts. Only Agile Collective members or probationary members should have view and edit permissions, everyone else should just have view permissions.
Accounts are managed by the People Circle.
All employees, collaborators and clients can request a Gitlab account. Employees are given access to all projects and groups. Collaborators are only given access to projects and groups they required. Clients have external accounts and are only given access to the projects they're associated with.
Only members of the Support and Tech circles have admin accounts.
The Tech Circle will create accounts for employees as part of the onboarding process and will remove access to projects and groups as part of the offboarding process. Accounts and access for collaborators and clients can be created by the Tech Circle as required.
Gitlab accounts should use TFA.
All employees and collaborators may have Harvest accounts. Only Agile Collective members should have administrator permissions. Employees who are not members should have manager permissions. Collaborators should have member permissions.
Employees should have full access to all projects. Collaborators (or contractors as they're known in Harvest) should be given access to projects they are working on and this should be removed when they no longer need access.
Accounts are managed by the People Circle. Project managers should add contractors to projects at the start of the project and remove them once it's finished.
All Agile Collective members and probationary members should have an account on Loomio. This should be removed when someone is no longer a member.
All employees, collaborators and clients may be given accounts in Miro.
Accounts are managed by the Design Circle.
All employees can be given access to Passbolt. Only members have full access to everything. Probationary members have basic access to the Agile Collective passwords. Sysadmins have access to the 'Servers' group. Support staff have access to the 'Supported sites' group.
Accounts are created / removed by the People or Tech circles as part of the onboarding / offboarding process.
All employees and collaborators have accounts in Rocket. When people leave their account should be disabled. Only members of the Tech Circle are assigned the admin role. Employees should have the member role. Collaborators should only be assigned the user role.
When someone leaves they should be removed from any channels used for internal communications.
Members of the Tech Circle will add and remove users as requested.
All employees, collaborators and clients can have accounts in the Support system. Only members of the Support and Tech Circles should have admin rights.
User accounts will be created and disabled as required by the Support or Tech circles.
All employees, collaborators and clients can have accounts in Taiga. Access to Taiga projects is given as required. All employees may have access to project and circle project boards. When an employee leaves they should be removed from all circle and other project boards.
All employees may be given accounts in Xero. Only members of the Finance Circle should have extended privileges.
Accounts are managed by the Finance Circle.
Xero accounts should use TFA.