Access Control
Auth0 allows an organisational account to have multiple tenants (one for each service). We currently run a single tenant, Voluntarily.
Auth0 then allows multiple people to be added as admins of that tenant.
Current admins (Jan 2020) are:
Andrew Watkins (as Ops Manager)
James Goodman, TEC (as TEC integration developer, to allow integration of Auth0 with ESL)
Admin Permissions Process
To be given admin rights you must:
be a technical employee of Voluntarily or of an integration partner,
or be a trusted and experienced long-term contributor whom we have met in person.
To add a new admin, an existing admin must send them an invite from the tenant admins page. Each admin should enable multi-factor authentication on their Auth0 dashboard login, since a single compromised admin account is enough to lock the rest of the team out of the tenant (see Risk of losing access to the service below).
Revoking Permissions
Revoke access here: https://manage.auth0.com/dashboard/au/voluntarily/tenant/admins
Access will be revoked for a person who:
no longer meets the above requirements;
has not needed access to change the service for more than 12 months;
takes any action causing malicious harm to the project or codebase;
breaks the code of conduct towards others;
engages in any illegal activity.
Auditing Permissions and Changes
All sign-ins and configuration changes are recorded in the tenant logs, which should be reviewed quarterly. Note that Auth0 retains tenant logs only for a limited number of days that depends on the subscription plan, so a quarterly review of the dashboard alone will not cover the whole quarter; logs that need to be kept for review must be exported (via the Management API or a log stream) before they expire.
Asset protection and disaster recovery
Risk of losing access to the service
We would lose access to the service under the following circumstances
failure of Auth0 or withdrawal of the service;
loss of Open Source status and/or failure to pay service charges;
a malicious person gaining admin access, removing the other admins and disabling the tenant.
Impact of losing access to service
If the service is lost, existing users (including Voluntarily admins) would be unable to sign in, use the platform or access their accounts. We would have to:
identify an alternative authentication service, e.g. Okta or a built-in library;
update the platform to use the new service's APIs;
migrate the user accounts;
contact all users and ask them to reset their passwords (database accounts only).
Social and enterprise sign-in would not require a password reset.
This could result in a two-week outage.
Backup Process
Currently none.
In theory, we can use the Management API to extract a copy of our configuration (tenant settings, applications, connections, resource servers, rules and roles). Such an export contains client secrets and connection credentials and must be stored as carefully as the tenant itself. It also covers configuration only, not user accounts, and the user export job available through the Management API does not include password hashes.
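The export described above, as an added example that is not part of this page or the Voluntarily code base: a script that pulls the tenant's settings, clients, connections, resource servers, rules and roles from the Management API v2, blanks secret-bearing fields before writing the snapshot to disk, and diffs two snapshots so the quarterly review can see exactly which configuration entries were added, removed or changed. It assumes a machine-to-machine application authorised for the Management API with read-only scopes, and the environment variable names AUTH0_DOMAIN, AUTH0_CLIENT_ID and AUTH0_CLIENT_SECRET are my choice; the list of secret-bearing keys is also an assumption and should be checked against a real export.

```python
"""Snapshot an Auth0 tenant's configuration through the Management API v2 and
diff it against an earlier snapshot.

Added example for this page, not Voluntarily project code. Assumes a
machine-to-machine application with read-only Management API scopes and the
(assumed) env vars AUTH0_DOMAIN, AUTH0_CLIENT_ID and AUTH0_CLIENT_SECRET."""
import json
import os
import sys
import urllib.request

# Management API v2 collections to snapshot: name -> (path, paginated?).
RESOURCES = {
    "tenant_settings": ("/api/v2/tenants/settings", False),
    "clients": ("/api/v2/clients", True),
    "connections": ("/api/v2/connections", True),
    "resource_servers": ("/api/v2/resource-servers", True),
    "rules": ("/api/v2/rules", True),
    "roles": ("/api/v2/roles", True),
}
PAGE_SIZE = 100
# Keys whose values are credentials (assumed list; check it against a real export).
SECRET_KEYS = {"client_secret", "signing_keys", "cert", "pkcs7", "api_key"}


def get_token(domain, client_id, client_secret):
    """Client-credentials grant with the Management API as the audience."""
    body = json.dumps({"grant_type": "client_credentials", "client_id": client_id,
                       "client_secret": client_secret,
                       "audience": f"https://{domain}/api/v2/"}).encode()
    req = urllib.request.Request(f"https://{domain}/oauth/token", data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def make_fetch(domain, token):
    """Return fetch(path) -> parsed JSON for authenticated GET requests."""
    def fetch(path):
        req = urllib.request.Request(f"https://{domain}{path}",
                                     headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return fetch


def fetch_all(fetch, path, paginated):
    """Collect every page of a list endpoint; single-object endpoints pass through."""
    if not paginated:
        return fetch(path)
    items, page = [], 0
    while True:
        chunk = fetch(f"{path}?per_page={PAGE_SIZE}&page={page}")
        items.extend(chunk)
        if len(chunk) < PAGE_SIZE:
            return items
        page += 1


def redact(obj):
    """Recursively blank secret-bearing keys so the snapshot is safe to store."""
    if isinstance(obj, dict):
        return {k: "<redacted>" if k in SECRET_KEYS else redact(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


def snapshot(fetch):
    """Build the redacted snapshot; fetch is injected so it can run on canned data."""
    return {name: redact(fetch_all(fetch, path, paged))
            for name, (path, paged) in RESOURCES.items()}


def _by_key(items):
    """Index a collection by a stable identifier so entries can be matched for diffing."""
    if not isinstance(items, list):
        return {"settings": items}
    out = {}
    for i, item in enumerate(items):
        ids = item if isinstance(item, dict) else {}
        out[str(ids.get("client_id") or ids.get("id") or ids.get("identifier") or i)] = item
    return out


def diff_snapshots(old, new):
    """Return (resource, key, 'added'|'removed'|'changed') for every difference."""
    changes = []
    for name in RESOURCES:
        a, b = _by_key(old.get(name, [])), _by_key(new.get(name, []))
        for k in sorted(set(a) | set(b)):
            if k not in a:
                changes.append((name, k, "added"))
            elif k not in b:
                changes.append((name, k, "removed"))
            elif a[k] != b[k]:
                changes.append((name, k, "changed"))
    return changes


if __name__ == "__main__":  # usage: auth0_snapshot.py out.json [previous.json]
    domain = os.environ["AUTH0_DOMAIN"]
    token = get_token(domain, os.environ["AUTH0_CLIENT_ID"], os.environ["AUTH0_CLIENT_SECRET"])
    current = snapshot(make_fetch(domain, token))
    with open(sys.argv[1], "w") as f:
        json.dump(current, f, indent=2, sort_keys=True)
    if len(sys.argv) > 2:
        with open(sys.argv[2]) as f:
            for change in diff_snapshots(json.load(f), current):
                print(*change)
```

Even with secrets blanked, the snapshot still describes the tenant's attack surface (callback URLs, connection settings, enabled grant types), so it belongs in the project's private secrets store, not the public repository. Restoring from it is a manual exercise against the same endpoints; the script is a record of what the tenant looked like, not a one-click restore.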
Support - Managing User Identities
The Users page lets administrators manage user identities, including password resets, creating and provisioning users, and blocking and deleting users:
https://manage.auth0.com/dashboard/au/voluntarily/users
Monitoring
The Logs page gives admins access to all sign-in events and configuration changes:
https://manage.auth0.com/dashboard/au/voluntarily/logs