Merge pull request #696 from lsst-dm/u/jchiang/onboarding_updates
reformat and re-organize onboarding steps
jchiang87 authored Sep 24, 2024
2 parents f68d2db + f4ad64e commit e963f1e
Showing 1 changed file with 72 additions and 78 deletions.
150 changes: 72 additions & 78 deletions usdf/onboarding.rst
Expand Up @@ -3,108 +3,102 @@ SLAC Onboarding Procedure
############################

Overview
=============================
========

The SLAC onboarding procedure involves the following steps:

- join the SLAC HEP users organization, SLUO
- fill out the SLAC Users Organization (SLUO) form
- fill out the SLAC Site Access Portal form
- **As of April 15 2024, IT is again creating Active Directory (AD) and unix accounts (of the same name).** The AD account is only used for annual cyber training and web access to Service Now (SLAC IT ticketing system). The AD account needs to be accessed every 60 days; notifications are sent out.
- IT creates the accounts and sends a link to reset the passwords
- do the SLAC Cyber training
#. Join the SLAC Users Organization, SLUO
#. Fill out the SLAC Site Access Portal form
#. Request a username and access to S3DF batch repos
#. Do the SLAC cyber training

**If you are an in-kind contributor, you'll need to be listed in** `SITCOMTN-050 <https://sitcomtn-050.lsst.io/>`__.
SLAC IT will create Active Directory (AD) and unix accounts (for the same username). The AD account is only used for annual cyber training and web access to Service Now, the SLAC IT ticketing system. The AD account needs to be accessed every 60 days; notifications are sent out. Once IT creates the accounts, a link will be emailed to reset the passwords.

**If you already have a SLAC unix account, you do not need to be re-onboarded.**
Notes:

Note that if you only have a SLAC Confluence account (eg for DESC or LSSTCam), you will still need to be onboarded as a user **and** there will be complications with your accounts. SLAC and Rubin confluence sites are independent installations.
* If you are an in-kind contributor, you'll need to be listed in `SITCOMTN-050 <https://sitcomtn-050.lsst.io/>`__.
* If you already have a SLAC unix account, you do not need to be re-onboarded. However, you may need to follow step 3 below.
* If you only have a SLAC Confluence account (e.g., for DESC or LSSTCam), you will still need to be onboarded as a user, **and** there will be complications with your accounts. SLAC and Rubin Confluence sites are independent installations.

- if your existing Confluence account name is longer than 8 characters (or if for some reason your unix account name did not match your confluence one), you will need a different name. In that case, a new Confluence identity is created using your unix account name, added to DESC permissions, and your old account deleted.
- else: you will need to login to Confluence once with the unix password, then the Confluence admins will merge the unix and Confluence identities.
- once all this happens, Confluence will use your unix account password for authentication; if it expires, it's the unix account password that needs changing; there is no longer a specific Confluence account/password.
- If your existing Confluence account name is longer than 8 characters (or if for some reason your unix account name did not match your Confluence one), you will need a different name. In that case, a new Confluence identity is created using your unix account name, added to DESC permissions, and your old account is deleted.
- Otherwise, you will need to login to Confluence once with the unix password, then the Confluence admins will merge the unix and Confluence identities.
- Once all this happens, Confluence will use your unix account password for authentication; if it expires, it's the unix account password that will need to be changed. There are no longer Confluence-specific accounts/passwords.

Procedure Details
=============================
Onboarding Steps
================

To obtain a SLAC SID number and SLAC account, you first need to become a SLAC User. Please follow the below steps and complete the registration form.
Please follow the steps below to complete the onboarding process.

New users are required to complete the SLUO registration form using this `form <https://it.slac.stanford.edu/identity/scientific-collaborative-researcher-registration>`__.
The link also points to documentation on the process.
1. SLUO Registration
""""""""""""""""""""
New users are required to register as a SLAC User via the **Enrollment** button at the bottom of the `SLAC Scientific Collaborative Research Registration <https://it.slac.stanford.edu/identity/scientific-collaborative-researcher-registration>`__ page. Also linked at that page are `step-by-step instructions for that process <https://it.slac.stanford.edu/support/KB0012289>`__.

Notes:
- Experiment: select Vera C. Rubin Observatory

Notes for Portal:
- **If your institution is missing, let Sierra Villarreal know, to get it added to the list**
- Emergency contact: your own personal contact - relative, friend.
- Group: select "FPD Technology & Operations"
- details of visit and project name: Using SLAC computing resources to collaborate on Rubin Operations. Seems optional to include your home institution.
- Funding source: choose your majority support source
- Time at SLAC: this is physically on site. For most people, this is <10%. Occasional visits for meetings don't count.
- Start date: choose today
- Answer "yes" to will you be performing work at SLAC
- SLAC Spokesperson/Sponsor/Supervisor: Select Sierra Villarreal (Antonia Villarreal on the Site Access Form).

1) When the user submits the onboarding request form, the form is
then sent to several approvers before a SLAC ID is granted.

If the user is a US citizen, the completed onboarding form is
first routed to the SLAC poc then to the SLAC HR team for SLAC
ID duplicate check and issue the SLAC ID number.

If the user is a non-US citizen, the completed onboarding form is first routed to the SLAC poc then to the VUE Center Coordinator and to the SLAC HR team for SLAC ID duplicate check and issue the SLAC ID number.

2) After the SLAC SID number is issued, the VUE Center Coordinator completes the user’s SLUO registration form and sends an email to the user with instructions of the next steps.

3) The SLAC POC submits a ticket to IT requesting a SLAC account
for the new user. Be sure to tell the POC your preferred account name (and second choice).

4) SLAC IT will send a url to the user to reset their initial
password

5) SLAC Cyber training must be done within 2 weeks to keep the
account enabled.


Troubleshooting Accounts
=============================
Notes for the SLAC User Registration form:

Check that you are a member of the rubin_users group:
- For SLAC Project, select "Vera C. Rubin Observatory".

id <your account>
2. Site Access Portal form
""""""""""""""""""""""""""
Once the your SLAC Point-of-Contact (POC), Sierra Villarreal, has approved your request, you will receive an email to fill out the SLAC Site Access form.

Accounts can get disabled a number of ways:
Notes for the Site Access form:

- If your institution is missing, let Sierra know, and she will have it added to the list.
- Emergency Contact: Your own personal contact, e.g., relative, friend.
- Group: Select "FPD Technology & Operations".
- Details of visit and project name: "Using SLAC computing resources to collaborate on Rubin Operations." (It seems to be optional to include your home institution.)
- Funding Source: Choose your majority support source.
- Time at SLAC: This is for being physically on site. For most people, this is <10%. Occasional visits for meetings don't count.
- Start date: Choose today.
- Will you be performing work at SLAC: "Yes".
- SLAC Spokesperson/Sponsor/Supervisor: Select Sierra Villarreal ("Antonia Villarreal" on the Site Access Portal form).

3. Username Request and S3DF Batch Repo Access
""""""""""""""""""""""""""""""""""""""""""""""

Once the Site Access form has been approved, another email will be sent out with your SLAC System ID (SID). Once the SID has been assigned, computing accounts can be made. At this point, email your POC, Sierra (sierrav@slac.stanford.edu), with your first and second choice usernames (these are limited to no more than 8 alphanumeric characters), and she will submit a ticket to IT with the account request. Once your account is activated, Sierra will email you a link to request S3DF batch repo access.

- Every 6 months password changes (change pw - `unix <https://unix-password.slac.stanford.edu/>`__)
- Every year Cyber training `(link <https://slactraining.skillport.com/skillportfe/login.action>`__)
- They can also be locked out if they've forgotten their password(s)
or put in too many attempts with the wrong password. (`ticket <https://slacprod.servicenowservices.com/gethelp.do>`__ to request a reset)
4. Cyber Training
"""""""""""""""""

The user is warned about all these events, but in case they've been ignored/forgotten, how to figure out which it is and how to fix it?
Cyber training comes up annually. You will need to use your Active Directory (aka Windows) account to log into the training website. Note that you will need to use your SLAC SID wherever a "username" is requested.

- The accounts `site <https://www-internal.slac.stanford.edu/comp/admin/bin/account-search.asp>`__ can tell us if the account is disabled
- if none disabled, then it's due to password expire

- The training `site <https://www-internal.slac.stanford.edu/esh-db/training/slaconly/bin/ETA_ReportAll.asp?opt=6>`__ can tell us if Cyber is expired. If it has:
The SLAC training website is https://slactraining.csod.com/ and the interim training password is "SLACtraining2005!". If it does not work, email slac-training via the link on that entry page and ask them to reset it. Then go back to the original link, enter your SID and this password, and do course CS100. DO NOT click on "Forgot Password?".

Cyber Training
==============
Note that if you have received an email saying that your training is coming due, the SLAC System ID (SID) is embedded in the url in the email as "sid=xxxxxx".

Cyber training comes up annually. If you have an Active Directory (aka Windows) account, just follow the instructions to login with that account.
If you still have problems, ask your SLAC POC for help.

There are issues with the training system at the moment if you only have a unix account, so here is (hopefully) temporary advice on how to navigate it (note that if you got an email saying your training is coming due, the SLAC ID (SID) is embedded in the url in the email - that is the xxxxxxx in the instructions below - if your account has not been disabled, you can ssh to centos7 and issue the command:
**SLAC cyber training must be done within 2 weeks to keep the account enabled.**

res list user <your unix account name>
**Final Notes:**

which will give your SID (along with your account status).
When the user submits the onboarding request form, the form is
sent to several approvers before a SLAC SID is granted.
If the user is a US citizen, the completed onboarding form is
routed to the SLAC POC, then to the SLAC HR team for a
duplicate SID check.
If the user is a non-US citizen, the completed onboarding form is routed to the SLAC POC, then to the VUE Center Coordinator, and then to the SLAC HR team for a duplicate SID check.

if none of that works, ask your SLAC Point of Contact):

You need to go to the url below; DO NOT click on forgot password. Give it your system id (SID) number.
Troubleshooting Accounts
========================

From an S3DF node, check that you are a member of the ``rubin_users`` group::

$ id <your username>

Contact your SLAC POC to request access to that group.

Accounts can get disabled a number of ways:

- Out-of-date password (`unix password reset <https://unix-password.slac.stanford.edu/>`__).
- Out-of-date cyber training (`training link <https://slactraining.skillport.com/skillportfe/login.action>`__)
- Accounts can also be locked out if too many attempts with the wrong password are made. (File a `Service Now ticket <https://slacprod.servicenowservices.com/gethelp.do>`__ to request a reset.)

Note: the interim training password is "SLACtraining2005!". If it does not work, email slac-training, asking them to reset it. Then go back to the original link, enter SID and this password. Then do CS100.
Users are warned via several emails about these events, but in case those emails have been ignored/forgotten, the following resources can be used to find any issues:

https://slactraining.csod.com/
- The `accounts site <https://www-internal.slac.stanford.edu/comp/admin/bin/account-search.asp>`__ can tell us if the account is disabled. If it's not disabled, then the password has expired.
- The `training site <https://www-internal.slac.stanford.edu/esh-db/training/slaconly/bin/ETA_ReportAll.asp?opt=6>`__ can tell us if cyber training has expired.

Basically, always use the SID where "user name" is requested.
Currently, both of these sites are only available within the SLAC internal network.
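
Review bot: The new "4. Cyber Training" text keeps a shared interim password in cleartext ("the interim training password is "SLACtraining2005!""), carried over from the old "Note: the interim training password is ..." line, so anyone who can read this file or its rendered page has it. The same section says the SID is used wherever a "username" is requested and that the SID appears in emailed URLs as "sid=xxxxxx", which leaves that shared string as the only secret on the training login. Suggest dropping the literal from the docs and telling users to get or reset the interim password through slac-training or their SLAC POC. Two smaller points in the same hunk: step 4 names https://slactraining.csod.com/ as the training site while the Troubleshooting list still links "training link" to slactraining.skillport.com, so one of the two is probably stale; and step 2 reads "Once the your SLAC Point-of-Contact (POC)", which should be "Once your".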
