3. Trust Group Administration

Attention

When the Trident portal is installed and configured with the DIMS Ansible playbooks v 2.14.0, some of the trust group configuration settings are set by the roles trident-core and trident-configure. As described in Section Backup Directories and Files, configuration changes made through the tcli command line interface or the Trident portal web interface are independent of the variables in the Ansible inventory used to bootstrap the portal. Any change made interactively will therefore be reverted to what the inventory says the next time the trident-configure role is applied. A change that is meant to persist must also be made in the inventory.

3.1. Trust Group Administrators

There may be more than one administrator in each trust group, depending on its size and activity level. The larger the group, the more likely you will want more than one administrator, so that several people are keeping an eye on the portal and handling trust group policy issues, and so that someone is always available to keep the portal running in an emergency.

Trust group administrators work with the site administrators to ensure trust policy settings match the desired policy of the organization, including things like branding, icons, domain names, etc.

While this document refers to Ansible inventory settings, including excerpts from the inventory file showing variable names, it does not cover the system administration aspects of installing, updating, or patching the operating system underneath the portal. It assumes that installation and configuration management of the server(s) providing the Trident web and command line interfaces, the Postgres database back end, and the Postfix email service were done as described in the DIMS Ansible playbooks v 2.14.0 document. Refer to that document for operating system level instructions.

3.2. TG Admin Responsibilities

TG admins should familiarize themselves with the history of trust groups and the political issues that can arise when leading them, as discussed in Chapter Trust Groups and Trident. Other things that TG admins should do include:

  • Ensuring new TG members are aware of their responsibilities regarding vetting, vouching, and handling sensitive information. This includes adjudicating potential breaches of trust, such as publication or public release of information shared in the trust group.
  • Working with site administrators to establish and understand disaster recovery procedures for hardware failures, emergency response procedures for system outages during critical events, procedures for account revocation or temporary disablement when an account is suspected of compromise, and other continuity of operations issues.
  • Ensuring accuracy of meeting schedules, availability of dial-in or online meeting systems for group teleconferences, and other administrivia.
  • Handling password recovery and related account maintenance tasks for trust group members.

Most of these tasks can and should be addressed with content placed in the trust group wiki, where trust group members can refer to it whenever they need. This also puts the content behind the authenticated front end of the portal, so nothing needs to be shared in clear text email beyond a URL pointing at the wiki page (as long as the path and file name do not themselves expose sensitive information) or a general reference such as “see the TG wiki for more information.” Figure Main TG wiki page shows what that might look like. (Editing this page is covered in Section Using the Wiki.)

Figure: Main TG wiki page

3.3. Setting Trust Group Policies

There is a group of policy settings that can be applied to each trust group. They are found on the Settings page of the Group menu, as seen in Figure Main TG Settings.

Figure: Main TG Settings

The following subset of variables from the inventory/trident/nodes.yml YAML inventory file shows the settings supported by ansible-dims-playbooks. The setting names are the same ones you would use on tcli command lines (tcli is the Trident Command Line Interface).

trident_site_trust_groups:
  - name: 'main'
    settings:
      descr: 'Main TG'
      pgp_required: 'no'
      has_wiki: 'yes'
      has_file: 'yes'
      has_calendar: 'yes'
      please_vouch: 'yes'
      vouch_adminonly: 'no'
      min_invouch: 0
      min_outvouch: 0
      target_invouch: 0
      max_inactivity: '4320:00:00'
      can_time_out: 'no'
      max_vouchdays: 0
      idle_guard: '168:00:00'
      nom_enabled: 'yes'

These settings are described by pop-ups in the Settings panel, or can be seen by using the CLI option to run tcli commands through the portal GUI. To do this, your account must be an admin account, and you must toggle UserMode to SysAdmin (or run system swapadmin) before issuing system set, which then shows help for each setting as in Figure CLI system set (part 1) and Figure CLI system set (part 2).

Figure: CLI ``system set`` (part 1)

Figure: CLI ``system set`` (part 2)

Use system get to read the current settings and system set to change them. Remember that values changed this way are independent of the Ansible inventory: the next run of the trident-configure role will reset them to the inventory values, as noted in the Attention at the start of this chapter.
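The settings in that inventory fragment are what trident-configure will enforce, so a quick way to see what an interactive change would cost you is to diff the live values against the inventory. The script below is an added example written for this page, not code from the Trident project or from ansible-dims-playbooks. Both dictionaries in it are constructed: the first copies the fragment above, the second stands in for what system get would report after an administrator changed some values through the GUI or tcli. It assumes the HHH:MM:SS duration strings are hours:minutes:seconds and that yes/no values compare case-insensitively.

```python
"""Added example (not Trident or ansible-dims-playbooks code): report trust
group settings whose live value differs from the Ansible inventory, i.e. the
settings the next trident-configure run would revert."""
from datetime import timedelta

# Constructed copy of the inventory fragment above, as trident-configure would apply it.
INVENTORY_SETTINGS = {
    "descr": "Main TG",
    "pgp_required": "no",
    "has_wiki": "yes",
    "has_file": "yes",
    "has_calendar": "yes",
    "please_vouch": "yes",
    "vouch_adminonly": "no",
    "min_invouch": 0,
    "min_outvouch": 0,
    "target_invouch": 0,
    "max_inactivity": "4320:00:00",
    "can_time_out": "no",
    "max_vouchdays": 0,
    "idle_guard": "168:00:00",
    "nom_enabled": "yes",
}

# Constructed: the same group after an administrator tightened three settings
# interactively (PGP required, two in-vouches needed, 90-day inactivity limit).
LIVE_SETTINGS = dict(INVENTORY_SETTINGS)
LIVE_SETTINGS.update({
    "has_wiki": "Yes",            # only a case difference: not real drift
    "pgp_required": "yes",
    "min_invouch": 2,
    "max_inactivity": "2160:00:00",
})

DURATION_KEYS = {"max_inactivity", "idle_guard"}


def parse_duration(text: str) -> timedelta:
    """Read the 'HHH:MM:SS' strings as hours:minutes:seconds (an assumption
    about the format; 4320:00:00 is then 180 days)."""
    hours, minutes, seconds = (int(part) for part in text.split(":"))
    return timedelta(hours=hours, minutes=minutes, seconds=seconds)


def normalize(key, value):
    """Bring a setting into a canonical form so only meaningful differences count."""
    if key in DURATION_KEYS:
        return parse_duration(str(value))
    if isinstance(value, str):
        lowered = value.strip().lower()
        if lowered in ("yes", "no"):
            return lowered == "yes"
        return value.strip()
    return value


def find_drift(inventory, live):
    """Return (setting, inventory value, live value) for every setting whose
    live value differs from the inventory, sorted by setting name.  A setting
    present on only one side is reported with None for the missing side."""
    drift = []
    for key in sorted(set(inventory) | set(live)):
        inv_value, live_value = inventory.get(key), live.get(key)
        if key not in inventory or key not in live:
            drift.append((key, inv_value, live_value))
        elif normalize(key, inv_value) != normalize(key, live_value):
            drift.append((key, inv_value, live_value))
    return drift


if __name__ == "__main__":
    for key, inv_value, live_value in find_drift(INVENTORY_SETTINGS, LIVE_SETTINGS):
        print(f"{key}: live={live_value!r} will revert to inventory={inv_value!r}")
```

Run against real data, the live dictionary would be filled from the portal's current settings and the inventory one from nodes.yml; anything the script reports is a change that was never carried into the inventory and will be lost on the next playbook run.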

3.4. Resetting Passwords

A user’s password can be reset directly, by explicitly setting it to a new value immediately, or indirectly, by triggering an email exchange that the user completes independently of the system administrator.

You can reset the password or trigger a password recovery operation using the tcli command line interface, or the graphical user interface. The use of tcli is shown here.

  1. Log into trident using the administrator account (here named trident):

    $ tcli system login trident THETRIDENTADMINPASSWORD
    Login successful

    Attention

    A password given as a command line argument is recorded in the shell history and is briefly visible to other local users in the process list. Run these commands on a host you control and remove the entry from your shell history afterwards; the same applies to the NEWPASSWORD arguments in step 3.
    
  2. Enable system administrator mode.

    $ tcli system swapadmin
    Now a SysAdmin user
    
  3. To directly reset the user’s password, use the set option as illustrated by the following command:

    $ tcli user password set portal davedittrich NEWPASSWORD NEWPASSWORD
    

    Note

    The word portal in this command specifies the type of password being set. In this case, it is the user’s portal account.

    Attention

    If password rules are being enforced by the portal, the string you provide when directly setting the new password must conform with the minimum standards as set in System / Settings.

  4. To indirectly reset the password, use the reset option. Give the account name of the user whose password needs to be reset (in this example, davedittrich) and the account name of the person who originally nominated that user (in this example, trident):

    $ tcli user password reset davedittrich trident
    Recovery passwords sent to the user and trident
    
  5. The user (davedittrich) will receive an email that looks like this:

    From: Trident Portal <bounce@trident.example.com>
    Subject: [Trident Portal] Password Reset (User Portion)
    To: Dave Dittrich <dave.dittrich@gmail.com>
    
    Dear Dave Dittrich,
    
    A password reset request was made.
    
    We are therefor sending you two token portions.
    The user portion is in this email, the other portion
    has been sent to your nominator who will forward it in
    a secure method towards you.
    
    Your nominator is:
     Trident Administrator <dittrich@u.washington.edu>
    
    When both parts have been received by you, please proceed to:
      https://trident.example.com/recover/
    and enter the following password in the User Portion:
      3zXhvsJ1LRkH-27d
    
    If you do not perform this reset the request will be canceled.
    
    Regards,
      Trident Administrator for Trident Portal
    
    --
    Trident Portal -- https://trident.example.com
    
  6. The nominator (trident) will receive an email that looks like this:

    From: Trident Portal <bounce@trident.example.com>
    Subject: [Trident Portal] Password Reset (Nominator Portion)
    To: Trident Administrator <dittrich@u.washington.edu>
    
    Dear Trident Administrator,
    
    A password reset request was made for:
     Dave Dittrich <dave.dittrich@gmail.com>
    
    As you are a nominator of this person, you are receiving
    the second portion of this email.
    
    Please securely inform Dave Dittrich
    of the following Nominator Portion of the password reset:
      p5Am9Agk8H09M6s0
    
    Regards,
      Trident Administrator for Trident Portal
    
    --
    Trident Portal -- https://trident.example.com
    

    The nominator should now follow the instructions and securely communicate the nominator portion of the recovery key to the user, such as over a telephone call, through encrypted email, etc.

    Note

    Since the recovery key is split into two parts delivered to different people, an adversary who has compromised the user’s mailbox still lacks the nominator portion, which travels by a separate channel chosen by the nominator. Obtaining both parts without the user becoming aware is therefore difficult, though not entirely impossible, depending on the situation.

  7. Once the user has both portions of the recovery key, they follow the link in their copy of the email and enter their username, both portions of the recovery key, and a new password (entered twice to confirm it), then press the button to reset the password. After this, they will receive a confirmation email that the password has been reset.

    From: Trident Portal <bounce@trident.example.com>
    Subject: [Trident Portal] Password changed
    To: Dave Dittrich <dave.dittrich@gmail.com>
    
    Dear Dave Dittrich,
    
    Somebody (probably you) has changed the password associated to your account:
      dave.dittrich@gmail.com
    
    If you did not change your password, please reply to the administrator at:
       Trident Administrator <dittrich@u.washington.edu>
    and we will try to figure out what went wrong.
    
    Regards,
      Trident Administrator for Trident Portal
    
    --
    Trident Portal -- https://trident.example.com
    

    Attention

    Users should be told that if they ever receive an email notification that their password has been changed and they did not participate, they should immediately use another email account or communication mechanism (such as a phone call) to inform the system administrators about the suspicious activity!
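To make the security properties of the two-portion recovery concrete, here is an added example model of steps 4 to 7 above, written for this page; it is not Trident’s code and does not show how the portal actually implements recovery. The token format, the 24-hour lifetime, the three-attempt limit and the 12-character password rule are assumptions for the example, and the “emails” are constructed in-memory tuples rather than real mail.

```python
"""Added example, not Trident's code: a minimal model of the split-token
password recovery described in steps 4 to 7, written so the security
properties are explicit.  Lifetime, attempt limit, token format and the
password rule are assumptions for this example, not portal settings."""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

TOKEN_TTL = timedelta(hours=24)    # assumption: an unused request is cancelled after a day
MAX_ATTEMPTS = 3                   # assumption: three wrong submissions cancel the request
MIN_PASSWORD_LEN = 12              # assumption standing in for the portal's password rules

# Fixed clock values so the flow is reproducible.
START = datetime(2024, 1, 1, tzinfo=timezone.utc)
LATER = START + TOKEN_TTL + timedelta(hours=1)


def _digest(portion: str) -> bytes:
    """Store only a hash of each portion: reading the pending table alone
    must not yield a usable recovery token."""
    return hashlib.sha256(portion.encode()).digest()


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class RecoveryService:
    def __init__(self):
        self._pending = {}     # username -> pending request record
        self._passwords = {}   # username -> (salt, password hash)
        self.outbox = []       # constructed "emails": (recipient, subject, portion)

    def request_reset(self, username, user_email, nominator_email, now):
        """Step 4: mint two independent random portions; one goes to the user,
        the other to the nominator, who relays it out of band."""
        user_portion = secrets.token_urlsafe(12)
        nominator_portion = secrets.token_urlsafe(12)
        self._pending[username] = {
            "user": _digest(user_portion),
            "nominator": _digest(nominator_portion),
            "expires": now + TOKEN_TTL,
            "attempts": 0,
        }
        self.outbox.append((user_email, "Password Reset (User Portion)", user_portion))
        self.outbox.append((nominator_email, "Password Reset (Nominator Portion)", nominator_portion))

    def cancel(self, username):
        self._pending.pop(username, None)

    def recover(self, username, user_portion, nominator_portion, new_password, now):
        """Step 7: the user submits both portions and a new password."""
        rec = self._pending.get(username)
        if rec is None:
            return "no-request"
        if now > rec["expires"]:
            self.cancel(username)
            return "expired"
        # Both comparisons run in constant time and are always evaluated, so
        # response timing does not reveal which portion was wrong.
        ok_user = hmac.compare_digest(rec["user"], _digest(user_portion))
        ok_nominator = hmac.compare_digest(rec["nominator"], _digest(nominator_portion))
        if not (ok_user & ok_nominator):
            rec["attempts"] += 1
            if rec["attempts"] >= MAX_ATTEMPTS:
                self.cancel(username)
            return "bad-token"
        if len(new_password) < MIN_PASSWORD_LEN:
            return "weak-password"     # the portal's password rules still apply here
        salt = secrets.token_bytes(16)
        self._passwords[username] = (salt, _hash_password(new_password, salt))
        self.cancel(username)          # single use: replaying the portions fails
        return "ok"

    def check_password(self, username, password):
        entry = self._passwords.get(username)
        if entry is None:
            return False
        salt, stored = entry
        return hmac.compare_digest(stored, _hash_password(password, salt))


def run_demo():
    """Walk the flow once and return the outcome of each attempt."""
    svc = RecoveryService()
    svc.request_reset("davedittrich", "user@example.com", "nominator@example.com", START)
    user_portion = svc.outbox[0][2]          # read from the "email" to the user
    nominator_portion = svc.outbox[1][2]     # relayed to the user by the nominator
    return {
        "user_only": svc.recover("davedittrich", user_portion, "guess", "correct horse battery", START),
        "nominator_only": svc.recover("davedittrich", "guess", nominator_portion, "correct horse battery", START),
        "weak": svc.recover("davedittrich", user_portion, nominator_portion, "short", START),
        "success": svc.recover("davedittrich", user_portion, nominator_portion, "correct horse battery", START),
        "login": svc.check_password("davedittrich", "correct horse battery"),
        "replay": svc.recover("davedittrich", user_portion, nominator_portion, "correct horse battery", START),
    }


if __name__ == "__main__":
    for step, outcome in run_demo().items():
        print(f"{step}: {outcome}")
```

The points worth carrying over from this model: each portion is stored only as a hash; one correct portion on its own yields nothing; both comparisons are constant time and always evaluated, so timing does not tell an attacker which half was wrong; a request is single use, expires, and is cancelled after repeated bad submissions; and the password rules are checked before anything is changed.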