As an admin, I need to understand how a new STT user will be validated #210

Closed
2 of 3 tasks
shubhi-raft opened this issue Sep 2, 2020 · 2 comments

shubhi-raft commented Sep 2, 2020

Description:
A new user that is a representative of an STT cannot be solely verified via a new user's email domain. In the proposed approach, the onus is on the STT admin to validate new users; however, there may be security concerns around how PII is handled, what is acceptable, and who has access to this information. This issue will document our approach to validating new STT users, assumptions, and any OCIO governance or security controls that need to be accounted for.

AC:

  • Document approach (e.g., artifact for get an input for notional validation process) to validate a new STT user including assumptions that shall be tested in Round 3 and/or future rounds of research

Tasks:

  • Schedule meeting(s) with OCIO, O&M, OFA, 18F, etc., to discuss the current process and future approach
  • Document the meeting notes and update the proposed approach and assumptions, if necessary

Note:

  • This issue is dependent on schedule availability of OCIO, OFA, O&M, and 18F and may be pushed into next sprint if schedules don't align or if more than one meeting is needed.
  • Shubhi will work with Lauren to create a draft list of attendees that can represent OCIO, O&M, and other OCIO divisions.

Open Questions:

  • What do we need to know for MVP?
    -- Documented in updated roadmap presentation.
  • How might we differentiate between verifying a STT user vs a STT admin?
    -- For OFA MVP, STT admin will be a regional specialist
  • How do we ensure assumptions we are making for STT admins are correct?
    -- Discussing with regional specialists
  • What phase of research do we want to talk to STTs about this? Could be part of the conversation guide for Round 3.
    -- Since round 3 does not include any discussions with regional specialists, this will be a separate discussion. As Regional Staff, I want to approve access a new STT user #322

Answers to OQ:

  • What do we need to know for MVP?
  • How might we differentiate between verifying a STT user vs a STT admin?
  • How do we ensure assumptions we are making for STT admins are correct?
  • What phase of research do we want to talk to STTs about this? Could be part of the conversation guide for Round 3.

Deliverable(s):

@shubhi-raft shubhi-raft self-assigned this Sep 6, 2020
@shubhi-raft shubhi-raft changed the title As an admin, I need to understand security issues around validating a new user As an admin, I need to understand how a new STT user will be validated Sep 30, 2020
@shubhi-raft shubhi-raft added this to the Sprint 5 milestone Sep 30, 2020
lfrohlich commented Oct 7, 2020

Penyin will send access management documentation for the current TDRS and the latest access management policy.
Section 2 of SSP.
Controls related to access as part of first epic.

@lfrohlich

This was done as part of Sprint 5 #63

riatzukiza pushed a commit that referenced this issue Jul 22, 2022