@ -36,6 +36,16 @@ th {
}
.strike {
color : blue;
font-weight: bold;
text-decoration:line-through;
}
.change2 {
color : #151B8D;
font-weight: bold;
}
.strike2 {
color : #151B8D;
font-weight: bold;
text-decoration:line-through;
}
a:hover {
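Review bot: .strike2 repeats .strike except for the colour (blue versus #151B8D), and both are bold blues, so the two rounds of changes are hard to tell apart in the rendered page. Since the change log relies on "a different blue" to flag the late compromise, pick a clearly distinct hue or add a background for .change2 and .strike2.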
@ -48,6 +58,7 @@ a:hover {
< body lang = "en-GB" >
< ul class = "change" >
< li class = "change2" > 20100530: Package of changes to drop the Application Engineer and place those responsibilities back with the Sysadm team. Exception added to permit t/l to bring in a Software Assessor under controlled basis. Because this change is non-trivial, and a compromise in late voting stage, it is marked in a different blue.< / li >
< li > 20100525: Two detail changes from Tom Trnka.< / li >
< li > 20100513: With some consensus from policy group, changed the text in 2.2.1.1 to transfer the detailed handling of pre-purchase risks to SM.< / li >
< li > 20100512: Some clarifying tweaks to semantics supplied by Philipp G, added Arb as a role in 9.1.1. but not as critical role. < / li >
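Review bot: the 20100530 entry does not name the sections it touches, whereas the 20100513 and 20100512 entries cite 2.2.1.1 and 9.1.1. List the affected sections so voters can find the compromise text, and spell out "t/l" as "Systems Administration team leader", which is the wording the new text in 4.1.1.1 uses.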
@ -112,13 +123,14 @@ These roles are defined as:
< / p >
< ul > < li >
Access Engineers
Access Engineer
< / li > < li >
Systems Administrators
Systems Administrator
< / li > < li >
Support Engineers
Support Engineer
< / li > < li >
Software Assessors (including Application Engineers)
Software Assessor
< span class = "strike2" > (including Application Engineers)< / span >
< / li > < / ul >
< h4 id = "s1.1.2" > 1.1.2. Out of Scope < / h4 >
@ -172,12 +184,12 @@ deriving from the above principles.
See § 1.1.
< / dd >
< dt > < i > Application Engineer< / i > < / dt >
< dt > < i > < span class = "strike2" > Application Engineer< / i > < / span > < / dt >
< dd >
A Member who manages the critical application,
< span class = "strike2" > A Member who manages the critical application,
including installing them on the critical system,
final testing, emergency patching, and ad hoc scripting.
See § 7.2.
See § 7.2.< / span >
< / dd >
< dt > < i > Software Assessor< / i > < / dt >
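Review bot: the new dt line opens the strike2 span inside the i element but closes it after the closing i tag, so the two elements are misnested. Close the span before the i element closes, or wrap the whole i element in the span. The dd below nests its strike2 span correctly.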
@ -388,7 +400,7 @@ one Systems Administrator present.
< p >
There is no inherent authorisation to access the data.
Systems Administrators
< span class = " change ">
< span class = " strike2 ">
and Application Engineers
< / span >
are authorised to access
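Review bot: with "and Application Engineers" struck, this paragraph authorises only Systems Administrators, but the new text in 4.1.1.1 lets the team leader admit Software Assessors over SSH for debugging. State here whether that temporary access carries any authorisation to access the data, or explicitly none, so the two sections do not leave the question open.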
@ -544,12 +556,17 @@ independent of filed disputes.
< h3 id = "s3.3" > 3.3. Application < / h3 >
< p >
< p class = "strike2" >
Systems administration is to provide a limited environment
to Applications Engineers in order to install and maintain
the application.
< / p >
< p class = "change2" >
Requests for ad hoc queries over the application database for business
or similar purposes must be approved by the Arbitrator.
< / p >
< h3 id = "s3.4" > 3.4. Access control < / h3 >
< p >
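Review bot: the new paragraph in 3.3 no longer says who carries out an approved ad hoc query. The text it replaces in 7.6 addressed "Requests to Application Engineers"; with that role dropped, name the role that runs the query (presumably Systems Administrators, given the change log) so that Arbitrator approval attaches to an accountable party.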
@ -595,21 +612,21 @@ authorisations on the below access control lists
< td > < span class = "change" > Systems Administration team leader< / span > < span class = "strike" > Board of CAcert (or designee)< / span > < / td >
< / tr > < tr >
< td > SSH Access List< / td >
< td > Systems Administrators < span class = " change "> and Application Engineers < / span > < / td >
< td > Systems Administrators < span class = " strike2 "> and Application Engineers < / span > < / td >
< td > Unix / account / shell level< / td >
< td > includes by default all on Physical Access List < / td >
< td > Systems Administration team leader< / td >
< / tr > < tr >
< td > Repository Access List< / td >
< td > Application Engineers< / td >
< td > change the source code repository and install patches to application< / td >
< td > < span class = "change2" > Software Assessors< / span > < span class = "strike2" > Application Engineers< / span > < / td >
< td > change the source code repository < span class = "strike2" > and install patches to application< / span > < / td >
< td > exclusive with Access Engineers and Systems Administrators< / td >
< td > software assessment team leader< / td >
< / tr > < tr >
< td > Support Access List< / td >
< td > Support Engineer< / td >
< td > support features in the web application< / td >
< td > < span class = "change" > exclusive with Access Engineers and Systems Administrators; < / span > includes by default all < span class = " change"> Application Engineers< / span > < span class = "strike" > Systems Administrators < / span > < / td >
< td > < span class = "change" > exclusive with Access Engineers and Systems Administrators< / span > < span class = " strike2"> includes by default all Application Engineers Systems Administrators < / span > < / td >
< td > < span class = "strike" > Systems Administration< / span > < span class = "change" > Support< / span > team leader< / td >
< / tr > < / table >
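Review bot: the SSH Access List row now lists only Systems Administrators, and the Repository Access List row keeps "exclusive with Access Engineers and Systems Administrators", yet 4.1.1.1 allows Software Assessors temporary SSH access. Say in the SSH row whether such temporary access is recorded on the list or handled outside it; otherwise the exclusivity rule and the exception read as contradictory. Separately, the struck span in the Support Access List row runs "Application Engineers" and "Systems Administrators" together, losing the earlier change/strike distinction shown in the line it replaces.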
@ -659,17 +676,26 @@ must be strictly controlled.
Passphrases and SSH private keys used for entering into the systems
will be kept private
to CAcert sysadmins
and Application Engineers
< span class = "strike2" > and Application Engineers< / span >
in all cases.
< / p >
< h5 id = "s4.1.1.1" > 4.1.1.1. Authorized users < / h5 >
< p >
Only System Administrators
and Application Engineers
< span class = "strike2" > and Application Engineers< / span >
designated on the Access Lists
in § 3.4.2 are authorized to access accounts,
unless specifically directed by the Arbitrator.
in § 3.4.2 are authorized to access accounts.
< span class = "change2" >
System Administration team leader may temporarily permit Software
Assessors access to the application via SSH in order to do advanced
debugging, or as
< / span >
< span class = "strike2" > Other< / span >
specifically directed by the Arbitrator.
< / p >
< p >
< / p >
< h5 id = "s4.1.1.2" > 4.1.1.2. Access to Systems< / h5 >
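Review bot: the exception in 4.1.1.1 says the team leader "may temporarily permit" Software Assessor access but sets no limit on duration, no requirement to record the grant, and no supervision by a Systems Administrator, although the change log describes it as "under controlled basis". Add the controls to the text, for example a stated time bound and a logged decision reported alongside the access lists in § 3.4.2. The empty p element left at the end of the hunk can also be removed.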
@ -951,10 +977,11 @@ Software assessment is not primarily tasked to write the code.
In principle, anyone can submit code changes for approval.
< / p >
< p >
< p class = "q" > Moved to SM 3.3 < / p >
< p class = "strike2" >
The primary tasks for Application Engineers are:
< / p >
< ol > < li >
< ol class = "strike2" > < li >
Installing signed-off patches,
< / li > < li >
Verifying correct running,
@ -1032,7 +1059,8 @@ any Member that requests it.
< h3 id = "s7.6" > 7.6. < span class = "strike" > Handover< / span > < span class = "change" > Production< / span > < / h3 >
< p class = "change" >
< p class = "q" > Blank, now refer to SM 7.6 < / p >
< p class = "strike2" >
The Application Engineer is a role within Software Assessment
team that is approved to install into production the
patches that are signed off.
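Review bot: replacing the body of 7.6 with the note "Blank, now refer to SM 7.6" leaves this document with no statement of who is approved to install signed-off patches into production. That is a control statement rather than procedure, so keep one normative sentence here naming the role and let the SM carry the detail. The class "q" note also reads as an editor's remark and should be reworded as a proper cross-reference before the final version.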
@ -1048,11 +1076,13 @@ which then must be back-installed into the repositories.
< / span >
< / p >
< p class = "change" >
< p class = "q" > this below moved to § 3.3 < / p >
< p class = "strike2" >
Requests to Application Engineers for ad hoc queries over the database for business or similar purposes must be approved by the Arbitrator.
< / p >
< p >
< p class = "strike2" >
See § 3.3.
< / p >
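Review bot: "See § 3.3." is struck together with the paragraph that moved there, so 7.6 ends with no live pointer to the ad hoc query rule. Keep the cross-reference unstruck, since § 3.3 is now the only place the Arbitrator approval requirement appears.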
@ -1145,9 +1175,9 @@ or Case Managers.
< ul >
< li > Access Engineer: responsible for controlling access to hardware, and maintaining hardware. < / li >
< li > System a dministrator: responsible for maintaining core services and integrity. < / li >
< li > System A dministrator: responsible for maintaining core services and integrity. < / li >
< li > Software Assessor: maintain the code base and confirm security ("sign-off") of patches and releases.< / li >
< li > Application Engineer: install application updates and confirm basic working.< / li >
< li class = "strike2" > Application Engineer: install application updates and confirm basic working.< / li >
< li > Support Engineer: human interface with users.< / li >
< li > Team leaders: coordinate with teams, report to Board.< / li >
< li > All: respond to Arbitrator's rulings on changes. Respond to critical security issues. Observe.< / li >
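Review bot: the Application Engineer item is struck, but "install application updates and confirm basic working" is not added to any remaining role, while the change log says those responsibilities go back to the Sysadm team. Extend the System Administrator item to cover them. The corrected line also still reads "System A dministrator" with a stray space, and the role is spelled "Systems Administrator" in the list in 1.1.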