@ -36,6 +36,16 @@ th {
}
}
.strike {
.strike {
color : blue;
color : blue;
font-weight: bold;
text-decoration:line-through;
}
.change2 {
color : #151B8D;
font-weight: bold;
}
.strike2 {
color : #151B8D;
font-weight: bold;
text-decoration:line-through;
text-decoration:line-through;
}
}
a:hover {
a:hover {
@ -48,6 +58,7 @@ a:hover {
< body lang = "en-GB" > < body lang = "en-GB" >
< ul class = "change" > < ul class = "change" >
< li class = "change2" > 20100530: Package of changes to drop the Application Engineer and place those responsibilities back with the Sysadm team. Exception added to permit t/l to bring in a Software Assessor under controlled basis. Because this change is non-trivial, and a compromise in late voting stage, it is marked in a different blue.< / li >
< li > 20100525: Two detail changes from Tom Trnka.< / li > < li > 20100525: Two detail changes from Tom Trnka.< / li >
< li > 20100513: With some consensus from policy group, changed the text in 2.2.1.1 to transfer the detailed handling of pre-purchase risks to SM.< / li > < li > 20100513: With some consensus from policy group, changed the text in 2.2.1.1 to transfer the detailed handling of pre-purchase risks to SM.< / li >
< li > 20100512: Some clarifying tweaks to semantics supplied by Philipp G, added Arb as a role in 9.1.1. but not as critical role. < / li > < li > 20100512: Some clarifying tweaks to semantics supplied by Philipp G, added Arb as a role in 9.1.1. but not as critical role. < / li >
@ -112,13 +123,14 @@ These roles are defined as:
< / p > < / p >
< ul > < li > < ul > < li >
Access Engineers
Access Engineer
< / li > < li >
< / li > < li >
Systems Administrators
Systems Administrator
< / li > < li >
< / li > < li >
Support Engineers
Support Engineer
< / li > < li >
< / li > < li >
Software Assessors (including Application Engineers)
Software Assessor
< span class = "strike2" > (including Application Engineers)< / span >
< / li > < / ul > < / li > < / ul >
< h4 id = "s1.1.2" > 1.1.2. Out of Scope < / h4 > < h4 id = "s1.1.2" > 1.1.2. Out of Scope < / h4 >
@ -172,12 +184,12 @@ deriving from the above principles.
See § 1.1.
See § 1.1.
< / dd > < / dd >
< dt > < i > Application Engineer< / i > < / dt > < dt > < i > < span class = "strike2" > < / i > < / span > < / dt >
< dd > < dd >
A Member who manages the critical application,
< span class = "strike2" >
including installing them on the critical system,
including installing them on the critical system,
final testing, emergency patching, and ad hoc scripting.
final testing, emergency patching, and ad hoc scripting.
See § 7.2.
See § 7.2.< / span >
< / dd > < / dd >
< dt > < i > Software Assessor< / i > < / dt > < dt > < i > Software Assessor< / i > < / dt >
@ -388,7 +400,7 @@ one Systems Administrator present.
< p > < p >
There is no inherent authorisation to access the data.
There is no inherent authorisation to access the data.
Systems Administrators
Systems Administrators
< span class = " change "> < span class = " strike2 ">
and Application Engineers
and Application Engineers
< / span > < / span >
are authorised to access
are authorised to access
@ -544,12 +556,17 @@ independent of filed disputes.
< h3 id = "s3.3" > 3.3. Application < / h3 > < h3 id = "s3.3" > 3.3. Application < / h3 >
< p > < p class = "strike2" >
Systems administration is to provide a limited environment
Systems administration is to provide a limited environment
to Applications Engineers in order to install and maintain
to Applications Engineers in order to install and maintain
the application.
the application.
< / p > < / p >
< p class = "change2" >
Requests for ad hoc queries over the application database for business
or similar purposes must be approved by the Arbitrator.
< / p >
< h3 id = "s3.4" > 3.4. Access control < / h3 > < h3 id = "s3.4" > 3.4. Access control < / h3 >
< p > < p >
@ -595,21 +612,21 @@ authorisations on the below access control lists
< td > < span class = "change" > Systems Administration team leader< / span > < span class = "strike" > Board of CAcert (or designee)< / span > < / td >
< td > < span class = "change" > Systems Administration team leader< / span > < span class = "strike" > Board of CAcert (or designee)< / span > < / td >
< / tr > < tr >
< / tr > < tr >
< td > SSH Access List< / td >
< td > SSH Access List< / td >
< td > Systems Administrators < span class = " change "> and Application Engineers < / span > < / td >
< td > Systems Administrators < span class = " strike2 "> and Application Engineers < / span > < / td >
< td > Unix / account / shell level< / td >
< td > Unix / account / shell level< / td >
< td > includes by default all on Physical Access List < / td >
< td > includes by default all on Physical Access List < / td >
< td > Systems Administration team leader< / td >
< td > Systems Administration team leader< / td >
< / tr > < tr >
< / tr > < tr >
< td > Repository Access List< / td >
< td > Repository Access List< / td >
< td > Application Engineers< / td >
< td > < span class = "change2" > Software Assessors< / span > < span class = "strike2" > < / span > < / td >
< td > change the source code repository and install patches to application< / td >
< td > change the source code repository < span class = "strike2" > < / span > < / td >
< td > exclusive with Access Engineers and Systems Administrators< / td >
< td > exclusive with Access Engineers and Systems Administrators< / td >
< td > software assessment team leader< / td >
< td > software assessment team leader< / td >
< / tr > < tr >
< / tr > < tr >
< td > Support Access List< / td >
< td > Support Access List< / td >
< td > Support Engineer< / td >
< td > Support Engineer< / td >
< td > support features in the web application< / td >
< td > support features in the web application< / td >
< td > < span class = "change" > exclusive with Access Engineers and Systems Administrators; < / span > includes by default all < span class = " change"> Application Engineers< / span > < span class = "strike" > Systems Administrators < / span > < / td >
< td > < span class = "change" > exclusive with Access Engineers and Systems Administrators< / span > < span class = " strike2"> includes by default all Application Engineers Systems Administrators < / span > < / td >
< td > < span class = "strike" > Systems Administration< / span > < span class = "change" > Support< / span > team leader< / td >
< td > < span class = "strike" > Systems Administration< / span > < span class = "change" > Support< / span > team leader< / td >
< / tr > < / table > < / tr > < / table >
@ -659,17 +676,26 @@ must be strictly controlled.
Passphrases and SSH private keys used for entering into the systems
Passphrases and SSH private keys used for entering into the systems
will be kept private
will be kept private
to CAcert sysadmins
to CAcert sysadmins
and Application Engineers
< span class = "strike2" > < / span >
in all cases.
in all cases.
< / p > < / p >
< h5 id = "s4.1.1.1" > 4.1.1.1. Authorized users < / h5 > < h5 id = "s4.1.1.1" > 4.1.1.1. Authorized users < / h5 >
< p > < p >
Only System Administrators
Only System Administrators
and Application Engineers
< span class = "strike2" > < / span >
designated on the Access Lists
designated on the Access Lists
in § 3.4.2 are authorized to access accounts,
in § 3.4.2 are authorized to access accounts.
unless specifically directed by the Arbitrator.
< span class = "change2" >
System Administration team leader may temporarily permit Software
Assessors access to the application via SSH in order to do advanced
debugging, or as
< / span >
< span class = "strike2" > Other< / span >
specifically directed by the Arbitrator.
< / p >
< p >
< / p > < / p >
< h5 id = "s4.1.1.2" > 4.1.1.2. Access to Systems< / h5 > < h5 id = "s4.1.1.2" > 4.1.1.2. Access to Systems< / h5 >
@ -951,10 +977,11 @@ Software assessment is not primarily tasked to write the code.
In principle, anyone can submit code changes for approval.
In principle, anyone can submit code changes for approval.
< / p > < / p >
< p > < p class = "q" > Moved to SM 3.3 < / p >
< p class = "strike2" >
The primary tasks for Application Engineers are:
The primary tasks for Application Engineers are:
< / p > < / p >
< ol > < li > < ol class = "strike2" > < li >
Installing signed-off patches,
Installing signed-off patches,
< / li > < li >
< / li > < li >
Verifying correct running,
Verifying correct running,
@ -1032,7 +1059,8 @@ any Member that requests it.
< h3 id = "s7.6" > 7.6. < span class = "strike" > Handover< / span > < span class = "change" > Production< / span > < / h3 > < h3 id = "s7.6" > 7.6. < span class = "strike" > Handover< / span > < span class = "change" > Production< / span > < / h3 >
< p class = "change" > < p class = "q" > Blank, now refer to SM 7.6 < / p >
< p class = "strike2" >
The Application Engineer is a role within Software Assessment
The Application Engineer is a role within Software Assessment
team that is approved to install into production the
team that is approved to install into production the
patches that are signed off.
patches that are signed off.
@ -1048,11 +1076,13 @@ which then must be back-installed into the repositories.
< / span > < / span >
< / p > < / p >
< p class = "change" > < p class = "q" > this below moved to § 3.3 < / p >
< p class = "strike2" >
Requests to Application Engineers for ad hoc queries over the database for business or similar purposes must be approved by the Arbitrator.
Requests to Application Engineers for ad hoc queries over the database for business or similar purposes must be approved by the Arbitrator.
< / p > < / p >
< p > < p class = "strike2" >
See § 3.3.
See § 3.3.
< / p > < / p >
@ -1145,9 +1175,9 @@ or Case Managers.
< ul > < ul >
< li > Access Engineer: responsible for controlling access to hardware, and maintaining hardware. < / li >
< li > Access Engineer: responsible for controlling access to hardware, and maintaining hardware. < / li >
< li > System a dministrator: responsible for maintaining core services and integrity. < / li >
< li > System A dministrator: responsible for maintaining core services and integrity. < / li >
< li > Software Assessor: maintain the code base and confirm security ("sign-off") of patches and releases.< / li >
< li > Software Assessor: maintain the code base and confirm security ("sign-off") of patches and releases.< / li >
< li > Application Engineer: install application updates and confirm basic working.< / li >
< li class = "strike2" > Application Engineer: install application updates and confirm basic working.< / li >
< li > Support Engineer: human interface with users.< / li >
< li > Support Engineer: human interface with users.< / li >
< li > Team leaders: coordinate with teams, report to Board.< / li >
< li > Team leaders: coordinate with teams, report to Board.< / li >
< li > All: respond to Arbitrator's rulings on changes. Respond to critical security issues. Observe.< / li >
< li > All: respond to Arbitrator's rulings on changes. Respond to critical security issues. Observe.< / li >
Ian Grigg
14 years ago