GAWB-3166: Need a EULA in UI and API that users agree to #42
Comments
|
User Flow (# 3 is new functionality):
|
|
Communication to users: Before this functionality is released, Ilyana will write a blog post explaining that there’s going to be a click-through EULA, a summary of the terms, and reasoning for adding this now to FireCloud |
|
Thought of another wrinkle: make sure this works for Service Account users as well. |
irosenbe
changed the title
irosenbe
changed the title
|
snippet from slack
(I still think it is worth a little more pushing as it is a good answer for what we do about api-only access) |
|
Following TOS language should be included in the click-through: https://docs.google.com/document/d/1i1qUsrF8kI2iuR0cgsxIyicnmfoicKcqiK3M-Fjk8aQ/edit |
irosenbe
modified the milestones:
OKR: Security Alignment,
EPIC: End-User-License-Agreement
Requirements
Auditors have decided that we need an End User License Agreement for Firecloud/multi-tenant application.
[Bernick] My feeling from the government requirement is that the users sign some sort of EULA for using "the system". AoU will use FC, but the user is signing into AoU so it has it's own EULA.
But we should take that opportunity to have them sign a EULA for using FC if they want to use FC (not via AoU interface). Maybe have the AoU EULA cover a FC EULA too and this tick the database flag in FC for having signed it? Otherwise, yes when the user comes to FC independently of AoU, they'll have to sign it.
[Bernick] Yeah this whole thing is kind of up to you. It's a workflow issue.
If a user comes into firecloud via some "app", the app needs a EULA. Whether that EULA covers FC or not is something we don't have visibility into, but we should probably tick the FC "signed eula in FC box" if they come in through another app and just assume that app has a EULA?
But if they come in through FC (the app) or FC (the services), WE need to keep track of them signing a EULA.
IT IS contradictory and do not have good advice on it since most EULAs don't think about API driven software.
I think I'd say, "we should keep a record of any user using FC Services and Apps as having signed some sort of EULA". That might mean twice signing a EULA for a user.
Date: UI should be ASAP, the remainder can be staggered afterwards anytime this year
Notes:
Remember this isn’t purely a frontend. A user has to agree to a Eula somewhere in their experience. So AoU needs to put in a Eula and have that clicked through. So doesn’t Saturn. And if a user doesn’t use a GUI they shouldn’t get access to any Workbench backend until they can show them that they clicked through a Eula. So it’s not not just GUI thing. Though it CAN start that way. All of our services need the ability to see fin user clicked through a Eula at some stage during account creation.
https://nvd.nist.gov/800-53/Rev4/control/PL-4 this is the control we specifically have to fulfill: – it's (a,b,c,d) that this ticket
Control Description
The organization:
a. Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;
b. Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system;
c. Reviews and updates the rules of behavior [Assignment: organization-defined frequency]; and
d. Requires individuals who have signed a previous version of the rules of behavior to read and re-sign when the rules of behavior are revised/updated.
Outstanding Questions:
https://docs.google.com/document/d/12dGIFtn0xGE4Ld8E91mTShtXt3oEKLJgbw7lxPUrwqw/edit
Link to GAWB Ticket: https://broadinstitute.atlassian.net/browse/GAWB-3166?page=com.atlassian.jira.plugin.system.issuetabpanels%3Aall-tabpanel
The text was updated successfully, but these errors were encountered: