This chapter serves as a training guide for people who will be administering and managing trust groups using a Trident portal system. It includes activities such as setting trust group policies for vetting, vouching, and idle timeouts, resetting user passwords, adding users manually, and more. Only trust group administrator members are allowed to view or manage these tasks.
There is one user-related activity that only a trust group administrator can manage: initiating the reset of a password for another user (Figure userAdminPasswordReset). Make sure to confirm via the toggle before clicking the Request Password reset button.
An admin can only begin the process of resetting a user's password; she cannot do it directly. Each user was initially nominated to the trust group before being allowed membership in the trust group. The nominator of a user is part of the process to reset a user's password. As such, because none of the users in our example group were nominated (nor have any of the users uploaded PGP keys), this activity fails (Figure userAdminPasswordResetFail). Once all members have uploaded keys and there are members who have been nominated, this activity can continue.
Get PGP keys uploaded and add a member through nomination so this activity can be fully documented?
This section describes the group-related activities manageable only by trust group administrators. These activities include adding new mailing lists to a trust group, adding a new trust group, updating the group's settings and adding modules to the group, and a couple member-related actions.
When logged in as a trust group administrator, the Group home page looks like what is shown in Figure groupHomePage.
To add a new trust group, click the Add Group link in the second row at the top of the page (Figure groupAddNewGroup). This opens a new page with a field for the new trust group's name. Fill in the field, then click the Create button.
This opens a new page with settings for the new group (Figure groupNewGroupSettingsTop). Configure these settings as needed and, if any modifications are made, click the Update Group button at the bottom of the page (Figure groupNewGroupSettingsBottom).
Returning to the Group home page, the new group will be added in the list of links to current trust groups of which the current user is a member (Figure groupHomePageUpdated).
Once a trust group exists, changes can be made to it or to its members. A specific group's home page might look like the page shown in Figure groupMain.
This page contains almost exactly the same set of links on the page itself or tabs in the second row at the top of the page. The Settings link and tab can now be seen. Group settings include vouching policies, timeout policies, idle policies, PGP requirement policy, and the inclusion of additional modules (not yet added in Figure groupSettingsTop).
There are three additional modules that are optional to the use of a Trident portal system and may be added at any time: the Wiki module, the Files module, and the Calendar module.
Note
At this time, the Calendar module seems to still be under development. Toggling "on" the Calendar module in group settings does not add a Calendar link or tab. We are reporting this to the Trident developers.
To view potential modules to add, go to the current trust group's Settings page. If a module has not been added, its toggle will not be in the "on" position (highlighted and the toggle moved to the right), as can be seen in the page shown in Figure groupModulesAddOff.
To add modules, toggle each desired module to the "on" position as shown in Figure groupModulesAddOn.
Make sure to click the Update Group button at the bottom of the Settings page. From the Settings page, links for the newly-added modules will appear in the second row of links at the top of the page, as can be seen in the page shown in Figure groupModulesAdded. Returning to the group's home page would show links for the modules in the list of links.
The Member page changes slightly when a user has trust group administration privileges (Figure groupMemberActions). A new column is added, Actions, to the list of trust group members and information. These actions allow the administrator to block or unblock a member and demote or promote a group administrator. These are accomplished through the buttons found in the Actions column.
These actions (blocking/unblocking and demoting/promoting) are also available on each trust group member's profile. Click the member's link from the list on the Members page to go to the member's profile (Figure groupMemberProfileTop).
Scroll down towards the bottom of the profile until just before the vouching section of the profile. There is a section titled Admin functions for a given user. This section contains the same buttons to block or unblock and demote or promote as can be found in the Actions column on the member page (Figure groupMemberProfileBottom).
Finally, trust group administrators can add and delete mailing lists. To see a list of current mailing lists, from a trust group's main page, navigate to the Mailing List page using either the link on the page or the tab in the second row at the top of the page. The list can be seen on the page shown by Figure groupMailingListList.
Now, the second row of tabs at the top of the page has changed to just one, New Mailing List. Click this tab to go to a new page to add a new mailing list. Fill in a name for the mailing list in the required field as shown in Figure groupMailingListNewList. Then click the Create button.
Clicking the Create button immediately opens the Settings page (Figure groupMailingListSettings) for the new mailing list. Modify the settings as needed, and click the Update Configuration button.
Returning to the Mailing List home page, the new mailing list has been added to the list, as can be seen in the page shown by Figure groupMailingListUpdatedList.
A Settings page is available for all mailing lists. In the list on the Mailing List page (see Figure groupMailingListUpdatedList), there are links in the Shortname column. Clicking this link opens a new page with a list of current mailing list members and tabs in the second row at the top of the page (Figure groupMailingListMembers) for the Settings page (Figure groupMailingListSettings), to Subscribe or Unsubscribe the current user to or from the mailing list, and to download PGP keys for the current mailing list.
Click the Subscribe or Unsubscribe tabs to subscribe or unsubscribe the current member from the current mailing list. Click the PGP Key tab to download the PGP key for the current mailing list.
These actions can also be completed from the Mailing List home page (Figure groupMailingListActivitiesList).
For the desired mailing list, click the link PGP Key in the PGP column to download the PGP key for that mailing list. To unsubscribe or subscribe to a mailing list, click the available button in the Action column.
This section covers activities that can only be accomplished via the CLI page. This page utilizes a command line interface through which the databases holding information of the Trident system may be manipulated. These activities include adding a new user to the Trident system, removing a member from a trust group, and removing a mailing list from a trust group.
Click the link on the user's home page or the tab in the second row at the top of the page to go to the CLI page. A new page will open with a field to enter the command, simulating a command line, and the larger, top box returns the results of the command executed (see Figure cliHomePage, which shows the results of running "help" via the command line interface).
Figure cliHomePage shows help for using the Trident CLI when a user is not logged in as a sysadmin. Each top level command indicates the domains of attributes which can be manipulated via the CLI: user, to manipulate user information; group, to manipulate trust group information; ml, to manipulate mailing list information; and system, to manipulate system information.
Figure cliUserGroupHelp shows the results from running the command group help.
A user must become a sysadmin via the CLI to gain access to sysadmin CLI commands; being logged in as a sysadmin in the webapp does not allow sysadmin access via the CLI. To obtain sysadmin rights, use the command system swapadmin, as shown in Figure cliSwapadmin.
Once logged in as a sysadmin, more commands are available. See Figure cliAdminGroupHelp and compare with Figure cliUserGroupHelp for the additional commands available in the group domain.
Trust group admins should use the web app interface for as many tasks as possible. However, there are some tasks which are not able to be accomplished with the web app, and these must be handled using the CLI page. One of those tasks is adding a new user to the system.
All users must be added to the Trident system before they can become members of any trust groups. Help for the user domain can be seen in Figure cliAdminUserHelp.
To add a user, use the command user add new <username> <email> where <username> is a username for the user and <email> is a valid email address the user owns. See Figure cliAdminUserAdd.
The user can always change their username using the Username page in the User perspective of the portal. See Figure userUsername in Section userManagement. The email must be the correct, valid email address to which the user wishes to receive communications regarding initial Trident use. Email addresses can be changed, added, or deleted once the user has Trident access. See Section userEmailManagement.
Additionally, a trust group admin must set the user's initial password. The user can change their password via the Password page in the User perspective (see Section userPwdChange). The initial password must be set by the administrator and then passed along to the user either through out-of-band means or via an encrypted message.
To set a user's password via the CLI, use the command user password set portal <username> <password> in the field simulating the command line on the CLI page (Figure cliAdminPasswordSet).
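The two commands above, combined into one onboarding step, as an added example that is not part of the original guide or of Trident itself: it generates a random initial password and builds the lines to paste into the CLI page. The helper names, the whitespace check (it assumes the CLI field splits arguments on whitespace), and the sample user are assumptions.

```python
import re
import secrets
import string

# Assumption: the CLI field splits its input on whitespace, so no argument
# may contain spaces, newlines or control characters.
_TOKEN = re.compile(r"[^\s\x00-\x1f]+")
_EMAIL = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
# Letters and digits only: survives copy/paste and needs no quoting.
_ALPHABET = string.ascii_letters + string.digits


def generate_initial_password(length=24):
    """Return a random initial password drawn from the OS CSPRNG."""
    if length < 16:
        raise ValueError("initial password should be at least 16 characters")
    return "".join(secrets.choice(_ALPHABET) for _ in range(length))


def onboarding_commands(username, email, password=None):
    """Build the two CLI lines that add a user and set the portal password.

    Returns (commands, password). The password is returned separately so it
    can be passed to the user out-of-band or in an encrypted message.
    """
    if not _TOKEN.fullmatch(username):
        raise ValueError("username must be a single token without whitespace")
    if not _EMAIL.fullmatch(email):
        raise ValueError("email does not look like a valid address")
    if password is None:
        password = generate_initial_password()
    elif not _TOKEN.fullmatch(password):
        raise ValueError("password must not contain whitespace")
    commands = [
        f"user add new {username} {email}",
        f"user password set portal {username} {password}",
    ]
    return commands, password


if __name__ == "__main__":
    # Constructed sample values, not taken from the guide.
    cmds, _pw = onboarding_commands("jdoe", "jdoe@example.org")
    for line in cmds:
        print(line)
```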
The user will now show up in a trust group administrator's list of users found on the User home page (see Figure cliAdminNewUserList). The user does not yet exist in the trust group. For the user to become a member of the trust group, follow the trust group's policies for becoming a member (nomination, vouches, etc.).
There are instances where a user must be removed from a trust group. Members can be blocked via the web application's Group perspective (see Figure groupMemberActions in Section adminGroupActivities). This does not remove a member completely from the trust group, nor does it remove a member as a user from the Trident system itself. These actions must be taken via the CLI.
To remove a member from a trust group, use the command group member remove <group> <username> in the field simulating the command line, where <group> is the trust group from which the user should be removed and <username> is the username for the user (Figure cliAdminRemoveMember).
To remove a user from the Trident system, use the command user delete <username> (Figure cliAdminRemoveUser).
Finally, trust group administrators are responsible for the group's mailing lists. Sometimes, lists must be deleted. There is no way to remove a list via the web application Mailing List home page (see Figure groupMailingListList in Section adminGroupActivities). Thus, the removal must be accomplished via the CLI.
To see what subcommands are available in the ml domain, use the command ml help (Figure cliAdminMailingListHelp).
To see a current list of available mailing lists, use the command ml list <group> where <group> is the name of the trust group from which to list available mailing lists (Figure cliAdminMailingListList).
To remove a mailing list, use the command ml remove <group> <ml> where <group> is the trust group from which the mailing list is to be removed and <ml> is the name of the mailing list to be removed (Figure cliAdminMailingListRemove).
The list of mailing lists on the web app's Mailing List home page will then be updated (Figure cliAdminMailingListUpdate).
PGP keys are also manageable via the CLI's ml domain. If PGP keys for a mailing list are compromised for some reason, they need to be regenerated. Trust group administrators can retrieve both public and secret PGP keys, as well as regenerate new ones. See Figure cliAdminMailingListHelp to see the ml subcommands and the necessary parameters. Trust group admins should then notify all members of the change of keys so the members can go retrieve the new keys (see Section userPGPKeysManagement).
To log out of the CLI as a trust group admin, run the command system swapadmin again (Figure cliUserSwapadmin).
This concludes the activities manageable by a trust group administrator. To see tasks for regular members of trust groups or for system administrators, please see the other chapters in this document (Section tgMemberActivities and Section systemAdministration, respectively).