
Authentication and authorization

Jonathan Stegall edited this page Jul 19, 2024 · 17 revisions

This page is mainly intended for team members who need to understand how our system is designed to work, although it could also be of interest to anyone reusing the codebase for a new project.

Authentication

We use two authentication methods:

  1. CMS Identity Management (IDM), which we tend to call "EUA" informally. This is a single-sign-on system built on Okta, and it includes multi-factor authentication.
  2. Django user authentication, which is a simple username-and-password system.

Users in our production environment authenticate with CMS IDM. Team members use Django user authentication for development purposes only.

Dev info:

Separate from user authentication and authorization, our dev and val environment URLs (including experimental branches) sit behind HTTP basic auth, a simple gate that keeps non-production versions of the site from being used outside the development team. The HTTP_AUTH_USER and HTTP_AUTH_PASSWORD environment variables configure those credentials. The gate is only a perimeter check for non-prod deployments; it does not replace the application's own login and role checks, which still apply behind it.
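As an added illustration (not code from the eRegs codebase), here is one way such a gate can be implemented as a WSGI middleware wrapped around the Django application, reading HTTP_AUTH_USER and HTTP_AUTH_PASSWORD from the environment. The class and function names are the example's own. Two details a practitioner would want: both fields are compared in constant time with hmac.compare_digest, and an unset or empty credential pair fails closed (every request gets a 401) rather than silently opening the site.

```python
import base64
import binascii
import hmac
import os
from typing import Optional, Tuple


def parse_basic_auth(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (user, password) from an HTTP Basic Authorization header, or None if absent or malformed."""
    if not header:
        return None
    scheme, _, encoded = header.partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        decoded = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")  # password may itself contain ':'
    if not sep:
        return None
    return user, password


def credentials_match(supplied: Optional[Tuple[str, str]], expected_user: str, expected_password: str) -> bool:
    """Constant-time comparison of both fields; empty expected values always fail (fail closed)."""
    if supplied is None or not expected_user or not expected_password:
        return False
    user_ok = hmac.compare_digest(supplied[0].encode("utf-8"), expected_user.encode("utf-8"))
    pass_ok = hmac.compare_digest(supplied[1].encode("utf-8"), expected_password.encode("utf-8"))
    return user_ok and pass_ok


class BasicAuthGate:
    """WSGI middleware (hypothetical name): rejects every request that lacks valid basic-auth credentials.

    Wrap the Django WSGI application with it in non-prod wsgi.py, e.g.
    application = BasicAuthGate(get_wsgi_application()).
    """

    def __init__(self, app, user: Optional[str] = None, password: Optional[str] = None, realm: str = "non-prod"):
        self.app = app
        # Explicit arguments are for tests; deployments take the values from the environment.
        self.user = user if user is not None else os.environ.get("HTTP_AUTH_USER", "")
        self.password = password if password is not None else os.environ.get("HTTP_AUTH_PASSWORD", "")
        self.realm = realm

    def __call__(self, environ, start_response):
        supplied = parse_basic_auth(environ.get("HTTP_AUTHORIZATION"))
        if credentials_match(supplied, self.user, self.password):
            return self.app(environ, start_response)
        start_response(
            "401 Unauthorized",
            [("WWW-Authenticate", f'Basic realm="{self.realm}"'), ("Content-Type", "text/plain")],
        )
        return [b"Authentication required\n"]


def basic_header(user: str, password: str) -> str:
    """Build the Authorization header value a browser would send for these credentials."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def gate_status(auth_header: Optional[str], user: str, password: str) -> str:
    """Drive the middleware with a constructed WSGI environ and return the status line it emits."""
    captured = {}

    def inner_app(environ, start_response):  # stands in for the Django application
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"hello\n"]

    def start_response(status, headers):
        captured["status"] = status

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    if auth_header is not None:
        environ["HTTP_AUTHORIZATION"] = auth_header
    BasicAuthGate(inner_app, user=user, password=password)(environ, start_response)
    return captured["status"]


if __name__ == "__main__":
    print(gate_status(basic_header("dev", "s3cret"), "dev", "s3cret"))   # 200 OK
    print(gate_status(basic_header("dev", "wrong"), "dev", "s3cret"))    # 401 Unauthorized
    print(gate_status(basic_header("dev", "s3cret"), "", ""))            # 401 Unauthorized (unset env)
```

Because the gate runs in front of Django, it also covers /admin/ and static paths; the realm string is only a browser prompt label and carries no security meaning.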

How to log in

  1. CMS IDM: /login/ (this path is set by Django's LOGIN_URL setting)
  2. Django authentication: /admin/ (the Django admin login form)

Authorization

We have four roles: reader, editor, manager, admin.

Django includes a "groups" feature for managing permissions. We have one group for each role.

CMS IDM is connected to a "job code" system that manages authorization: individual users request a specific job code appropriate to their role for each CMS application they use. We have four eRegs job codes per IDM environment, one for each role, and each job code is mapped to the corresponding Django group. Details about the job codes are on the CMS side (requires login); details about roles and permissions are on the Django side.

The expected process for an IDM user is:

  1. Have an IDM account
  2. Request an eRegs job code within the CMS system
  3. Job code is approved
  4. Log into eRegs
  5. eRegs automatically creates the user with the appropriate group according to their job code
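The following is an added example, not the project's own login code, of the last step above: mapping the job codes an IDM login asserts to a single Django group and creating or updating the user accordingly. The job-code names, the environment keys, and the function names are all hypothetical; the real codes are documented on the CMS side. Two choices go beyond what the page states and are the example's own: if a user holds codes for more than one role, the most privileged one wins (each code is individually approved); and a user who logs in with no eRegs job code for the current environment is not created, while an existing user in that state is deactivated and stripped of groups, so revoking a job code also revokes access on the next login.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set

# Roles ordered from least to most privilege; the group name equals the role name.
ROLES = ("reader", "editor", "manager", "admin")

# Hypothetical job-code names, one set per IDM environment. A code for one
# environment is meaningless in another, which is why the mapping is keyed by environment.
JOB_CODES: Dict[str, Dict[str, str]] = {
    env: {f"EREGS_{env.upper()}_{role.upper()}": role for role in ROLES}
    for env in ("test", "val", "prod")
}


def resolve_role(job_codes: Iterable[str], env: str) -> Optional[str]:
    """Return the single role implied by the asserted job codes for this environment, or None.

    Codes that are unknown or belong to another environment are ignored; with several
    matching codes the most privileged role is chosen (assumption, see lead-in).
    """
    mapping = JOB_CODES.get(env, {})
    matched = {mapping[code] for code in job_codes if code in mapping}
    if not matched:
        return None
    return max(matched, key=ROLES.index)


@dataclass
class User:
    """Minimal stand-in for django.contrib.auth's User plus its group memberships."""
    username: str
    is_active: bool = True
    groups: Set[str] = field(default_factory=set)


def provision_from_idm(store: Dict[str, User], username: str, job_codes: Iterable[str], env: str) -> Optional[User]:
    """Create-or-update a user at login so that group membership reflects the current job codes.

    `store` stands in for the user table. Returns the user record, or None when the login
    carried no eRegs job code and no record existed (nothing is created in that case).
    """
    role = resolve_role(job_codes, env)
    user = store.get(username)
    if role is None:
        if user is not None:
            # Job code revoked or missing: keep the record for audit purposes but cut access.
            user.is_active = False
            user.groups.clear()
        return user
    if user is None:
        user = User(username=username)
        store[username] = user
    user.is_active = True
    user.groups = {role}  # exactly one role group; any stale group from a previous code is dropped
    return user


if __name__ == "__main__":
    users: Dict[str, User] = {}
    print(provision_from_idm(users, "alice", ["EREGS_TEST_EDITOR"], "test"))
    print(provision_from_idm(users, "alice", ["EREGS_TEST_EDITOR", "EREGS_TEST_ADMIN"], "test"))
    print(provision_from_idm(users, "alice", [], "test"))
```

In a real Django deployment this logic would live in the authentication backend or a post-login signal handler, with `Group.objects.get(name=role)` replacing the set of strings; the point of the example is that group membership is derived from the identity provider's claims on every login rather than granted once and left to drift.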

For team members using Django user authentication, we create users, assign permissions, and deactivate accounts by hand.

Environments

See Team developer guide (requires login) for all URLs registered in Okta.

Configuration for each environment is controlled by the DJANGO_SETTINGS_MODULE environment variable. Local is cmcs_regulations.settings.local, and everything else is cmcs_regulations.settings.deploy.

Methods supported:

  • Dev local
    • Django auth
  • Experimental branches
    • Django auth
    • One branch is configured to enable Test IDM
  • Dev environment
    • Django auth
    • Test IDM
  • Val environment
    • Django auth
    • Val (Impl) IDM
  • Prod environment
    • Django auth
    • Prod IDM
