How we work (org handbook)

Password management

Last updated 3 years ago
We prefer not to use shared accounts where possible. We use a shared account only when the plan of a given service that we can afford does not allow enough individual accounts to be practical for our needs.

You should definitely get a dedicated account for any Django/Flask app we develop.

Use a password manager. We recommend Bitwarden, or your favourite password manager, for managing your own passwords for the services you use in your work at OpenUp.

A password that is reused between services, or that is a small variation of a password you use in another service, is not secure.

We owe it to our beneficiaries, clients and reputation as an organisation that can navigate the world of technology to use secure passwords.

Secure passwords are either long, randomly generated strings that you cannot remember (and look up in a password manager instead), or unique passphrases such as the first letter of each word (or the full words!) of a long sentence. So use a password manager, and protect it with a long passphrase.

Sharing passwords

We use Bitwarden for shared password management.

We try to follow the principle of least privilege: you should only have access to the passwords you actually need. To avoid creating multiple shared accounts on the same service, add any accounts that relate to your unit's work to the table, and document in the table above it when a service is the preferred tool for the job. Before creating a new account, check whether there is an existing account you can get access to and reuse; duplicate accounts waste money and effort.

We organise shared passwords according to:

  • unit - for passwords shared with everyone in that unit, e.g. comms, dev, finance

  • project - for passwords shared with everyone in the project

Bitwarden can "nest" collections by using forward slashes (/) in the name and creating a collection for each level of the hierarchy.

Collection permissions are not inherited. Nesting only groups related collections visually.

Giving someone access to the project collection does not give them access to the collections under it.

When adding items, remember to add them to the relevant collection. Collections can be edited later. An item can be in multiple collections, e.g. in the project collection as well as the finance collection, so that the finance team can access invoices.

Adding users

Invite new users to the organisation. Once they've accepted, they have an account and can store passwords for themselves, but they aren't part of the organisation yet.

These users are listed as accepted in the organisation user list. To confirm them, select Confirm in the menu next to their name; Bitwarden will then ask you to confirm their fingerprint.

They can find their fingerprint on their user profile in Bitwarden. It is not secret. The fingerprint identifies the user's encryption key, and confirming shares the organisation's keys with that account, so compare it with the fingerprint they give you rather than clicking through.

Once they are confirmed, add them to any collections they need access to by clicking on their name and checking the relevant collection boxes.

Everyone should have access to

  • project

  • unit

and then any specific units and projects they need to access.

Credentials used by our software

Developers will need to deploy credentials via Ansible.

Secure Note type items seem to work best for these kinds of credentials. Use a custom text field for non-sensitive values, and a hidden field for API keys, passwords and other sensitive values.

We usually put these credentials in an environment collection under the relevant project collection, with each item named after the service. For example, under project/municipal-money we have prod, staging and sandbox collections, matching the environment names used in the Ansible inventory. Ansible can then use the environment name to select the right credential for each environment.

Make sure the item is named consistently across environments, so that the same service can be looked up with only an environment name variable in the collection name:

"{{ lookup('bitwarden', 'POSTGRES', field='fields.hostname', collection='project/municipal-money/' ~ env_name) }}"
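As an added example (not code from the handbook or from Ansible), here is a Python check that mirrors the lookup above against a constructed export of Secure Note items: it resolves a field the way the lookup does, and reports items whose names are not consistent across the prod, staging and sandbox collections, which is exactly the case where the env_name lookup silently fails. The item list, field names and hostnames are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample of Secure Note items, as an export might present them:
# item name, the collection paths it belongs to, and its custom fields.
# Hostnames and secrets are placeholders, not real credentials.
SAMPLE_ITEMS = [
    {"name": "POSTGRES", "collections": ["project/municipal-money/prod"],
     "fields": {"hostname": "db-prod.example.invalid", "password": "<hidden>"}},
    {"name": "POSTGRES", "collections": ["project/municipal-money/staging"],
     "fields": {"hostname": "db-staging.example.invalid", "password": "<hidden>"}},
    # Wrong case: the lookup is exact-match, so 'postgres' is a different item.
    {"name": "postgres", "collections": ["project/municipal-money/sandbox"],
     "fields": {"hostname": "db-sandbox.example.invalid", "password": "<hidden>"}},
    {"name": "SENDGRID", "collections": ["project/municipal-money/prod"],
     "fields": {"api_key": "<hidden>"}},
]


def collection_path(project, env_name):
    """Build the collection name the same way the handbook's lookup does."""
    return f"project/{project}/{env_name}"


def resolve(items, project, env_name, item_name, field):
    """Mirror the lookup: exactly one item of that name in the env collection."""
    wanted = collection_path(project, env_name)
    hits = [i for i in items if i["name"] == item_name and wanted in i["collections"]]
    if len(hits) != 1:
        raise LookupError(f"expected one {item_name!r} in {wanted}, found {len(hits)}")
    return hits[0]["fields"][field]


def check_consistency(items, project, envs):
    """Map each item name present in some but not all envs to the envs it lacks."""
    seen = defaultdict(set)
    for item in items:
        for env in envs:
            if collection_path(project, env) in item["collections"]:
                seen[item["name"]].add(env)
    return {name: [e for e in envs if e not in present]
            for name, present in sorted(seen.items()) if len(present) < len(envs)}


if __name__ == "__main__":
    envs = ["prod", "staging", "sandbox"]
    print(resolve(SAMPLE_ITEMS, "municipal-money", "staging", "POSTGRES", "hostname"))
    for name, missing in check_consistency(SAMPLE_ITEMS, "municipal-money", envs).items():
        print(f"{name}: not in {', '.join(missing)}")
```

Running the consistency check before a deploy catches the mis-cased sandbox item, which the Ansible lookup would otherwise report only as a missing credential at run time.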

Service Accounts