(tresa_onboarding)=

# Onboarding checklist

```{important}
- The Safe Haven Management environment (SHM) used in production has the SHM ID: `prod4`.
- When new TRESA members are onboarding, an existing member should set up a Secure Research Environment (SRE) on the production SHM for testing, e.g. called `sandbox`

*Last updated 1st September 2023*
```

## Pre-requisite steps

- Ensure you can connect to the Turing VPN via GlobalProtect (see Settings and choose the `vpnr.turing.ac.uk` portal)
  - If you don't have this installed or run into issues, email `ITServices@turing.ac.uk`
- Set up your [Turing MS Azure account](https://mathison.turing.ac.uk/Interact/Pages/Content/Document.aspx?id=2432) following the steps on Mathison if you don't already have one
- Fork the [Data Safe Haven GitHub repo](https://github.com/alan-turing-institute/data-safe-haven) and clone it to your computer
- Ask an existing member of TRESA to give you access to [TRESA Sharepoint](https://thealanturininstitute.sharepoint.com/sites/tresa/SitePages/Home.aspx) (it's probably a good idea to bookmark this)
- Ask an existing member of TRESA to add you to the `Safe Haven Production Admins` group on Azure after they are satisfied you have completed the required training (see header below)
- Ask an existing member of TRESA to give you access to the `trustedresearch@turing.ac.uk` inbox.
  - The existing member of TRESA should email `ITServices@turing.ac.uk` to request this
  - Once the existing TRESA member confirms you are added, in Outlook go to `Open -> Shared Mailbox` and search for "DSH operations team", then click `Add`.
- Ask an existing member of TRESA to give you access to the [trusted-research](https://github.com/alan-turing-institute/trusted-research/settings/access) GitHub repo
- Check you can view (and add to) the following (bookmark these):
  - SRE project board: accessible at `https://github.com/orgs/alan-turing-institute/projects/25/views/1?layout=board`
  - Management project board: accessible at `https://github.com/orgs/alan-turing-institute/projects/52/views/1?layout=board`
- Install the following in the way described in the [DSH SHM pre-requisites](https://data-safe-haven.readthedocs.io/en/v4.2.2/deployment/deploy_shm.html#prerequisites) (don't follow the rest of this guide - the SHM is already set up)
  - PowerShell and the required modules
  - Microsoft Remote Desktop
  - OpenSSL

## Required training and user account details

As an admin, you will have access to sensitive data held within the TREs deployed to production at the Turing.
As such, we require that you complete the training needed to handle any kind of data that these environments might include.
In addition, it's useful to have set up a non-privileged user account that you can use to log into deployed environments for testing purposes.

- Add your details to the `Documents` -> `information_governance` -> `all_users_and_projects` spreadsheet in the TRESA Sharepoint, and assign yourself an `admin` role.
- Complete all of the training guides below, and save your certificates to the `information_governance` -> `TRESA certificates` folder:
  - {ref}`organisational_training`
  - {ref}`elfh_training`
  - {ref}`mrc_training`
- Update the `all_users_and_projects` spreadsheet with the completion dates of these trainings
- Upload the certificates to the `information_governance` -> `TRESA certificates` folder
- Ask an existing member of TRESA to [create a user account](https://data-safe-haven.readthedocs.io/en/v4.2.2/roles/system_manager/manage_users.html#create-new-users) for you in the production SHM and to add you as a research user to a test SRE (e.g. `Sandbox`)
  - For this, they will use the details you added to the `information_governance` -> `TRESA_prod4_users` spreadsheet in the TRESA Sharepoint
- Follow the [user guide](https://data-safe-haven.readthedocs.io/en/v4.2.2/roles/researcher/user_guide.html) to set up your account
- Check you can log into the SRE

(shm_setup)=

## Getting set up with the Safe Haven Management Environment

- Ask an existing TRESA member to [create a Microsoft Entra ID admin account](https://data-safe-haven.readthedocs.io/en/v4.2.2/deployment/deploy_shm.html#create-microsoft-entra-administrator-accounts) for you.
  - For this, you'll need to provide your phone number and institutional email address
- Activate your Microsoft Entra ID admin account in the same way as you did for your research user account, by following [the user guide](https://data-safe-haven.readthedocs.io/en/v4.2.2/roles/researcher/user_guide.html#password-and-mfa)
- Go to the Azure portal and check you can log in with this account, in addition to your normal Turing email account
- Follow [Step 7: Configure VPN connection](https://data-safe-haven.readthedocs.io/en/v4.2.2/deployment/deploy_shm.html#configure-vpn-connection) of the Safe Haven SHM guide for the production SHM (`prod4`)
- Then navigate to the **SHM primary domain controller** VM in the portal at `Resource Groups > RG_SHM__DC > DC1-SHM-` and note the Private IP address for this VM
- Next, navigate to the `RG_SHM__SECRETS` resource group, then the `kv-shm-` Key Vault, then select secrets on the left-hand panel and retrieve the following:
  - `` is in the `shm--domain-admin-username` secret.
  - ` is the ` followed by the SHM AD domain: `@`.
  - `` is in the `shm--domain-admin-password` secret.
- Open Microsoft Remote Desktop and log into the SHM primary domain controller (`DC1-SHM-`) VM using the private IP address, `` and `` that you obtained from the portal above.
  - Open Microsoft Remote Desktop and click Add Desktop / Add PC
  - Enter the private IP address of the VM that you need to connect to in the PC name field
  - Enter a name for the VM (`DC1-SHM-`) in the Friendly name field
  - Click `Add`
  - Double click on the desktop that appears under Saved Desktops or PCs.
  - Use the `` and `` from above
- You should then be logged into the `DC1` Windows VM (this is used for {ref}`user_management`)

## Create a test deployment and practice TRESA tasks

- Ensure you are set up on the production SHM (`prod4`) by following the steps above
- You should now be able to perform all of the TRESA {ref}`tasks` during a project
- In particular, we suggest practising the following:
  - {ref}`create_tre_github_issue` - use the same Azure Subscription for your SRE as the production SHM (`prod4`)
  - {ref}`build_tre`
  - {ref}`create_users_in_shm` - add your own user account to the SRE you set up and check you can log in
  - {ref}`teardown_tre`
  - {ref}`delete_data`