(create_users_in_shm)=

# Create users in SHM

> This task is the responsibility of {ref}`role_tresa`.

Once a user creation request has been received by the {ref}`role_tresa`, they should follow the Data Safe Haven [user management guide](https://data-safe-haven.readthedocs.io/en/v4.2.2/roles/system_manager/manage_users.html) to create users in the SHM.

Users should be added to the SRE of their project, which should then enable them to setup an account and login via the url:

> `https://<SRE ID>.<SHM ID>.turingsafehaven.ac.uk/`

The {ref}`role_project_team` will then {ref}`invite_users_to_login`.

(add_users_in_bulk)=

## Add users in bulk

For Data Study Group (DSG) projects, a large number of users may need to be added in one go, which can be a very long manual process.

There is a CLI tool which can be used to automate this process:

<details>
<summary>
Add users in bulk with CLI tool
</summary>

Process the users spreadsheet for use in DC1.

1. Download a copy of the users spreadsheet kept on Sharepoint at `project_sres -> YYYY-MM-dsg-general -> user-information` (or ask the project/DSG team where this is)

2. Move the spreadsheet into the following directory in your local clone of the `trusted-research` repo: `process_users_cli/<my-spreadsheet>.xlxs`

3. If not already in the `process_users_cli` directory:

   ```shell
   cd process_users_cli
   ```

   You can check by running:

   ```shell
   pwd
   ```

4. [Mac users] Create virtual environment:

   ```shell
   python -m venv .venv
   ```

5. [Mac users] Activate virtual environment:

   ```shell
   source .venv/bin/activate
   ```

6. Install requirements:

   ```shell
   pip install -r requirements.txt
   ```

### Usage

- Explore the CLI api with:

  ```shell
  python -m userprocessor  --help
  ```

- Explore the `process` command with:

  ```shell
  python -m userprocessor process --help
  ```

- Explore the `validate-phone-number` command with:

  ```shell
  python -m userprocessor validate-phone-number --help
  ```

- Usage exmaples:

  ```shell
  python -m userprocessor process  users.xlsx
  ```

  with all optional parameters:

  ```shell
  python -m userprocessor process -o dsg_01_05_23.csv -r dsg_01_05_23_report.txt -rg 'MYDSG Research Users' may_users.xlsx
  ```

### Creating Users in `DC1`

1. Create a csv in the `DC1` and give it name like `dsg_[mm]_[yyyy]_users.csv`.
   Copy the output csv contents into this file.

2. Run `CreateUsers.ps1` with the csv (see [DSH docs](https://data-safe-haven.readthedocs.io/en/v4.2.2/roles/system_manager/manage_users.html#create-new-users)) - many are created already, this is fine.

3. Users are added to the `Sandbox` SRE by default, unless a different Research Group is specified.
   Further [changes to user access](https://data-safe-haven.readthedocs.io/en/v4.2.2/roles/system_manager/manage_users.html#modifying-user-sre-access) can be carried out later.

4. Add the `SamAccountName` usernames to the original DSG/project team spreadsheet
    - most are `firstname.surname`, but a few will have their username shortened.

### Testing

Run tests:

```shell
python -m pytest tests/
```

</details>

(current_shm)=

## Current Turing SHM

**Last updated 31/08/2023:**

The `<SHM ID>` of the SHM currently set up is `prod4`.

Configuration details are accessible to the {ref}`role_tresa` in [this issue](https://github.com/alan-turing-institute/trusted-research/issues/121) on the private `trusted-research` GitHub repo.

(sandbox)=

## Sandbox SRE

Sometimes it may be helpful to set up a Sandbox SRE in advance of users getting access to the project SRE, especially where the users need a bit of practice with a Linux remote desktop.

To set up a Sandbox SRE:

1. Follow the {ref}`build_tre` in the same way as you would for a project SRE

    - It might be simplest to set the `"tier"` to `"0"`, but it some cases you may want a higher tier Sandbox to give the users the experience with more stringent security controls

2. Clone the `https://github.com/alan-turing-institute/DSGaiuk2022` repo to your local computer

3. Use Azure Storage Explorer to {ref}`perform ingress <perform_data_ingress_tresa>` of the `DSGaiuk2022` repo

4. If you wanted to check that the ingress worked, add your own user account to the Sandbox SRE security group and login to inspect the contents of the `/data` folder (consult [user management guide](https://data-safe-haven.readthedocs.io/en/v4.2.2/roles/system_manager/manage_users.html) if you don't remember how)

5. Follow the guidance above on {ref}`inviting users to log in <invite_users_to_login>`

Once users are logged in, they can explore the Sandbox and familiarise themselves with working in the SRE (and more generally in a Linux-based remote desktop).
There are several thing users could do to get started, for example:

1. Practice logging into the available GitLab and committing code to a repository

2. Copy the `DSGaiuk2022` repo from `data` to their home folder and attempt to run the contained notebook using Python (see `https://github.com/alan-turing-institute/DSGaiuk2022/tree/main#running-the-notebook-on-your-own-computer`)

    - Pose the question to the users: Can you find out what the average monthly concentration of CO2 levels were at the Mauna Loa observatory, in parts per million (PPM), in March 1958?

### Removing Sandbox users

Unlike the project SREs, "Sandbox" will not be torn down at the end of a project, so any users added should be removed after they no longer require access. Follow the [Data Safe Haven Guide](https://data-safe-haven.readthedocs.io/en/v4.2.2/roles/system_manager/manage_users.html#modifying-user-sre-access) which explains how to remove users from an SRE.