Onboarding checklist

Important

  • The Safe Haven Management environment (SHM) used in production has the SHM ID: prod4.

  • When new TRESA members are onboarding, an existing member should set up a Secure Research Environment (SRE) on the production SHM for testing, e.g. called sandbox.

Last updated 1st September 2023

Pre-requisite steps

  • Ensure you can connect to the Turing VPN via GlobalProtect (see Settings and choose the vpnr.turing.ac.uk portal)

    • If you don’t have this installed or run into issues, email ITServices@turing.ac.uk

  • Set up your Turing MS Azure account following the steps on Mathison if you don’t already have one

  • Fork the Data Safe Haven GitHub repo and clone it to your computer

  • Ask an existing member of TRESA to give you access to TRESA Sharepoint (it’s probably a good idea to bookmark this)

  • Ask an existing member of TRESA to add you to the Azure Safe Haven Production Admins group on Azure after they are satisfied you have completed required training (see header below)

  • Ask an existing member of TRESA to give you access to the trustedresearch@turing.ac.uk inbox.

    • The existing member of TRESA should email ITServices@turing.ac.uk to request this

    • Once the existing TRESA member confirms you are added, in Outlook go to Open -> Shared Mailbox and search for “DSH operations team”, then click Add.

  • Ask an existing member of TRESA to give you access to the trusted-research GitHub repo

  • Check you can view (and add to) the following (bookmark these):

    • SRE project board: accessible at https://github.com/orgs/alan-turing-institute/projects/25/views/1?layout=board

    • Management project board: accessible at https://github.com/orgs/alan-turing-institute/projects/52/views/1?layout=board

  • Install the following in the way described in the DSH SHM pre-requisites (don’t follow the rest of this guide - the SHM is already set up)

    • PowerShell and the required modules

    • Microsoft Remote Desktop

    • OpenSSL

Required training and user account details

As an admin, you will have access to sensitive data held within the TREs deployed to production at the Turing. As such, we require that you complete the training needed to handle any kind of data that this might include. In addition, it’s useful to set up a non-privileged user account that you can use to log into deployed environments for testing purposes.

Getting set up with the Safe Haven Management Environment

  • Ask an existing TRESA member to create a Microsoft Entra ID admin account for you.

    • For this, you’ll need to provide your phone number and institutional email address

  • Activate your Microsoft Entra ID admin account in the same way as you did for your research user account, by following the user guide

    • Go to the Azure portal and check you can log in with this account, in addition to your normal Turing email account

  • Follow Step 7: Configure VPN connection of the Safe Haven SHM guide for the production SHM (prod4)

    • Then navigate to the SHM primary domain controller VM in the portal at Resource Groups > RG_SHM_<SHM ID>_DC > DC1-SHM-<SHM ID> and note the Private IP address for this VM

    • Next, navigate to the RG_SHM_<SHM ID>_SECRETS resource group, open the kv-shm-<SHM ID> Key Vault, select Secrets in the left-hand panel and retrieve the following:

      • <admin username> is in the shm-<SHM ID>-domain-admin-username secret.

      • <admin login> is the <admin username> followed by the SHM AD domain: <admin username>@<SHM domain>.

      • <admin password> is in the shm-<SHM ID>-domain-admin-password secret.

    • Open Microsoft Remote Desktop and log into the SHM primary domain controller (DC1-SHM-<SHM ID>) VM using the private IP address, <admin login> and <admin password> that you obtained from the portal above.

      • Open Microsoft Remote Desktop and click Add Desktop / Add PC

      • Enter the private IP address of the VM that you need to connect to in the PC name field

      • Enter a name for the VM (DC1-SHM-<SHM ID>) in the Friendly name field

      • Click Add

      • Double click on the desktop that appears under Saved Desktops or PCs.

      • Use the <admin username> and <admin password> from above

    • You should then be logged into the DC1 Windows VM (this is used for user management)
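
The portal lookups in the steps above (the domain controller's private IP address and the two Key Vault secrets) can also be done from PowerShell. This is an added example, not part of the original checklist or the Data Safe Haven code base: the function name Get-ShmDcConnectionInfo is hypothetical, and it assumes the Az modules are installed, you have run Connect-AzAccount with your admin account in the subscription holding the SHM, and you supply the SHM AD domain yourself (it is not stated on this page). The password is kept as a SecureString so it is never echoed to the console or a transcript.

```powershell
# Added example (hypothetical helper, not the project's own code).
# Requires Az.Accounts, Az.Compute, Az.Network and Az.KeyVault, and an
# authenticated context (Connect-AzAccount) on the SHM subscription.
function Get-ShmDcConnectionInfo {
    param(
        [Parameter(Mandatory)][string]$ShmId,     # e.g. prod4
        [Parameter(Mandatory)][string]$ShmDomain  # SHM AD domain, supplied by you
    )
    $ErrorActionPreference = 'Stop'

    # Resource names follow the patterns given in the checklist
    $dcResourceGroup = "RG_SHM_${ShmId}_DC"
    $dcVmName        = "DC1-SHM-${ShmId}"
    $vaultName       = "kv-shm-${ShmId}"

    # Private IP address of the primary domain controller VM
    $vm  = Get-AzVM -ResourceGroupName $dcResourceGroup -Name $dcVmName
    $nic = Get-AzNetworkInterface -ResourceId $vm.NetworkProfile.NetworkInterfaces[0].Id
    $privateIp = $nic.IpConfigurations[0].PrivateIpAddress

    # The username is not sensitive, so read it as plain text.
    # The password stays a SecureString (.SecretValue) and is never printed.
    $username = Get-AzKeyVaultSecret -VaultName $vaultName `
        -Name "shm-${ShmId}-domain-admin-username" -AsPlainText
    $passwordSecret = Get-AzKeyVaultSecret -VaultName $vaultName `
        -Name "shm-${ShmId}-domain-admin-password"

    # Get-AzKeyVaultSecret returns nothing when a secret is missing,
    # so fail loudly instead of building a half-empty result.
    if (-not $username -or -not $passwordSecret) {
        throw "Domain admin secrets not found in Key Vault '$vaultName'."
    }

    $adminLogin = "${username}@${ShmDomain}"
    [pscustomobject]@{
        PcName       = $privateIp    # 'PC name' field in Microsoft Remote Desktop
        FriendlyName = $dcVmName     # 'Friendly name' field
        AdminLogin   = $adminLogin
        Credential   = [pscredential]::new($adminLogin, $passwordSecret.SecretValue)
    }
}

# Usage (replace the placeholder with the real SHM AD domain):
#   $info = Get-ShmDcConnectionInfo -ShmId 'prod4' -ShmDomain '<SHM domain>'
#   $info | Select-Object PcName, FriendlyName, AdminLogin
```

When you need the password for the Remote Desktop prompt, read it from `$info.Credential` at that moment rather than storing it in a plain-text variable or file.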

Create a test deployment and practice TRESA tasks

  • Ensure you are set up on the production SHM (prod4) by following the steps above

  • You should now be able to perform all of the TRESA Tasks during a project

  • In particular, we suggest that you practice the following: