.. _access:

.. raw:: html

.. role:: bolditalic
   :class: bolditalic

Access and authentication
=========================

.. contents::
   :local:
   :depth: 2

Logging in
----------

Login: https://validator.net.au/

.. figure:: screenshots/sign_in.png
   :alt: Screenshot of Sign in page
   :width: 35%

   Sign in screen

Requesting and managing access to the Online Validator
------------------------------------------------------

Logicly’s application authentication procedure is designed to align with the Australian Signals Directorate's Protective Security Policy Framework (https://www.protectivesecurity.gov.au/) at OFFICIAL:Sensitive level and requires Multi-Factor Authentication to register and log in to the application.

In order for Logicly to register you for an account, Logicly requires your work email address. Your email address will be used as your login identifier and to communicate with you regarding important events associated with the application, such as updates and scheduled outages.

Once you have been registered, you will need to set up Multi-Factor Authentication in order to use the Online Validator. We have a user guide to help step you through different set-up options: https://docs.logicly.com.au/en/latest/mfa-user-guide/index.html.

We take data security very seriously. For more information about Logicly's approach to security, please visit https://www.logicly.com.au/about/oursecurity/.

Registering for user access
^^^^^^^^^^^^^^^^^^^^^^^^^^^

1. The new user's manager will need to email support@validator.com.au requesting that the new user be registered for an account and confirming which datasets the new user should have access to. If you are unsure who your manager is, please contact support@validator.com.au.
2. If not already provided, Logicly will request an email address associated with an appropriate Australian jurisdiction (i.e. one of the Australian States or Territories or the Australian Government) for the new user.
3. An email containing a link to verify the account will be sent to the new user.
4. The new user will need to follow the instructions in the verification email to begin their registration (please be aware that the access link is only valid for a short period of time). After registration, new users will have access to our Authentication System, but they will not have any functional attributes.
5. The administrators will be notified that the new user has registered and will grant them the correct attributes to access, upload or review the correct file types. A confirmation email will be sent to the new user informing them that they now have access to the Online Validator.

Managing user details
^^^^^^^^^^^^^^^^^^^^^

All users may update their personal details via the :bolditalic:`Manage Details` tab in the Menu Bar at https://auth.logicly.com.au/.

.. figure:: screenshots/manage_account_details.png
   :alt: Screenshot of Account Details Management page
   :width: 80%

   Account Details Management page

Removing a user's access
^^^^^^^^^^^^^^^^^^^^^^^^

Please contact an Administrator via support@validator.com.au to request that user access be removed from the application.

Authentication
--------------

Role-based access is managed by Logicly’s existing Authentication and Authorisation Service (Streuth). Streuth manages the roles a user has, and restricts access accordingly. It also provides self-service maintenance of user details and password changes, and enforces password complexity and password expiration.

Logicly’s authentication system now supports `Multi Factor Authentication (MFA) `_.

.. image:: screenshots/logicly-login-mobile.png
   :alt: Logicly login screen on mobile device
   :width: 25%
   :align: right

MFA is an additional layer of authentication that works by requiring users to provide verification information (via a device they have) in addition to their email address/password (which they know) when logging in. Taken together, these multiple “factors” are used to verify the user.

Logicly’s authentication system supports a variety of additional factors, including:

* Push notifications
* One-time passwords
* Security Keys

For enrolled users, MFA is required each time they log in to a Logicly application.

While there are a variety of MFA apps compatible with our system, instructions are available to guide you through setting up MFA push notifications on your mobile device using either the *Auth0 Guardian* app OR *Microsoft Authenticator*, as these can be responded to on a mobile device without having to enter a code manually.

For those who would prefer not to use an application on their mobile device, hardware security keys such as the `Yubico Security Key `_ may be used as an additional factor.

Roles
-----

Online Validator supports five levels of access. They are Submitter, Reviewer, Acceptor, Exporter and Administrator.

.. _role-submitter:

Submitters
^^^^^^^^^^

Submitters are usually based in the jurisdiction.

Submitters can:

* Upload and review potential submissions
* Share files with users in their jurisdiction, who have access to the dataset
* View file contents and check validation issues
* View resolution codes and comments assigned to individual issues
* If the Submitter has control, they can also:

  * assign issue resolution codes and / or comments to individual issues;
  * assign control of the issue resolution log to the Reviewer; and
  * propose a replacement for the file under review.

.. _role-reviewer:

Reviewers
^^^^^^^^^

Reviewers, Acceptors and Exporters are usually based in the Commonwealth.

Reviewers can:

* View file contents and check for validation issues
* View resolution codes and comments assigned to individual issues
* Record comments against individual issues
* If the Reviewer has control, they can also:

  * attribute the :bolditalic:`Accept` or :bolditalic:`Reject` status to individual issues; and
  * assign control of the issue resolution log to the Submitter.

.. _role-acceptor:

Acceptors
^^^^^^^^^

Acceptors can:

* View file contents and check for validation issues
* View resolution codes and comments assigned to individual issues
* Record comments against individual issues
* Attribute the :bolditalic:`Accept` or :bolditalic:`Reject` status to individual issues
* Assign control of the issue resolution log to the Submitter
* Accept the file

.. _role-exporter:

Exporters
^^^^^^^^^

An Exporter is able to export files; the role is usually given to Reviewers or Acceptors.

.. _role-administrator:

Administrators
^^^^^^^^^^^^^^

Administrators manage the application on behalf of the Department of Health.