Shared Group Account for Cascade

Purpose

Many developers configure Cascade to use their own personal accounts when publishing to their site via SFTP. This can lead to issues when there are multiple developers working on a site and the developer who configured the Cascade transports changes their personal account’s password. This person must then update the configuration for all Cascade transports to use the new password, which can be a problem if that person is no longer working on that site, is on vacation, or is otherwise unable to do so.

As an alternative, Cascade service accounts can be used in place of a developer’s personal account. Since a service account belongs to a team rather than an individual, the password can be managed by any member of that team, making it easier for any team to keep their Cascade publish password updated.

Policies

Cascade service accounts must adhere to Purdue’s account standards and policies. Passwords must be changed at least once every 90 days, as well as whenever a team member leaves the team.

Each service account should be used by a single development team to publish their Cascade project(s).

Passwords should be stored and shared in a secure manner. This includes but is not limited to encrypted password managers, Filelocker, and in-person communication. Passwords must not be stored in plain text. Passwords used for these accounts must meet Purdue’s minimum standards.

Requesting

Cascade service accounts can be requested using the standard Web Services UNIX account request form, after first discussing the need for a service account with Web Services. When filling out the form, the account requestor should select “Shared” rather than “Individual”, but otherwise fill out the form as normal.

Note: These service accounts are only needed for Cascade projects that publish via SFTP. This usually means they are only needed for sites hosted on Linux-based web servers, such as the Primary Purdue Web Cluster (PPWC). Sites that are hosted on Windows-based web servers use a Web Services managed service account for publishing and don’t need a site-specific service account.

Using

Once the service account is created, an initial password will be sent to the account requestor via Filelocker. It is the account requestor’s responsibility to change that password from the default password provided and to share the new password securely with other team members who need to know it. After this is done:

  1. A site developer with sufficient permissions to add or edit transports should log into Cascade as themselves.
  2. Once logged in, select a Cascade project with which this service account is to be used.
  3. From the project’s Administration menu, select Transports.
  4. Click the Edit (pencil) icon next to the Transport to be modified to use this service account.
  5. Change the Username, Password, and Confirm Password to those for the service account.
  6. Click Submit.
  7. Repeat for any other transports for which this account was created.

Note: If you don’t see Username, Password, and Confirm Password fields when editing a transport, the transport is not using SFTP and does not need this service account.

Password Changes

Passwords can be changed by anyone who knows the username and current password as follows:

  1. Inform all developers of sites using the service account that they should cease publishing until these steps are complete.
  2. Visit https://www.purdue.edu/apps/account/ChangePassword in a web browser.

Important: If you are not asked to log in, you are logged in as yourself. Click the Logout button in the upper right, then start over at step 1.

  1. Log in using the service account’s username and password.
  2. Enter the current service account password in the top blank.
  3. Generate a new password for the service account using the criteria found at the bottom of the page. A password vault application is useful here, as most have secure password generators.
  4. Enter the generated password in the next two blanks, as well as into whatever mechanism your team is using to store/share the service account password securely.
  5. Click Change Password.
  6. Follow the steps under Using above to edit all Cascade transports configured to use this service account, updating them to use the new password.

Resetting Passwords

If a service account password has been forgotten, a reset can be requested:

  • The service account owner (the person who originally requested the account) or an authorized user (a developer of a site using the account who also has access to edit the site’s transports in Cascade) may request password resets.
  • Password resets may be requested by clicking the “Forgot your password?” link on any CAS-protected page, such as https://www.purdue.edu/apps/account. They may also be requested directly by calling the CSC (4-4000 or 765-494-4000) or contacting Web Services via email.