Execution of Jobs by Authenticated and Authorized Users
By creating software as a service, we have opened the execution of model runs to the broad public. This means we are considering allowing almost anyone to execute jobs on a government-hosted cloud. Authentication and authorization are intended to limit the ability to run a job to individuals who have been added to a Group and given the Execute Role, which means someone has made the decision to allow the execution.
- Users may include:
  - Federal agency staff
  - State and local floodplain administrators
  - University staff
  - Students
  - General public
- login.gov could be used for authentication – provides high interoperability with other organizations
- User stories:
- Regional Engineer wants to evaluate levee-raising mitigation options, by rerunning an evaluation once per year.
- Front-end website redirects to login.gov, the user authenticates, and login.gov redirects back to the initiating site with a JSON Web Token (JWT)
- County floodplain manager requiring contractors to run everything through FFRD, driving up traffic
- Actuary running calculations on policies-in-force
- Raw coordinates of the property may be considered PII by some.
  - May need to require POST requests to keep the coordinates out of request logs, and also to avoid persisting this information in job logs, etc.
- Potential access roles
  - Model Library read
  - Cloud Compute read
  - Cloud Compute write – write new, vs modify, vs delete
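A sketch of how the Group plus Execute Role rule and the coordinate-handling notes above could fit together in one request handler. This is an added example, not code from the project: the membership store, the role names, the `lat`/`lon` field names and the `submit_job` function are assumptions, and JWT verification is assumed to have happened upstream.

```python
import json

# Hypothetical membership store: verified JWT subject -> group -> roles.
# Role names are assumptions modelled on the access roles listed above.
MEMBERSHIPS = {
    "uuid-regional-engineer": {"levee-study": {"execute", "cloud-compute-read"}},
    "uuid-student": {"levee-study": {"model-library-read"}},
}
PII_FIELDS = {"lat", "lon"}  # assumed field names for raw property coordinates


def can_execute(sub, group):
    """True only if the subject is in the group and holds Execute there."""
    if not isinstance(sub, str) or not isinstance(group, str):
        return False
    return "execute" in MEMBERSHIPS.get(sub, {}).get(group, set())


def redact(params):
    """Copy of the job parameters that is safe to persist in job logs."""
    return {k: "[REDACTED]" if k in PII_FIELDS else v for k, v in params.items()}


def submit_job(method, query, body, claims, job_log):
    """Return (HTTP status, message) for one job request.

    `claims` must come from a JWT whose signature, issuer, audience and
    expiry were already verified; that step is outside this sketch.
    """
    if method != "POST":
        return 405, "jobs are submitted with POST"
    # Query strings end up in access logs, so coordinates go in the body only.
    if PII_FIELDS & set(query):
        return 400, "send coordinates in the request body"
    try:
        params = json.loads(body)
    except json.JSONDecodeError:
        return 400, "body is not valid JSON"
    if not isinstance(params, dict):
        return 400, "body must be a JSON object"
    if not can_execute(claims.get("sub"), params.get("group")):
        return 403, "Execute role required in this group"
    job_log.append({"sub": claims["sub"], "params": redact(params)})
    return 202, "job accepted"
```
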
Review of plugins prior to registration
A review process needs further definition.
Security in Cloud Accounts
Access to storage or compute environments will be managed through AWS secrets or the equivalent for other cloud providers.