Non-gov access to information (Challenge Managers)

[r-bartlett-gsa]

User story

As a security officer, in order to ensure only users with verified identities have access to controlled or sensitive information, I would like to restrict non-government user access, regardless of assigned user role, to submissions and public solvers data.

Acceptance criteria:

• [x] The following applies to challenge manager role
  • [x] If user's email address is not ending in .gov or .mil, the user does not have access to any submissions data (PII & CUI)
  • [x] If user's email address is not ending in .gov or .mil, the user does not have access to any public solvers data (PII & CUI)
• [x] If user is assigned a challenge manager role, but their email address does not end in .gov or .mil, then the originator type designation in security logs is challenge_manager_ng
• [x] Additional AC added 8/27 - A _ng CM can not submit a challenge for approval
• [x] Additional AC added 8/27 - a _ng CM can not create a new challenge.

Note: public solvers with non .gov or .mil accounts continue have access to submissions and public solvers data they inputted into challenge.gov

Definition of Done

Doing (dev team)

• [x] Code complete
• [x] Code is organized appropriately
• [x] Any known trade offs are documented in the associated GH issue
• [x] Code is documented, modules, shared functions, etc.
• [x] Automated testing has been added or updated in response to changes in this PR
• [x] The feature is smoke tested to confirm it meets requirements
• [x] Database changes have been peer reviewed for index changes and performance bottlenecks
• [x] PR that changes or adds UI
  • [x] include a screenshot of the WAVE report for the altered pages
  • [x] Confirm changes were validated for mobile responsiveness
• [x] PR approved / Peer reviewed
• [x] Security scans passed
• [x] Automate accessibility tests passed
• [x] Build process and deployment is automated and repeatable
• [x] Feature toggles if appropriate
• [x] Deploy to staging

• [x] Move card to testing column in the board

  Staging

• [x] Accessibility tested (Marni)
  • [x] Keyboard navigation
  • [x] Focus confirmed
  • [ ] Color contrast compliance
  • [x] Screen reader testing
• [x] Usability testing: mobile and desktop (Tracy or Marni
• [ ] Cross browser testing - UI rendering is performant on below listed devices/browsers (Tracy or Marni) - [ ] Windows/Chrome - [ ] Windows/Edge - [ ] Mac/Chrome - [ ] Mac/Safari - [ ] iOS/Safari
• [ ] AC review (Renata)
• [ ] Deploy to production (production-like environment for eval capability) (dev team)

• [ ] Move to production column in the board

  Production

• [ ] User and security documentation has been reviewed for necessary updates (Renata/Tracy/Dev team)
• [ ] PO / PM approved (Jarah or Renata)
• [ ] AC is met and it works as expected (Jarah or Renata)
• [ ] Move to done column in the board (Jarah or Renata)

[r-bartlett-gsa]

Challenge.gov PII Types

[r-bartlett-gsa]

Split into two stories

[kkrug]

@r-bartlett-gsa @jarahameador Alejandro and I have a question regarding the first piece of Acceptance Criteria. What exactly should the non-gov challenge manager be prevented from seeing? It doesn't look like the the portal shows any PII in each submission outside of what could be attached as part of the submission (which we cannot see the contents of from a coding perspective).

Edit to add answer: Non-gov challenge managers should not be able to view submissions through the portal at all. This includes disabling the 'View Submissions' button and hiding the table of all submissions, as the page with the submissions table is possible to access with a direct URL. These changes will also prevent the challenge manager from downloading submissions.

[jdonis]

New AC's added 8/27 are completed https://docs.google.com/document/d/1oScGqF9NdV6DLQMqUaqN8tEhnGFSqxi3C8VEt_CPjpc/

The new version is already deployed to Staging

[mhotch24]

@jdonis Please let me know login credentials and URL for testing purposes. Thanks!

[jdonis]

@jdonis Please let me know login credentials and URL for testing purposes. Thanks!

@mhotch24

https://challenge-portal-staging.app.cloud.gov/sign-in/new

I just activated your GSA account to sign in to Staging you have admin rights, to test as a non-gov you need to sign in using any other email, the next step is to add that account as a challenge manager.

Please let me know if you have any doubts.

[mhotch24]

@jdonis my account is still pending recertification. Can you approve it or do I need to ask someone else?

[jdonis]

@jdonis my account is still pending recertification. Can you approve it or do I need to ask someone else?

@mhotch24 both accounts done!

[mhotch24]

@jdonis We have a color contrast fail. Please change the table header colors to 'primary-dark' | 'blue-warm-70v' | $theme-color-primary-dark | #1a4480

[TCKapGrp]

@r-bartlett-gsa , a11y test complete. Per convo, bypassing cross browser testing. Now to you for AC testing.

[r-bartlett-gsa]

@jdonis / @TCKapGrp The AC for this user story is not met, and it needs to go back to Doing. As a non-gov CM I am able to access submissions by entering the URLs of submissions list and details pages:

---

Can you please share a screenshot of the security log showing the challenge_manager_ng designation.

---

Does the following AC mean that the non gov challenge manager is not able to submit edits to the challenge?

Additional AC added 8/27 - A _ng CM can not submit a challenge for approval

When I read that AC, I assume it is linked to the AC that does not allow the non-gov CM to create a new challenge and hence is not able to submit the challenge for approval. If that is the case, then the new added AC is met.

However, the message on the portal says this: And that is not true. As a non-gov CM I was able to edit the challenge, and the challenge edits were submitted. That message is not needed, because it is not accurate.

[r-bartlett-gsa]

@kkrug I'm still seeing the same issues on staging:

• As a non-gov challenge manager, I can access the submissions list
• As a non-gov challenge manager, I can access submissions details
• Inaccurate message is displayed on a challenge details page (should be removed)
• In the security log, there are instances where non-gov challenge manager does not have challenge_manager_ng designation: