Kick-off meeting with PI, stakeholders and dev team 2021-10-13

[DavidBeavan]

See collaborative notes hackmd

[DavidBeavan]

Thanks, everone, it was a bit intense and I'm sure we'll be back for clarification. Here's a snap-shot of the doc:

Data Safe Haven Classification App kick-off meeting with PI/stakeholders/dev team

tags: DSH DSHClassApp DataSafeHaven

Infodump

• Overview - this is just this evaluation app bit
• Design doc look out for the flowchart
• Code
• REG GitHub issue

Unanswered questions (subsequently answered on Slack)

• Do we engage in the wider DSH meetings/project? If so, how much time and commitment? e.g. is DB reporting back as product owner I think probably not. I think this makes more sense as a stand-alone spin-off project. Do you agree @martinoreilly and @KirstieJane ? Sure, let’s use the monthly meetings to check that things are aligned. I’ll let Moushka know who to add to the invite list

• What are the PI’s deadlines and promises made to the funder? Funder is Turing core funding. I don’t think we’ve made any explicit promises about the classification app (correct me if I’m wrong here @martinoreilly)

• Are there sync points or milestones for integration with other projects? Integration with UCL bid for Turing 2.0 funding (likely to be successful but not confirmed)

• Any preference from PI on how to run the agile process? No. I’m always interested to see how others run projects though :slightly_smiling_face:

• Any preference on code development? e.g. branching/issues/release/versioning blah. Looks like GitHub flow Up to you. Currently there’s a flow-like development and main branch, but if you prefer a different strategy I think that would be fine too. Once you’ve decided, it might be worth adding some “how to contribute” info in preparation for UCL involvement?

Thoughts/questions for PI / stakeholders on 2021-10-13?

• Ask PI et al for a show and tell
  • See How to Use doc (linky?) on roles
  • App uses Azure Active Directory (AD), each person and each role much have an account in there, which now may not be needed.
    • NEED: simplify what's needed to make an account
      • Captured in issue #308
    • NEED: any authentication changes much still capture the roles ppl have (inc subtle ones, e.g. admin or editor)
      • Captured in issue #332 (Allow classification without requiring an SRE)
  • Recording all project metadata for projects
    • NEED: reliable ID for projects (currently there isn't) or capture existing IDs e.g. programme specific or finance code or REG code
  • Make the UI prettier
    • NEED: review some UX e.g. wall of text and small buttons
    • DECISION: MFA isn't a requirement, if an alternative auth e.g. OAuth was used, then OK
  • Hierarchy of data
    • project -> work package -> datasets. Evaluated at work package level
    • DECISION: how do we deal with potentially elevated tier datasets from linkage (within a work package)
  • Roles
    • Those that exist: system manager (everything inc making users), programme managers (create projects), project managers (assign users, create work package details). Programme managers may likely also be project manager.
      • DECISION: remove "project manager" and assign all project-related actions to "programme manager"
• Review the MVP backlog (see below)
  • tag as acknowledged and ignored
  • @ChristinaLast has added relevant tasks to the new project board from the old project
• We inherit one heck of a github backlog, not all of that relates to the new product desires, so where does our focus go?
  • start new project and transfer relevant tasks over
• What do we do about the PRs parked in GitHub?
  • merge or close
• Agile project coordination?
  • To meet on friday and decide project coordination
  • James is available to meet on fridays
• How much does the PI or other stakeholders want in on our meetings and dev team?
  • James + Jules very up for it!
• in relation to MVP requirement "how to apply [the flowchart questions] to data egress" -> what questions and associated workflow would support this?
  • Answered by james in Egress Usecase (line 70)
• in relation to MVP requirement "ways to bulk import/export/backup the data in the app" -> is this associated with project metadata or the actual project data?
  • both! but these are Nice to have requirements
• Changes to UI as part of MVP?
  • see related tasks in product backlog

MVP product backlog

(from hut23 issue) Classify as: Essential, Important, Nice to have

• Are these the same classifications as emergency, major,minor?

Meta-aim: Make the classification app easier to use by removing friction when: signing-up, logging-in, intuitively using the app & allowing multiple views. Ideally make it easier to do than to argue why not to.

• Essential: authentication changes (decouple from the current Azure AD solution: eg. allow users from other Azure ADs to log in - rather than requiring @turingsafehaven.ac.uk accounts or self sign-up)
• Important: a way to record datasets separately from projects so that we can see where the same dataset is used in multiple places (possibly even deploying an instance of https://github.com/amundsen-io/amundsen for tracking this and plugging into it?). Connected might be reports
• Nice to have: add ability to export reports etc to show projects and datasets and their tiers. Turing DOES NOT currently have unique IDs of datsets.
• Nice to have: clarification/update of the flowchart questions (with legal) to account for (a) what some of them actually mean and (b) how to apply them to data egress
• Important: Remove the documented requirement for the PI to spin up a safe haven to look at the data before classifying. This is currently a big hold-up for Turing projects.
• Nice to have: a way to mark classification as provisional - this could allow the data provider and PI to go through the classification process for a tier-0/tier-1 project without needing to spin up a safe haven for them to look at the data. Aside is is a yes/no/don't know possible? Where don't know is the most conservative answer, and the ned classification prompts the user which questions to better resolve for a fuller classification. If offered a "Dont know" then suggest questions the PI needs to be able to answer to be able to continue with the classification.
• Important: better project views so that programme leads don’t have to see all projects but can restrict by eg. topic area
• Important: better documentation/guided workflows built into the app rather than held as a separate PDF. Could be a sand-box or play one.
• Nice to have: ways to bulk import/export/backup the data in the app
• MVP would be to be able to create separate ingress or egress work packages, with associated questions.
• Nice to have: Notification system - so the PM gets an auto email when the classification is completed, and then maybe the ability for the PM to send a certificate to IT to confirm tier levels. This can be used for both ingress - which SH would be required; and for egress - so that outputs can safely be removed.
• Nice to have: Develop egress related workflow with output dataset post project Usecase: egress to challenge owner after a data study groups (still may need to be uin safe haven), but also with reports (not needed to be in DSH) Egress needs different wording Work to capture derived data and the proejct it associated with
• Nice to have: Not require a data set to be used for every work package/ the option to add in something else e.g a report. Report (e.g. .PDF) and code (e.g. .git) to be uploadable, nameable and describeable through the app Nice to have: Not need us to add the details of the data sets – rathe the Cos can add them to the app directly – to null the need of a ‘data sets’ form.
• Important The ability to edit work packages, users and so on, at the moment once its saved you can edit or remove (lots of confusing duplicates).
• Important: Sort out multiple duplicated names Nice to have: version workflows, let a super admin make them, so classifications are kept against the Qs answered at the time

Important if UCL involved:

• should we include additional questions that would allow us to score a project against other classification systems (eg. NHS or UK Government classifications)?
• should we separate the questions from the business logic (eg. in a clean YAML format) in a way that means we can eg. generate a flow-chart from the questions