Nextcloud Access Policy

This document details the access policy and procedures regarding Nextcloud on the XR Australia Branch server.

Shared Folders

An XRAus Library Folder (owned by ncadmin) will be created. Read-only access will be granted to all users on Nextcloud, with write access provided to the National Working Group circle. This folder would contain the following subfolders:

  • Documentation (IT Platforms, Training resources for SOS, NVDA, etc.)
  • Photos & Media [On Hold] - Awaiting decision to be made by National M&M Working Group. See discussion here
  • Activist Resources (templates, stencils, etc)

An Everyone folder (owned by ncadmin) will be created and shared with the Everyone group (which all users are members of).

A State Folder (owned by ncadmin) will be created for each state and territory and shared with all rebels who belong to the region.

A Temporary (Cleared Weekly) folder (owned by ncadmin) will be created. It will be configured so that files are removed 7 days after being added.

Group Resources

Each group (regional groups (RG), local groups (LG), working groups (WG), interest groups (IG), etc.) will have a group-admin user created for them. This user will own a group folder, a sharing circle and any other shared resources (e.g. calendar). Members of the group will be added to the sharing circle and all resources will be shared with that circle.

To mitigate for power, at least two rebels will need to have access to the group-admin account.

Setting Up Group Accounts

New Local Groups

When a new group forms, the first step is for that group to make themselves known and receive some training from Integration, SOS, and Infrastructure/IT.

This process will be defined elsewhere.

Groups within a Local Group or XR Aus SOS

Requests for setting up new group accounts should come from the group’s super-circle group account. They can be requested by emailing xraus.nextcloud@protonmail.com from the super-circle’s ProtonMail account.

For example:

The Limestone Coast Media and Messaging Working Group sends the following email from their ProtonMail address xrsa.limestonecost.media@protonmail.com to xraus.nextcloud@protonmail.com:

FROM: xrsa.limestonecost.media@protonmail.com
TO: xraus.nextcloud@protonmail.com

The Limestone Coast Media and Messaging Working Group requests a new group account be created for our Social Media Team. limestonecost.socialmedia@protonmail.com

The Tech Champion for this group will be Jo.Blogs@protonmail.com Mattermost handle: @rebeljo

Tech Champions

Each group will need to nominate a Tech Champion (the Internal Coordinator by default). Before granting access they will receive training in how to administer access to the group’s Nextcloud shared files and how to use the group’s ProtonMail email account.

When a new group forms, the Nextcloud Admin must:

  1. If it does not exist, create a new ProtonMail account for the group and ensure that a suitable backup email address is set.
  2. Create a Nextcloud account for group-admin using the ProtonMail account as the email address and the ProtonMail username for the display name & username. This account should have a 5GB quota.
  3. Create a new folder for the group (owned by the group-admin).
  4. Create a new closed circle for the group (owned by the group-admin).
  5. Update the directory of groups (file on Nextcloud shared with admins and XRAus SOS), adding the new group beneath its parent regional group when applicable. The above created email address should be listed as the public contact for the group.
  6. Make ncadmin an admin of the group’s circle (this allows ncadmin to add newly registered users to the circle).
  7. Set up accounts for group users. Make the new group’s nominated Tech Champion an admin of the group’s circle and train them in how to add and remove users from the group’s circle.
  8. Hand over the login details for the group-admin user and the group@protonmail.com email address (if applicable) to the new group’s Tech Champion & Coordinators. The passwords should be changed in the process of handover to remove the Nextcloud Admin’s access.
  9. Remove the shared folder from the ncadmin account (this prevents ncadmin from snooping through files).

Existing Groups

Work must be done in collaboration with National SOS to contact existing groups and record their contact details.

How do rebels get a Nextcloud account?

To request a new account, an individual must contact their respective group coordinators, who are in charge of verifying that a user is a vouched-for member of their group. The group’s Tech Champion (the internal coordinator by default) should email xraus.nextcloud@protonmail.com with an email containing the email addresses of the new members. Nextcloud admins will respond to this email within 5 days.

For example:

FROM: xrsa.limestonecost.socialmedia@protonmail.com
TO: xraus.nextcloud@protonmail.com

The Limestone Coast Media and Messaging Working Group Social Media Team requests a new group account be created for fredrickrebel@protonmail.com.

When a new user is requested, the Nextcloud Admin must:

  1. Verify that the request is from the ProtonMail address for the group-admin.
  2. Create the account using the supplied ProtonMail account as the email address and the ProtonMail username for the display name and username. This will trigger a password reset email being sent to the user. This account should have 0GB quota.
  3. Assign this user to the Everyone group and the appropriate regional/state Nextcloud group.
  4. Add the user to the requesting group’s sharing circle.
  5. Send a follow-up email to the requester notifying them that the account is created, with a reminder link to instructions for administering the membership of their group’s sharing circle.

How do rebels who already have a Nextcloud account join a new group?

Group membership is administered by the Tech Champion for that group.

Group membership is administered by the group’s Tech Champion (Internal Coordinator by default). Access to a group’s files is controlled through Nextcloud Circles.

When an existing user requests access to a group’s files, the Group’s Tech Champion must:

  1. Verify that the user is a member of their group and should be granted access.
  2. Verify the user’s Nextcloud username and email address.
  3. Go to the Circles section of Nextcloud. Find the group’s circle and then add the user to it. Enter the user’s full email address before selecting the account. This will ensure that the correct user is being added and not another user with a similar username.

What happens when a rebel leaves a group?

The Tech Champion should remove the user from the group’s circle.

When a user leaves a group, the Group’s Tech Champion must:

  1. Go to the Circles section of Nextcloud. Find the group’s circle and remove the rebel from the circle.

What happens when a rebel leaves Extinction Rebellion?

If the user has left Extinction Rebellion then contact xraus.nextcloud@protonmail.com and a Nextcloud admin will disable the account. Disabled accounts can be restored at a later date. This can also be requested via email.

The above is a departure from our previous ad-hoc, state-level approach with Nextcloud. We’re hoping it’ll bring some much-needed clarity, allow us to scale up much more efficiently and support groups that do not have tech capacity.

In terms of what’s next, we are/will be:

  • Notifying IT Working Group about these changes.
  • Working with existing state and local groups to migrate over to this new structure. Since SA and WA are already using a similar approach we’re starting there and will then be engaging with the other regional Nextcloud admins one by one.
  • Setting up new groups (most likely starting with AusMM)
  • Preparing documentation and videos for Nextcloud
  • Preparing training resources and recruiting trainers (let us know if you’re interested)

I think that’s everything. Let me know if I’m missing anything @Pirate.

I feel that this thread should be merged with streamlining access to Nextcloud, and the Nextcloud Document should be the Master Copy of the Nextcloud Access Policy.

Here is a short Nextcloud access howto, which summarises some of the policy above: https://cloud.ausrebellion.earth/index.php/s/ZyN5SarGX9DtDer
(Posting it here so it’s easy to find)