update policies

Author: Storce

docs/staff-docs/policies/keycard.md

@@ -22,22 +22,7 @@ Keycard access, once given, can be revoked at the discretion of SMs or GMs.
 
 
 ## After hours policy
-
-Staffers with keycard access to the lab are free to enter and leave as they
-please. In contrast, staffers without keycard access may only be in the lab
-when there is someone with keycard access in the lab as well. More
-specifically, no staffer without keycard access is permitted within the lab if
-there is no one with keycard also within the lab as well. As circumstances may
-result in staffers with keycard having to step out of the lab for short periods
-of time, a general rule of thumb will be that if those with keycard will return
-in a 30 minute time frame, non-keycarded staffers are free to stay.
-
-OCF staffers are permitted to bring in as many guests after hours as is
-considered reasonable. Note that this is not a right, but a privilege and as
-such can be revoked if SMs/GMs feel that guests are being disruptive. Any
-non-staffer in the lab after hours must be logged in the OCF guest sign-in
-sheet, and failure to do so may be considered abuse of keycard privileges.
-
+See Staff Docs -> Procedures -> SUFMO Access -> MOU
 
 ## Abuse of privileges
 

docs/staff-docs/procedures/handoff.md

@@ -0,0 +1,43 @@
+# !!! SM/Root Handoff Guide !!!
+
+## These steps must be followed when on-boarding/off-boarding rootstaff or SMs, or I will be disappointed in you.
+
+
+### On-boarding/off-boarding rootstaff
+
+The following privileges/accounts must be granted when someone is made root, **and taken away/disabled when they are no longer root**.
+
+* /root and /admin Kerberos principals
+* Membership of the ocfroot LDAP group
+	- `kinit you/admin`
+	- `ldapvi cn=ocfroot`
+* Kerberos permissions in the ACL list
+	- `add otherstaffer/admin`
+	- `add otherstaffer/root`
+* 24/7 Keycard Access, and their name on the Emergency after hours list
+* Membership of the root@ Google group to receive technical spam
+* Membership of the workspace-admins@ Google group to enforce physical security token 2fa
+* Super Admin status in Google Workspace
+* "Root" role in the OCF Discord
+* Owner status in the OCF Github
+* A 1password account, membership of the "Owners" group, and access to the root (and really-root?) vaults
+* Their hardware token ssh key added to agenix in the ocf/nix repo
+* Their ssh key added to nix deploy users
+* Membership of the security contact in socreg
+* Panorama access (perhaps this should be SM only?)
+* //TODO anything I missed? 
+
+
+### SM Handoff
+
+The following steps must be taken every time there is a new Site Manager, to ensure proper transfer of accounts.
+
+* All of the above steps if one SM is gaining or losing root.
+* The following should always be held by one of the current SMs, and such should be transferred to an incoming SM if the person who holds it is leaving:
+  * Ownership of the OCF Discord
+  * //TODO i probably forgot a lot of things
+  * Any account that requires a single user to be the owner
+* Additionally, the incoming/outgoing SMs should perform an audit of this list, and ensure that any new/removed manually assigned privileges are reflected here.
+
+meow
+meow (with Brazilian characteristics)

docs/staff-docs/procedures/sufmo-access.md

@@ -0,0 +1,15 @@
+# Afterhour Access
+## MOU with SUFMO:
+https://drive.google.com/drive/search?q=OCF%20SUFMO%20access
+
+## Adding user to access list
+PLEASE READ MOU for updated instructions on how to make changes.
+
+The access list is at: https://docs.google.com/spreadsheets/d/1h1sumblh7tsxqhoZP1lxi-p-7HGpSJjJnC-A4ZbXm3M/edit?gid=214657590#gid=214657590
+
+## Keycard Access
+- Add user to OCF Keycard roster: https://docs.google.com/spreadsheets/d/12kwr-CdhHpV1VzznSNfGx0FaOA8T3YUH0c8jqwftBRs/edit?gid=0#gid=0
+    - MLK OCF Limited is for access to OCF & OCF Storage Room
+    - MLK OCF is MLK OCF Limited + Access to side-doors and server rooms
+- Fill out keycard access form: https://berkeleysa.tfaforms.net/28?tfa_12=Access%20Request
+- Email OCF advisor (Lauren Beal, as of Spring 2026)