I just merged patch https://gerrit.wikimedia.org/r/#/c/243024/ to remove access for user handrade.
It appears that they had no bastion access, but stat and anaytics boxes access (so if one of these has a route to the web without a bastion, it would have been accessible, and therefore make them all accessible.)
I'm not sure if this is a concern or not for analytics, as they worked with this user and would better judge.
| Status | Subtype | Assigned | Task | ||
|---|---|---|---|---|---|
| Resolved | RobH | T114430 audit contractors sheet against cluster access | |||
| Resolved | Ottomata | T114427 removed user handrade from access |
I'm going with the assumption that I should refer all this analytics to @Ottomata for his review or recommendation.
Andrew: Please review the above. I'm not sure if you guys need to worry about potential unauthorized access from this user or not. Either way, it was bad we missed them when they left.
While we are still trying (and failing) to get any kind of official notices from HR regarding departures, perhaps analytics could try to be pro-active and let us know about these contractor endings (since they have private data access.) I'm not demanding it, I have no managerial power, just requesting =]
Uhhhh, I would say that I don't have much info on who accesses these systems. Many people ask for access, managers grant permission, and then opsen give access as part of triage duty. I'm not remembering who handrade was, but it is possible that he was a contractor for some other team. IUNnno!
:)
If you need help figuring out how to give someone the access they need, I am your man. But you don't need my review for all analytics access requests.