
Offboarding script for account handling
Closed, Resolved · Public

Description

Offboarding users should be simpler: provide a generic wrapper script to remove a user from LDAP and Phabricator (either completely, retaining non-privileged groups, or also retaining privileged groups if under NDA).

Event Timeline

I wrote some code (probably under my @Krenair account) a while ago that would look for any intersection between keys allowed in labs and keys allowed in production. It might be useful here.

The cross-validation is already handled via the daily consistency check. I started to work on a quick frontend to add a user to data.yaml, but that doesn't work very well, since loading/modifying/dumping the YAML file messes with the currently hand-crafted YAML data in terms of formatting (and also loses comments). ruamel.yaml is supposed to handle that better, but it didn't make much of a difference either. But since data.yaml is only edited by Ops (and also fairly rarely), that's not really much of an issue either.

The second part of this bug is a generic offboarding script: it queries all the LDAP groups a user is part of and deals with them in three possible ways:

  1. Remove a user from all groups immediately (only used in exceptional cases, e.g. if there's a security concern wrt that user)
  2. Offboard a user and drop him/her from all privileged groups (standard labs group/project memberships are retained)
  3. Offboard a former staff user turned volunteer, retaining also privileged groups, but moving him/her from the wmf to nda group

In addition, there's WIP to add Phabricator support: This will also leave all project memberships intact, but removes the user from privileged groups (such as Security, WMF-NDA) unless the volunteer NDA is signed.
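The three LDAP handling modes listed in the comment above can be sketched as a dry-run planner. This is an added example, not the offboard-user script from puppet.git: the `Mode` names, both function names, the contents of the privileged set, the `example-admins` and `project-example` groups, and the refusal of option 3 for accounts outside `wmf` are all assumptions.

```python
from enum import Enum

class Mode(Enum):
    REMOVE_ALL = 1          # option 1: security concern, drop everything
    DROP_PRIVILEGED = 2     # option 2: keep standard group/project memberships
    STAFF_TO_VOLUNTEER = 3  # option 3: keep privileged groups, wmf -> nda

# Assumption: the privileged set is site policy. "wmf" and "nda" are named in
# the task; "example-admins" is a constructed group name.
PRIVILEGED = frozenset({"wmf", "nda", "example-admins"})

def plan_offboarding(current, mode, privileged=PRIVILEGED):
    """Return a dry-run plan {'remove', 'add', 'final'}; performs no LDAP writes."""
    current = set(current)
    add = set()
    if mode is Mode.REMOVE_ALL:
        remove = set(current)
    elif mode is Mode.DROP_PRIVILEGED:
        remove = current & privileged
    elif mode is Mode.STAFF_TO_VOLUNTEER:
        # Assumption: refuse option 3 for accounts that were never staff.
        if "wmf" not in current:
            raise ValueError("option 3 expects a member of the wmf group")
        remove = {"wmf"}
        add = {"nda"} - current
    else:
        raise ValueError(f"unknown mode: {mode!r}")
    final = (current - remove) | add
    return {"remove": remove, "add": add, "final": final}

def residual_privileged(plan, mode, privileged=PRIVILEGED):
    """Privileged groups the account would still hold that the mode does not allow."""
    if mode is Mode.STAFF_TO_VOLUNTEER:
        return plan["final"] & {"wmf"}    # only wmf must be gone
    return plan["final"] & privileged     # options 1 and 2: none may remain

if __name__ == "__main__":
    sample = {"wmf", "example-admins", "project-example"}  # constructed memberships
    for mode in Mode:
        plan = plan_offboarding(sample, mode)
        leftover = residual_privileged(plan, mode)
        print(mode.name, "remove:", sorted(plan["remove"]), "add:", sorted(plan["add"]),
              "final:", sorted(plan["final"]), "leftover:", sorted(leftover))
```

Running `residual_privileged` on the planned result before any write gives a simple gate: a non-empty set means the plan would leave access the chosen mode does not permit.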

MoritzMuehlenhoff renamed this task from Provide wrapper script for account handling to Offboarding script for account handling. Mar 13 2017, 2:38 PM
MoritzMuehlenhoff claimed this task.
MoritzMuehlenhoff updated the task description.

An offboarding script for LDAP and Phabricator has been added to puppet.git, it's available on terbium as offboard-user. Docs have been updated at
https://office.wikimedia.org/wiki/VerboseOffboard#LDAP_.28also_defines_Nova_permissions.29
https://office.wikimedia.org/wiki/VerboseOffboard#Phabricator