
Offboard Tonina Zhelyazkova from WMF systems
Closed, ResolvedPublic

Description

Tonina Zhelyazkova (Wikitech user: Tonina Zhelyazkova, shell username: tonina) is no longer a WMDE employee as of 2021-10-18. As WMDE Engineering Manager I request offboarding Tonina from WMF systems.

Potentially incomplete list of permissions involved:

  • Remove from wmde LDAP group
  • Remove from nda LDAP group
  • Revoke WMF Analytics Data access (group analytics-privatedata-users)
  • Adjust privileged LDAP access (data.yaml)
  • Revoke +2 Gerrit rights from mediawiki and extensions (Gerrit wmde-mediawiki group)
  • Remove from bastion and tools Cloud VPS projects

We might have missed some additional permissions that the user might have been granted. I'd appreciate it if WMF staff audited that they no longer have any staff-related access to WMF systems.

I'm not requesting disabling of Tonina's Wikitech/Phabricator accounts, yet they might turn out to no longer be accessible. I'll leave the decision on disabling the account to Wikitech and Phabricator admins.

Event Timeline

As the Phab account is bound to a WMDE SUL account I've disabled the Phab account.

removed from "nda" and "wmde" groups in LDAP

Change 731787 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] admin: disable shell access for tonina

https://gerrit.wikimedia.org/r/731787

Change 731787 merged by Dzahn:

[operations/puppet@production] admin: disable shell access for tonina

https://gerrit.wikimedia.org/r/731787

@WMDE-leszek ,re:

I'd appreciate it if WMF staff audited that they no longer have any staff-related access to WMF systems.

[mwmaint1002:~] $ offboard-user -l tonina
User DN: uid=tonina,ou=people,dc=wikimedia,dc=org
Is member of the following unprivileged LDAP groups:
  cn=project-bastion,ou=groups,dc=wikimedia,dc=org (can be retained)
  cn=project-tools,ou=groups,dc=wikimedia,dc=org (can be retained)
Is not a project admin in Nova
Is not a member in any privileged group

analytics-privatedata-users grants access to Hadoop/Hive, check PII leftovers and Hue account.

Skipping Phabricator offboarding, use -p USERNAME to run it at later point
[mwmaint1002:~] $ offboard-user -l tonina
User DN: uid=tonina,ou=people,dc=wikimedia,dc=org
Is member of the following unprivileged LDAP groups:
  cn=project-bastion,ou=groups,dc=wikimedia,dc=org (can be retained)
  cn=project-tools,ou=groups,dc=wikimedia,dc=org (can be retained)
Is not a project admin in Nova
Is not a member in any privileged group
tonina has already been offboarded in modules/admin/data/data.yaml
Hadoop/Hive PII check cannot be performed.
please check a previous revision where `tonina ensure: present`

Skipping Phabricator offboarding, use -p USERNAME to run it at later point
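The membership check that offboard-user performs above (enumerate the user's LDAP groups, flag the privileged ones, leave the project-* ones), as an added example that is not the WMF tool, its code, or anything attached to this task: a self-contained Python script over a constructed LDIF group dump. The privileged/retainable classification, the hypothetical users alice and bob, the ops group and all membership lists are assumptions; only the group names and the uid come from the task. Beyond what the tool output shows, it also emits the ldapmodify records that would revoke the remaining privileged memberships, and it normalises DNs before comparing them so a differently-cased or differently-spaced member value is not missed.

```python
"""Offboarding access audit (added example; not the WMF offboard-user tool).

Reads an LDIF dump of group entries, lists every group a uid still belongs to,
classifies each as privileged / retainable / other, and produces the LDIF
modify records that would remove the privileged memberships.
"""
from __future__ import annotations

from dataclasses import dataclass, field

PEOPLE_BASE = "ou=people,dc=wikimedia,dc=org"
GROUPS_BASE = "ou=groups,dc=wikimedia,dc=org"

# Assumption: LDAP does not know which groups are privileged; the auditor
# supplies that policy. Mirrors the task: nda/wmde/analytics-privatedata-users
# are revoked, project-bastion/project-tools "can be retained".
PRIVILEGED_GROUPS = frozenset({"nda", "wmde", "analytics-privatedata-users"})
RETAINABLE_GROUPS = frozenset({"project-bastion", "project-tools"})

# Constructed sample data (memberships, alice, bob and ops are made up).
# The folded wmde line and the upper-case, space-padded project-tools value are
# deliberate: both are legal LDIF and must still match uid=tonina.
SAMPLE_LDIF = """\
version: 1

dn: cn=nda,ou=groups,dc=wikimedia,dc=org
cn: nda
member: uid=alice,ou=people,dc=wikimedia,dc=org
member: uid=tonina,ou=people,dc=wikimedia,dc=org

dn: cn=wmde,ou=groups,dc=wikimedia,dc=org
cn: wmde
member: uid=tonina,ou=people,
 dc=wikimedia,dc=org

dn: cn=project-bastion,ou=groups,dc=wikimedia,dc=org
cn: project-bastion
member: uid=tonina,ou=people,dc=wikimedia,dc=org
member: uid=bob,ou=people,dc=wikimedia,dc=org

dn: cn=project-tools,ou=groups,dc=wikimedia,dc=org
cn: project-tools
member: uid=TONINA, ou=people, dc=wikimedia, dc=org

dn: cn=ops,ou=groups,dc=wikimedia,dc=org
cn: ops
member: uid=alice,ou=people,dc=wikimedia,dc=org
"""


def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Minimal LDIF reader: unfolds continuation lines (leading space), splits
    records on blank lines, returns one {attribute: [values]} dict per entry."""
    unfolded: list[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries: list[dict[str, list[str]]] = []
    current: dict[str, list[str]] = {}
    for line in unfolded + [""]:  # sentinel flushes the last record
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def normalize_dn(dn: str) -> str:
    """Comparison form: lowercase, no whitespace around RDN separators. A
    simplification of RFC 4514 matching (no escape handling), enough for the
    uid/ou/dc values used here."""
    return ",".join(part.strip() for part in dn.lower().split(","))


@dataclass
class AuditReport:
    uid: str
    privileged: list[str] = field(default_factory=list)
    retainable: list[str] = field(default_factory=list)
    other: list[str] = field(default_factory=list)

    @property
    def fully_offboarded(self) -> bool:
        """No privileged membership left. 'other' is reported, not judged."""
        return not self.privileged


def audit_user(uid: str, ldif_text: str) -> AuditReport:
    """Classify every group in the dump that lists uid as a member."""
    target = normalize_dn(f"uid={uid},{PEOPLE_BASE}")
    report = AuditReport(uid=uid)
    for entry in parse_ldif(ldif_text):
        if target not in {normalize_dn(m) for m in entry.get("member", [])}:
            continue
        cn = entry["cn"][0]
        if cn in PRIVILEGED_GROUPS:
            report.privileged.append(cn)
        elif cn in RETAINABLE_GROUPS:
            report.retainable.append(cn)
        else:
            report.other.append(cn)
    for bucket in (report.privileged, report.retainable, report.other):
        bucket.sort()
    return report


def removal_ldif(uid: str, report: AuditReport) -> str:
    """'changetype: modify' records deleting the member value from each
    remaining privileged group; retainable groups are left alone."""
    member_dn = f"uid={uid},{PEOPLE_BASE}"
    return "\n".join(
        f"dn: cn={cn},{GROUPS_BASE}\nchangetype: modify\n"
        f"delete: member\nmember: {member_dn}\n-\n"
        for cn in report.privileged
    )


if __name__ == "__main__":
    rep = audit_user("tonina", SAMPLE_LDIF)
    print(f"privileged={rep.privileged} retainable={rep.retainable} other={rep.other}")
    print("fully offboarded:", rep.fully_offboarded)
    print(removal_ldif("tonina", rep))
```

Against a real directory you would replace SAMPLE_LDIF with an ldapsearch dump of the groups subtree and review the generated records before handing them to ldapmodify; the point of emitting LDIF rather than writing directly is that the revocation is a reviewable artifact, in the same way the data.yaml change above went through Gerrit.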

@WMDE-leszek Hey, I see https://meta.wikimedia.org/wiki/Special:CentralAuth?target=Tonina%20Zhelyazkova%20(WMDE) has some advanced permissions at wikidata.org and meta -- let me know if you need any help with that. I'm also not sure if WMDE SUL accounts of offboarded employees should be locked -- I can do so if they should be.

Created https://phabricator.wikimedia.org/T293676 for the Data Engineering team to review data in HDFS/stat homes.

@WMDE-leszek Going through your list: LDAP groups removal: done, analytics-privatedata-users removal: done, adjust LDAP access in data.yaml: done, revoke +2, remove from wmde-mediawiki in Gerrit: done, bastion and tools Cloud VPS projects: This is outside the scope of SRE and normal offboarding procedures.

Mentioned in SAL (#wikimedia-operations) [2021-10-18T18:07:30Z] <mutante> gerrit - removed tonina from wmde-mediawiki gerrit group (T293621)

Dzahn triaged this task as High priority.

Thanks for spotting this. I've intended to remove permissions on Wikidata, just didn't get to it soon enough. They're now adjusted.
Removing Tonina's account from central notice admins on Meta is something that also should happen - I don't have permissions to do this.
Same goes for disabling her WMDE SUL account - the process for requesting this seems quite unclear to me.

@Urbanecm if you're able to remove account's CN admin permissions on Meta, and disable the account - I'll greatly appreciate your help.

Many thanks @Dzahn!
For my future request: Do you happen to know what's the preferred procedure for "wiping" the Cloud VPS project access permissions?

SUL account disabled, requested CNA admin permission removal.

For procedure: To disable a SUL account, you need to go to any steward. The canonical request page is https://meta.wikimedia.org/w/index.php?title=SRG. You can also request it via IRC (#wikimedia-stewards), depending on what's more convenient for you. The first pathway usually takes a couple of days (the page is often backlogged), the second one is almost immediate (could come in handy if you need an urgent permission cut).

My guess would be "go to whoever maintains the Cloud VPS project. For Toolforge, tools admins." Alternatively, you could disable their dev account at Wikitech (any Wikitech admin can do so) -- disabled dev accounts shouldn't be able to SSH anywhere.

Since anyone can create an account on Wikitech and there is nothing private in it, I am not sure there is much value in wiping them.

That being said, yea, what Urbanecm said, ask any admin of the relevant cloud VPS project. In all these years I haven't noticed any case of offboarding where this was done though.