Page MenuHomePhabricator

Deactivate fundraising accounts for mshaver
Closed, ResolvedPublic


mshaver is leaving the foundation. Please deactivate her accounts after 2022-06-22

Departing User Procedure / Checklist

When removing a user from the fundraising / fr-tech ecosystem, we have a set
of places where we need to remove accounts and access.


Before we take action to remove a user, we need to verify that they have
departed. This should come as a confirmation from their manager and tracked
as a phabricator ticket.

[x] user_verification

User Data and Processes

Data to be retained
Relates only to data on residing fundraising systems


Processes running under the user's account
Relates only to processes executing on fundraising systems


Accounts and Services

[x] user account
Shell account specifically
[x] account_setup:
    [x] Mark the user as _ensure: 'absent'_ in the users.yaml file.
    [x] Remove the user entries in the group_members.yaml file as appropriate.
    [x] Push out puppet changes.
[x] client_ssl_cert
Provides access to multiple services
 [x] Revoke the cert on frpm1001 using:  ssl_user_admin revoke username
 [x] Check in the updated CRL to puppet-private
 [x] Push out puppet changes.
[x] yubikey
Just covering fundraising systems. ITS handles use of yubikey with any other systems
[x] Remove the user entry in puppet-private/manifests/passwords/yubico.pp
[x] Push out the puppet changes.
[x] ssh
Only related to fundraising systems
[x] Remove ssh public key file from puppet-private/secrets/ssh/default/$username
[x] Push out the puppet changes.
[x] mysql
Requires: useraccount, yubikey, ssh
[x] account_setup
    [x] Mark user as 'remove' => 1, in appropriate grant files
    [x] For cleanliness you can remove user from all rights blocks on dbs.
    [x] Run the grant script to get the grants.
    [x] Copy/paste to execute the grants or run the grants on the appropriate primary db
[x] user_data
    [x] Determine if there are any user specific dbs that need retention
    [-] Archive off any dbs that are no longer needed with expiration set
[x] civicrm
Requires: client_ssl_cert
[x] Change user account to Blocked
[x] Remove from any campaign notifications.
    [x] Check using: mysql drupal -e "select * from wmf_campaigns_campaign;"
    [-] Remove using mysql or
[x] Remove from large donantion notifications.
    [-] Remove using
[x] superset
Requires: client_ssl_cert
[x] account_setup
    [x] Mark user account as inactive
[x] archive_access
    [x] Remove from google drive archive group.
[x] failmail / email lists
fr-tech-failmail (possibly others)
note: mshaver was formerly mnoor, remember to check for both usernames
[x] Production lists
    [x] Remove from list in production private puppet repo
    [x] Push out change
[-] Fail Mail
    [-] grep the puppet repo for instances of the user's account
    [-] Remove instances
    [-] Push out change
[x] civicrm
    [-] Remove from civicrm failmail recipients
[x] jupyter
Requires: useraccount, yubikey, ssh
[-] remove user port mapping in hieradata/hostname/fran1001.yaml
[-] remove user password mapping in manifests/passwords/jupyter.pp
[x] Repository reviewer

Event Timeline

Jgreen updated the task description. (Show Details)
Jgreen updated the task description. (Show Details)
Jgreen moved this task from Triage to In Progress on the fundraising-tech-ops board.
Dwisehaupt claimed this task.
Dwisehaupt updated the task description. (Show Details)
Dwisehaupt moved this task from In Progress to Done on the fundraising-tech-ops board.