mshaver is leaving the foundation. Please deactivate her accounts after 2022-06-22
Departing User Procedure / Checklist
When removing a user from the fundraising / fr-tech ecosystem, we have a set
of places where we need to remove accounts and access.
Before we take action to remove a user, we need to verify that they have
departed. This should come as a confirmation from their manager and be tracked
as a Phabricator ticket.
- access_rights: letter from manager verifying revocation of access
- account name/contact info: removed from https://collab.wikimedia.org/wiki/Fundraising#Contact_List
- attend final day departure party
User Data and Processes
Data to be retained
Relates only to data residing on fundraising systems
Processes running under the user's account
Relates only to processes executing on fundraising systems
Accounts and Services
[x] user account
Shell account specifically
[x] account_setup:
  [x] Mark the user as _ensure: 'absent'_ in the users.yaml file.
  [x] Remove the user entries in the group_members.yaml file as appropriate.
  [x] Push out puppet changes.
Provides access to multiple services
[x] Revoke the cert on frpm1001 using: ssl_user_admin revoke username
[x] Check in the updated CRL to puppet-private
[x] Push out puppet changes.
Just covering fundraising systems. ITS handles use of yubikey with any other systems
[x] Remove the user entry in puppet-private/manifests/passwords/yubico.pp
[x] Push out the puppet changes.
Only related to fundraising systems
[x] Remove ssh public key file from puppet-private/secrets/ssh/default/$username
[x] Push out the puppet changes.
Requires: useraccount, yubikey, ssh
[x] account_setup
  [x] Mark user as 'remove' => 1, in appropriate grant files
  [x] For cleanliness you can remove user from all rights blocks on dbs.
  [x] Run the grant script to get the grants.
  [x] Copy/paste to execute the grants or run the grants on the appropriate primary db
[x] user_data
  [x] Determine if there are any user specific dbs that need retention
  [-] Archive off any dbs that are no longer needed with expiration set
Requires: client_ssl_cert
[x] Change user account to Blocked
[x] Remove from any campaign notifications.
  [x] Check using: mysql drupal -e "select * from wmf_campaigns_campaign;"
  [-] Remove using mysql or https://civicrm.wikimedia.org/admin/config/wmf_campaigns/list
[x] Remove from large donation notifications.
  [-] Remove using https://civicrm.wikimedia.org/admin/config/large_donation/configure
Requires: client_ssl_cert
[x] account_setup
  [x] Mark user account as inactive
[x] archive_access
  [x] Remove from google drive archive group. https://drive.google.com/drive/folders/0ADWGPlZtksGdUk9PVA
[x] failmail / email lists
fr-tech-failmail (possibly others)
note: mshaver was formerly mnoor, remember to check for both usernames
[x] Production lists
  [x] Remove from list in production private puppet repo
  [x] Push out change
[-] Fail Mail
  [-] grep the puppet repo for instances of the user's account
  [-] Remove instances
  [-] Push out change
[x] civicrm
  [-] Remove from civicrm failmail recipients https://civicrm.wikimedia.org/admin/config/wmf_common/configure
Requires: useraccount, yubikey, ssh
[-] remove user port mapping in hieradata/hostname/fran1001.yaml
[-] remove user password mapping in manifests/passwords/jupyter.pp
[x] Repository reviewer
- Remove from the necessary fundraising repos notifications: https://www.mediawiki.org/wiki/Git/Reviewers
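
A post-removal check for the puppet steps in this checklist, as an added example that is not part of the original ticket or the project's tooling: it confirms the account is marked ensure: 'absent' and searches a checkout for leftover references under both the current and the former username. The function names, the repository layout and the shape of users.yaml are assumptions; the grep options are GNU grep's.

```sh
#!/bin/sh
# Added example, not the project's tooling. Repo layout and YAML shape are assumptions.

# content_refs REPO NAME...: whole-word hits for any NAME inside file contents.
# -w keeps "mnoor" from matching a longer name; users.yaml is skipped because
# the entry stays there, marked ensure: 'absent'.
content_refs() (
    repo=$1; shift
    printf '%s\n' "$@" |
        grep -rnwF --exclude=users.yaml --exclude-dir=.git -f - "$repo" || true
)

# path_refs REPO NAME...: files named after the user, e.g. a per-user ssh key file.
path_refs() (
    repo=$1; shift
    for n in "$@"; do
        find "$repo" -name .git -prune -o -type f -name "$n" -print
    done
)

# marked_absent USERS_YAML NAME: succeeds only if NAME's block sets ensure to absent.
# Assumes each user is a top-level "name:" key followed by indented attributes.
marked_absent() {
    awk -v u="$2" '
        /^[^ \t#]/ { in_user = ($0 == (u ":")) }
        in_user && /^[ \t]+ensure:[ \t]*.?absent.?[ \t]*$/ { found = 1 }
        END { exit !found }' "$1"
}

# audit REPO USERS_YAML ACCOUNT [FORMER_NAME...]: prints findings, succeeds when clean.
audit() (
    repo=$1 yaml=$2 status=0
    shift 2
    if ! marked_absent "$yaml" "$1"; then
        echo "NOT ABSENT: $1 in $yaml"
        status=1
    fi
    hits=$(content_refs "$repo" "$@"; path_refs "$repo" "$@")
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits" | sed 's/^/LEFTOVER: /'
        status=1
    fi
    [ "$status" -eq 0 ]
)
```

Called as audit CHECKOUT PATH/TO/users.yaml mshaver mnoor, it exits non-zero while any reference remains, so it can gate closing the ticket.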