@bd808 mentioned that some features of Mediawiki (in particular meta.wikimedia.org) provide useful functionality to the IDM as well:
- IP range block checking via action=query&list=blocks is used to provide a small degree of protection against known abusers. This check also includes global blocks which have been created by Stewards.
- User name allowed checking via action=query&list=users&usprop=cancreate. This checks against the local MediaWiki:Titleblacklist which we mostly use reserve the names of various system level accounts. Additionally the cross-wiki meta:Title blacklist is checked. The API call also invokes the protections of mw:Extension:AntiSpoof which are largely unnecessary for shell account names due to their ascii charset restrictions, but which may be useful for cn or sn attributes depending on how they are expected to be used in the resulting dataset. For currently existing developer accounts both cn and sn (should) contain the same value which is also known as the developer account's "username". This attribute is commonly used by wikitech as the wiki account username as well as being used in Gerrit, Phabricator, Horizon, Striker, and some other LDAP backed authn as the account name for authentication.
We should consider the best way to incorporate these data sources into the IDM. IP range checks might also be useful for other services in production besides the IDM.