Deactivate fundraising accounts for dmorgan
Open, Needs Triage, Public

Description

Departing User Procedure / Checklist

When removing a user from the fundraising / fr-tech ecosystem, we have a set of places where we need to remove accounts and access.

Prerequisites

Before we take action to remove a user, we need to verify that they have departed. This should come as a confirmation from their manager and be tracked as a Phabricator ticket.

[x] user_verification

User Data and Processes

Data to be retained
Relates only to data residing on fundraising systems
[] Identify any data the user has created or used that needs to be retained. This may affect account removal but should not affect deactivation.
[] Archive off any data that should be retained
[] Remove other data associated with the user (i.e., scratch databases, etc.)
Processes running under the user's account
Relates only to processes executing on fundraising systems
[] Identify any business essential processes running as the user
[] Identify any business essential processes running from within the user's data locations (i.e., homedir scripts, cron jobs, etc.)
[] Transfer any business essential processes to a new user or service account
[] Remove any cronjobs or ongoing process executions tied to the user

Accounts and Services

[x] user account
Shell account specifically
[-] account_setup:
    [-] Mark the user as _ensure: 'absent'_ in the users.yaml file.
    [-] Remove the user entries in the group_members.yaml file as appropriate.
    [-] Push out puppet changes.
    [-] Remove the user principal from kerberos as appropriate.
[x] client_ssl_cert
Provides access to multiple services
[x] Revoke the cert on frpm1001 using: ssl_user_admin revoke username
[x] Check in the updated CRL to puppet-private
[x] Push out puppet changes.
[x] yubikey
Requires: useraccount
Just covering fundraising systems. ITS handles use of yubikey with any other systems
[-] Remove the user entry in puppet-private/manifests/passwords/yubico.pp
[-] Push out the puppet changes.
[x] ssh
Only related to fundraising systems
Requires: useraccount, yubikey
[-] Remove ssh public key file from puppet-private/secrets/ssh/default/$username
[-] Push out the puppet changes.
[x] mysql
Requires: useraccount, yubikey, ssh
[-] account_setup
    [-] Mark user as 'remove' => 1, in appropriate grant files
    [-] For cleanliness you can remove user from all rights blocks on dbs.
    [-] Run the grant script to get the grants.
    [-] Copy/paste to execute the grants or run the grants on the appropriate primary db
[-] user_data
    [-] Determine if there are any user specific dbs that need retention
    [-] Archive off any dbs that are no longer needed with expiration set
[x] civicrm
Requires: client_ssl_cert
[x] Change user account to Blocked
[-] Remove from any campaign notifications.
    [-] Check using: mysql drupal -e "select * from wmf_campaigns_campaign;"
    [-] Remove using mysql or https://civicrm.wikimedia.org/admin/config/wmf_campaigns/list
[-] Remove from large donation notifications.
    [-] Remove using https://civicrm.wikimedia.org/admin/config/large_donation/configure
[-] superset
Requires: client_ssl_cert
[-] account_setup
    [-] Mark user account as inactive
[-] archive_access
    [-] Remove from google drive archive group. https://drive.google.com/drive/folders/0ADWGPlZtksGdUk9PVA
[x] failmail / email lists
[-] jupyter
Requires: useraccount, yubikey, ssh
[-] remove user port mapping in hieradata/hostname/fran1001.yaml
[-] remove user password mapping in manifests/passwords/jupyter.pp
[x] Repository reviewer
[] Payment processor console accounts
Some processors have multiple consoles
[] acoustic
[x] adyen
[x] apple
[x] braintree
[x] dlocal
[x] ingenico
[x] paypal