Page MenuHomePhabricator

Deactivate fundraising accounts for dbu
Open, Needs TriagePublic


Departing User Procedure / Checklist

When removing a user from the fundraising / fr-tech ecosystem, we have a set of places where we need to remove accounts and access.


Before we take action to remove a user, we need to verify that they have departed. This should come as a confirmation from their manager and tracked as a phabricator ticket.

[x] user_verification

User Data and Processes

Data to be retained
Relates only to data on residing fundraising systems
[] Identify any data the user has created or used that needs to be retained. This may affect account removal but should not affect deactivation.
[] Archive off any data that should be retained
[] Remove other data associated with the user (ie, scratch databases, etc)
Processes running under the user's account
Relates only to processes executing on fundraising systems
[-] Identify any business essential processes running as the user
[-] Identify any business essential processes running from within the user's data locations (ie homedir scripts, cron jobs, etc.)
[-] Transfer any business essential processes to a new user or service account
[-] Remove any cronjobs or ongoing process executions tied to the user

Accounts and Services

[-] user account
Shell account specifically
[-] account_setup:
    [-] Mark the user as _ensure: 'absent'_ in the users.yaml file.
    [-] Remove the user entries in the group_members.yaml file as appropriate.
    [-] Push out puppet changes.
    [-] Remove the user principal from kerberos as appropriate.
[x] client_ssl_cert
Provides access to multiple services
[x] Revoke the cert on frpm1001 using:  ssl_user_admin revoke username
[x] Check in the updated CRL to puppet-private
[x] Push out puppet changes.
[-] yubikey
Requires: useraccount
Just covering fundraising systems. ITS handles use of yubikey with any other systems
[-] Remove the user entry in puppet-private/manifests/passwords/yubico.pp
[-] Push out the puppet changes.
[-] ssh
Only related to fundraising systems
Requires: useraccount, yubikey
[-] Remove ssh public key file from puppet-private/secrets/ssh/default/$username
[-] Push out the puppet changes.
[-] mysql
Requires: useraccount, yubikey, ssh
[-] account_setup
    [-] Mark user as 'remove' => 1, in appropriate grant files
    [-] For cleanliness you can remove user from all rights blocks on dbs.
    [-] Run the grant script to get the grants.
    [-] Copy/paste to execute the grants or run the grants on the appropriate primary db
[-] user_data
    [-] Determine if there are any user specific dbs that need retention
    [-] Archive off any dbs that are no longer needed with expiration set
[x] civicrm
Requires: client_ssl_cert
[x] Change user account to Blocked
[x] Remove from any campaign notifications.
    [x] Check using: mysql drupal -e "select * from wmf_campaigns_campaign;"
    [x] Remove using mysql or
[-] Remove from large donantion notifications.
    [-] Remove using
[x] superset
Requires: client_ssl_cert
[x] account_setup
    [x] Mark user account as inactive
[x] archive_access
    [x] Remove from google drive archive group.
[] failmail / email lists
fr-tech-failmail (possibly others)
[] Production lists
    [] Remove from list in production private puppet repo
    [] Push out change
[] Fail Mail
    [] grep the puppet repo for instances of the user's account
    [] Remove instances
    [] Push out change
[] civicrm
    [] Remove from civicrm failmail recipients
[-] jupyter
Requires: useraccount, yubikey, ssh
[-] remove user port mapping in hieradata/hostname/fran1001.yaml
[-] remove user password mapping in manifests/passwords/jupyter.pp
[-] Repository reviewer
[] Payment processor console accounts
Some processors have multiple consoles
[] acoustic
[x] adyen
[x] apple
[x] braintree
[x] dlocal
[x] ingenico
[x] paypal

Event Timeline

Removed from ThankYouEmail campaign notification but there are no other users on that notification. Just noting in case it is needed.