Change Details

mshaver is leaving the foundation. Please deactivate her accounts after 2022-06-22 --- == Departing User Procedure / Checklist == When removing a user from the fundraising / fr-tech ecosystem, we have a set of places where we need to remove accounts and access. === Prerequisites === Before we take action to remove a user, we need to verify that they have departed. This should come as a confirmation from their manager and tracked as a phabricator ticket. ==== [ ] user_verification ==== [ ] access_rights: letter from manager verifying revocation of access [ ] account name/contact info: removed from https://collab.wikimedia.org/wiki/Fundraising#Contact_List [x] attend final day departure party === User Data and Processes=== ==== Data to be retained ==== Relates only to data on residing fundraising systems [ ] Identify any data the user has created or used that needs to be retained. This may affect account removal but should not affect deactivation. [ ] Archive off any data that should be retained [ ] Remove other data associated with the user (ie, scratch databases, etc) ==== Processes running under the user's account ==== Relates only to processes executing on fundraising systems [ ] Identify any business essential processes running as the user [ ] Identify any business essential processes running from within the user's data locations (ie homedir scripts, cron jobs, etc.) [ ] Transfer any business essential processes to a new user or service account [ ] Remove any cronjobs or ongoing process executions tied to the user === Accounts and Services === ==== [ ] user account ==== Shell account specifically [x] account_setup: [x] Mark the user as _ensure: 'absent'_ in the users.yaml file. [x] Remove the user entries in the group_members.yaml file as appropriate. [x] Push out puppet changes. ==== [x] client_ssl_cert ==== Provides access to multiple services [x] Revoke the cert on frpm1001 using: ssl_user_admin revoke username [x] Check in the updated CRL to puppet-private [x] Push out puppet changes. ==== [x] yubikey ==== Just covering fundraising systems. ITS handles use of yubikey with any other systems [x] Remove the user entry in puppet-private/manifests/passwords/yubico.pp [x] Push out the puppet changes. ==== [x] ssh ==== Only related to fundraising systems [x] Remove ssh public key file from puppet-private/secrets/ssh/default/$username [x] Push out the puppet changes. ==== [ ] mysql ==== Requires: useraccount, yubikey, ssh [ ] account_setup [ ] Mark user as 'remove' => 1, in appropriate grant files [ ] For cleanliness you can remove user from all rights blocks on dbs. [ ] Run the grant script to get the grants. [ ] Copy/paste to execute the grants or run the grants on the appropriate primary db [ ] user_data [ ] Determine if there are any user specific dbs that need retention [ ] Archive off any dbs that are no longer needed with expiration set ==== [ ] civicrm ==== Requires: client_ssl_cert [ ] Change user account to Blocked [ ] Remove from any campaign notifications. [ ] Check using: mysql drupal -e "select * from wmf_campaigns_campaign;" [ ] Remove using mysql or https://civicrm.wikimedia.org/admin/config/wmf_campaigns/list [ ] Remove from large donantion notifications. [ ] Remove using https://civicrm.wikimedia.org/admin/config/large_donation/configure ==== [ ] superset ==== Requires: client_ssl_cert [ ] account_setup [ ] Mark user account as inactive [ ] archive_access [ ] Remove from google drive archive group. https://drive.google.com/drive/folders/0ADWGPlZtksGdUk9PVA ==== [ ] failmail / email lists ==== fr-tech-failmail (possibly others) note: mshaver was formerly mnoor, remember to check for both usernames [x] Production lists [x] Remove from list in production private puppet repo [x] Push out change [ ] Fail Mail [ ] grep the puppet repo for instances of the user's account [ ] Remove instances [ ] Push out change [ ] civicrm [ ] Remove from civicrm failmail recipients https://civicrm.wikimedia.org/admin/config/wmf_common/configure ==== [ ] jupyter ==== Requires: useraccount, yubikey, ssh [ ] remove user port mapping in hieradata/hostname/fran1001.yaml [ ] remove user password mapping in manifests/passwords/jupyter.pp ==== [ ] Repository reviewer ==== [ ] Remove from the necessary fundraising repos notifications: https://www.mediawiki.org/wiki/Git/Reviewers

mshaver is leaving the foundation. Please deactivate her accounts after 2022-06-22 --- == Departing User Procedure / Checklist == When removing a user from the fundraising / fr-tech ecosystem, we have a set of places where we need to remove accounts and access. === Prerequisites === Before we take action to remove a user, we need to verify that they have departed. This should come as a confirmation from their manager and tracked as a phabricator ticket. ==== [ ] user_verification ==== [ ] access_rights: letter from manager verifying revocation of access [ ] account name/contact info: removed from https://collab.wikimedia.org/wiki/Fundraising#Contact_List [x] attend final day departure party === User Data and Processes=== ==== Data to be retained ==== Relates only to data on residing fundraising systems [ ] Identify any data the user has created or used that needs to be retained. This may affect account removal but should not affect deactivation. [ ] Archive off any data that should be retained [ ] Remove other data associated with the user (ie, scratch databases, etc) ==== Processes running under the user's account ==== Relates only to processes executing on fundraising systems [ ] Identify any business essential processes running as the user [ ] Identify any business essential processes running from within the user's data locations (ie homedir scripts, cron jobs, etc.) [ ] Transfer any business essential processes to a new user or service account [ ] Remove any cronjobs or ongoing process executions tied to the user === Accounts and Services === ==== [ ] user account ==== Shell account specifically [x] account_setup: [x] Mark the user as _ensure: 'absent'_ in the users.yaml file. [x] Remove the user entries in the group_members.yaml file as appropriate. [x] Push out puppet changes. ==== [x] client_ssl_cert ==== Provides access to multiple services [x] Revoke the cert on frpm1001 using: ssl_user_admin revoke username [x] Check in the updated CRL to puppet-private [x] Push out puppet changes. ==== [x] yubikey ==== Just covering fundraising systems. ITS handles use of yubikey with any other systems [x] Remove the user entry in puppet-private/manifests/passwords/yubico.pp [x] Push out the puppet changes. ==== [x] ssh ==== Only related to fundraising systems [x] Remove ssh public key file from puppet-private/secrets/ssh/default/$username [x] Push out the puppet changes. ==== [ ] mysql ==== Requires: useraccount, yubikey, ssh [ ] account_setup [ ] Mark user as 'remove' => 1, in appropriate grant files [ ] For cleanliness you can remove user from all rights blocks on dbs. [ ] Run the grant script to get the grants. [ ] Copy/paste to execute the grants or run the grants on the appropriate primary db [ ] user_data [ ] Determine if there are any user specific dbs that need retention [ ] Archive off any dbs that are no longer needed with expiration set ==== [ ] civicrm ==== Requires: client_ssl_cert [ ] Change user account to Blocked [ ] Remove from any campaign notifications. [ ] Check using: mysql drupal -e "select * from wmf_campaigns_campaign;" [ ] Remove using mysql or https://civicrm.wikimedia.org/admin/config/wmf_campaigns/list [ ] Remove from large donantion notifications. [ ] Remove using https://civicrm.wikimedia.org/admin/config/large_donation/configure ==== [ ] superset ==== Requires: client_ssl_cert [ ] account_setup [ ] Mark user account as inactive [ ] archive_access [ ] Remove from google drive archive group. https://drive.google.com/drive/folders/0ADWGPlZtksGdUk9PVA ==== [ ] failmail / email lists ==== fr-tech-failmail (possibly others) note: mshaver was formerly mnoor, remember to check for both usernames [x] Production lists [x] Remove from list in production private puppet repo [x] Push out change [-] Fail Mail [-] grep the puppet repo for instances of the user's account [-] Remove instances [-] Push out change [ ] civicrm [ ] Remove from civicrm failmail recipients https://civicrm.wikimedia.org/admin/config/wmf_common/configure ==== [ ] jupyter ==== Requires: useraccount, yubikey, ssh [ ] remove user port mapping in hieradata/hostname/fran1001.yaml [ ] remove user password mapping in manifests/passwords/jupyter.pp ==== [ ] Repository reviewer ==== [ ] Remove from the necessary fundraising repos notifications: https://www.mediawiki.org/wiki/Git/Reviewers

mshaver is leaving the foundation. Please deactivate her accounts after 2022-06-22 --- == Departing User Procedure / Checklist == When removing a user from the fundraising / fr-tech ecosystem, we have a set of places where we need to remove accounts and access. === Prerequisites === Before we take action to remove a user, we need to verify that they have departed. This should come as a confirmation from their manager and tracked as a phabricator ticket. ==== [ ] user_verification ==== [ ] access_rights: letter from manager verifying revocation of access [ ] account name/contact info: removed from https://collab.wikimedia.org/wiki/Fundraising#Contact_List [x] attend final day departure party === User Data and Processes=== ==== Data to be retained ==== Relates only to data on residing fundraising systems [ ] Identify any data the user has created or used that needs to be retained. This may affect account removal but should not affect deactivation. [ ] Archive off any data that should be retained [ ] Remove other data associated with the user (ie, scratch databases, etc) ==== Processes running under the user's account ==== Relates only to processes executing on fundraising systems [ ] Identify any business essential processes running as the user [ ] Identify any business essential processes running from within the user's data locations (ie homedir scripts, cron jobs, etc.) [ ] Transfer any business essential processes to a new user or service account [ ] Remove any cronjobs or ongoing process executions tied to the user === Accounts and Services === ==== [ ] user account ==== Shell account specifically [x] account_setup: [x] Mark the user as _ensure: 'absent'_ in the users.yaml file. [x] Remove the user entries in the group_members.yaml file as appropriate. [x] Push out puppet changes. ==== [x] client_ssl_cert ==== Provides access to multiple services [x] Revoke the cert on frpm1001 using: ssl_user_admin revoke username [x] Check in the updated CRL to puppet-private [x] Push out puppet changes. ==== [x] yubikey ==== Just covering fundraising systems. ITS handles use of yubikey with any other systems [x] Remove the user entry in puppet-private/manifests/passwords/yubico.pp [x] Push out the puppet changes. ==== [x] ssh ==== Only related to fundraising systems [x] Remove ssh public key file from puppet-private/secrets/ssh/default/$username [x] Push out the puppet changes. ==== [ ] mysql ==== Requires: useraccount, yubikey, ssh [ ] account_setup [ ] Mark user as 'remove' => 1, in appropriate grant files [ ] For cleanliness you can remove user from all rights blocks on dbs. [ ] Run the grant script to get the grants. [ ] Copy/paste to execute the grants or run the grants on the appropriate primary db [ ] user_data [ ] Determine if there are any user specific dbs that need retention [ ] Archive off any dbs that are no longer needed with expiration set ==== [ ] civicrm ==== Requires: client_ssl_cert [ ] Change user account to Blocked [ ] Remove from any campaign notifications. [ ] Check using: mysql drupal -e "select * from wmf_campaigns_campaign;" [ ] Remove using mysql or https://civicrm.wikimedia.org/admin/config/wmf_campaigns/list [ ] Remove from large donantion notifications. [ ] Remove using https://civicrm.wikimedia.org/admin/config/large_donation/configure ==== [ ] superset ==== Requires: client_ssl_cert [ ] account_setup [ ] Mark user account as inactive [ ] archive_access [ ] Remove from google drive archive group. https://drive.google.com/drive/folders/0ADWGPlZtksGdUk9PVA ==== [ ] failmail / email lists ==== fr-tech-failmail (possibly others) note: mshaver was formerly mnoor, remember to check for both usernames [x] Production lists [x] Remove from list in production private puppet repo [x] Push out change [ -] Fail Mail [ -] grep the puppet repo for instances of the user's account [ -] Remove instances [ -] Push out change [ ] civicrm [ ] Remove from civicrm failmail recipients https://civicrm.wikimedia.org/admin/config/wmf_common/configure ==== [ ] jupyter ==== Requires: useraccount, yubikey, ssh [ ] remove user port mapping in hieradata/hostname/fran1001.yaml [ ] remove user password mapping in manifests/passwords/jupyter.pp ==== [ ] Repository reviewer ==== [ ] Remove from the necessary fundraising repos notifications: https://www.mediawiki.org/wiki/Git/Reviewers