mshaver is leaving the foundation. Please deactivate her accounts after 2022-06-22
---
== Departing User Procedure / Checklist ==
When removing a user from the fundraising / fr-tech ecosystem, we have a set
of places where we need to remove accounts and access.
=== Prerequisites ===
Before we take action to remove a user, we need to verify that they have
departed. This should come as a confirmation from their manager and be tracked
as a Phabricator ticket.
==== [ ] user_verification ====
[ ] access_rights: letter from manager verifying revocation of access
[ ] account name/contact info: removed from https://collab.wikimedia.org/wiki/Fundraising#Contact_List
[x] attend final day departure party
=== User Data and Processes ===
==== Data to be retained ====
Relates only to data residing on fundraising systems
[ ] Identify any data the user has created or used that needs to be retained. This may affect account removal but should not affect deactivation.
[ ] Archive off any data that should be retained
[ ] Remove other data associated with the user (e.g., scratch databases)
==== Processes running under the user's account ====
Relates only to processes executing on fundraising systems
[ ] Identify any business essential processes running as the user
[ ] Identify any business essential processes running from within the user's data locations (e.g., homedir scripts, cron jobs)
[ ] Transfer any business essential processes to a new user or service account
[ ] Remove any cronjobs or ongoing process executions tied to the user
=== Accounts and Services ===
==== [ ] user account ====
Shell account specifically
[x] account_setup:
[x] Mark the user as _ensure: 'absent'_ in the users.yaml file.
[x] Remove the user entries in the group_members.yaml file as appropriate.
[x] Push out puppet changes.
==== [x] client_ssl_cert ====
Provides access to multiple services
[x] Revoke the cert on frpm1001 using: ssl_user_admin revoke username
[x] Check in the updated CRL to puppet-private
[x] Push out puppet changes.
==== [x] yubikey ====
Just covering fundraising systems. ITS handles use of yubikey with any other systems.
[x] Remove the user entry in puppet-private/manifests/passwords/yubico.pp
[x] Push out the puppet changes.
==== [x] ssh ====
Only related to fundraising systems
[x] Remove ssh public key file from puppet-private/secrets/ssh/default/$username
[x] Push out the puppet changes.
==== [ ] mysql ====
Requires: useraccount, yubikey, ssh
[ ] account_setup
[ ] Mark user as 'remove' => 1, in appropriate grant files
[ ] For cleanliness you can remove user from all rights blocks on dbs.
[ ] Run the grant script to get the grants.
[ ] Copy/paste to execute the grants or run the grants on the appropriate primary db
[ ] user_data
[ ] Determine if there are any user specific dbs that need retention
[ ] Archive off any dbs that are no longer needed with expiration set
==== [ ] civicrm ====
Requires: client_ssl_cert
[ ] Change user account to Blocked
[ ] Remove from any campaign notifications.
[ ] Check using: mysql drupal -e "select * from wmf_campaigns_campaign;"
[ ] Remove using mysql or https://civicrm.wikimedia.org/admin/config/wmf_campaigns/list
[ ] Remove from large donation notifications.
[ ] Remove using https://civicrm.wikimedia.org/admin/config/large_donation/configure
==== [ ] superset ====
Requires: client_ssl_cert
[ ] account_setup
[ ] Mark user account as inactive
[ ] archive_access
[ ] Remove from google drive archive group. https://drive.google.com/drive/folders/0ADWGPlZtksGdUk9PVA
==== [ ] failmail / email lists ====
fr-tech-failmail (possibly others)
Note: mshaver was formerly mnoor; remember to check for both usernames.
[x] Production lists
[x] Remove from list in production private puppet repo
[x] Push out change
[ ] Fail Mail
[ ] grep the puppet repo for instances of the user's account
[ ] Remove instances
[ ] Push out change
[ ] civicrm
[ ] Remove from civicrm failmail recipients
https://civicrm.wikimedia.org/admin/config/wmf_common/configure
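
One way to run the grep step above so that it covers both the current and the former username, and also catches files named after the account (such as the per-user ssh key file). This is an added example, not fr-tech tooling; the function names and the sample checkout layout and contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a puppet checkout for leftover references to a
# departing account under every username the person has used.

# audit_account_refs REPO NAME [FORMER_NAME ...]
# Prints one line per leftover; returns 0 when clean, 1 when anything remains.
audit_account_refs() (
    repo=$1
    shift
    report=$(
        for name in "$@"; do
            # File contents: -F literal string, -w whole word only (so "mnoor"
            # does not match "mnoorani"), -I skip binaries, -n line numbers.
            grep -rnIwF --exclude-dir=.git -- "$name" "$repo" |
                sed 's/^/content: /'
            # Files named exactly after the account, e.g. an ssh public key.
            find "$repo" -name .git -prune -o -type f -name "$name" -print |
                sed 's/^/filename: /'
        done
    )
    if [ -z "$report" ]; then
        exit 0
    fi
    printf '%s\n' "$report"
    exit 1
)

# make_sample_checkout DIR
# Builds a small CONSTRUCTED tree to try the audit on; paths other than
# secrets/ssh/default/<username> and all file contents are made up.
make_sample_checkout() {
    mkdir -p "$1/secrets/ssh/default" "$1/files"
    # Key file still present under the former username.
    printf 'ssh-ed25519 AAAA-constructed-key\n' > "$1/secrets/ssh/default/mnoor"
    # Mail alias still listing the current username.
    printf 'fr-tech-failmail: exampleuser, mshaver\n' > "$1/files/aliases.example"
    # A different account whose name merely starts with "mnoor": must not match.
    printf 'owner: mnoorani\n' > "$1/files/unrelated.example"
}
```

Run it as `audit_account_refs /path/to/checkout mshaver mnoor` after the puppet changes are committed; a non-zero exit means some reference is still present.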
==== [ ] jupyter ====
Requires: useraccount, yubikey, ssh
[ ] remove user port mapping in hieradata/hostname/fran1001.yaml
[ ] remove user password mapping in manifests/passwords/jupyter.pp
==== [ ] Repository reviewer ====
[ ] Remove from the necessary fundraising repos notifications: https://www.mediawiki.org/wiki/Git/Reviewers