
Fundraising/techops/procedures/users-departing user offboarding checklist

From Wikitech

Departing User Procedure / Checklist

When removing a user from the fundraising / fr-tech ecosystem, we have a set of places where we need to remove accounts and access.

Prerequisites

Before we take action to remove a user, we need to verify that they have departed. This should come as a confirmation from their manager and be tracked as a Phabricator ticket.

[ ] user_verification

   [ ] access_rights: letter from manager verifying revocation of access or ITS Okta offboarding email
   [ ] account name/contact info: removed from https://collab.wikimedia.org/wiki/Fundraising#Contact_List

User Data and Processes

Data to be retained

  Relates only to data residing on fundraising systems
  [ ] Identify any data the user has created or used that needs to be retained. This may affect account removal but should not affect deactivation.
  [ ] Archive off any data that should be retained
  [ ] Remove other data associated with the user (i.e., scratch databases, etc.)

Processes running under the user's account

  Relates only to processes executing on fundraising systems
  [ ] Identify any business essential processes running as the user
  [ ] Identify any business essential processes running from within the user's data locations (i.e., homedir scripts, cron jobs, etc.)
  [ ] Transfer any business essential processes to a new user or service account
  [ ] Remove any cronjobs or ongoing process executions tied to the user

Accounts and Services

[ ] user account

   Shell account specifically
   [ ] account_setup:
       [ ] Mark the user as ensure: 'absent' in the users.yaml file.
       [ ] Remove the user entries in the group_members.yaml file as appropriate.
       [ ] Push out puppet changes.
       [ ] Remove the user principal from kerberos as appropriate.

[ ] client_ssl_cert

  Provides access to multiple services
   [ ] Revoke the cert on frpm1001 using: ssl_user_admin revoke username
   [ ] Check in the updated CRL to puppet-private
   [ ] Push out puppet changes.

[ ] yubikey

   Just covering fundraising systems. ITS handles use of yubikey with any other systems
   [ ] Remove the user entry in puppet-private/manifests/passwords/yubico.pp
   [ ] Push out the puppet changes.

[ ] ssh

   Only related to fundraising systems
   [ ] Remove ssh public key file from puppet-private/secrets/ssh/default/$username
   [ ] Push out the puppet changes.

[ ] mysql

   Requires: user account, yubikey, ssh
   [ ] account_setup
       [ ] Mark the user as 'remove' => 1 in the appropriate grant files
       [ ] For cleanliness, you can also remove the user from all rights blocks on the databases.
       [ ] Run the grant script to get the grants.
       [ ] Copy/paste to execute the grants or run the grants on the appropriate primary db
   [ ] user_data
       [ ] Determine if there are any user specific dbs that need retention
       [ ] Archive off any dbs that are no longer needed with expiration set

[ ] civicrm

   Requires: client_ssl_cert
   [ ] Change user account to Blocked
   [ ] Remove from any campaign notifications.
       [ ] Check using: mysql drupal -e "select * from wmf_campaigns_campaign;"
       [ ] Remove using mysql or https://civicrm.wikimedia.org/admin/config/wmf_campaigns/list
   [ ] Remove from large donation notifications.
       [ ] Remove using https://civicrm.wikimedia.org/admin/config/large_donation/configure

[ ] superset

   Requires: client_ssl_cert
   [ ] account_setup
       [ ] Mark user account as inactive
   [ ] archive_access
       [ ] Remove from google drive archive group. https://drive.google.com/drive/folders/0ADWGPlZtksGdUk9PVA

[ ] failmail / email lists

   fr-tech-failmail (possibly others)
   [ ] Production lists
       [ ] Remove from list in production private puppet repo
       [ ] Push out change
   [ ] Fail Mail
       [ ] grep the puppet repo for instances of the user's account
       [ ] Remove instances
       [ ] Push out change
   [ ] civicrm
       [ ] Remove from civicrm failmail recipients
           https://civicrm.wikimedia.org/admin/config/wmf_common/configure
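The "grep the puppet repo for instances of the user's account" step above is the natural place for a final sweep once every item on this checklist is done. The script below is an added example, not Wikimedia tooling: it walks a repo tree for whole-word occurrences of the departed username, flags a leftover file named after the user (the ssh public key), and skips a users.yaml entry already marked ensure: absent. The sample tree, its file layout and contents are constructed for illustration.

```python
# Post-offboarding sweep for a departed account name across the files the
# checklist edits (users.yaml, group_members.yaml, yubico.pp, ssh key files,
# failmail recipient lists). Added example; repo layout below is constructed.
import re
import tempfile
from pathlib import Path

SAMPLE_FILES = {  # constructed sample puppet-private tree, departed user "jdoe"
    "users.yaml": "jdoe:\n  uid: 2001\n  ensure: 'absent'\nasmith:\n  uid: 2002\n",
    "group_members.yaml": "frtech:\n  - asmith\n  - jdoe2\n",
    "manifests/passwords/yubico.pp": "$jdoe_yubikey = 'cccc...'\n$asmith_yubikey = 'cccc...'\n",
    "secrets/ssh/default/jdoe": "ssh-ed25519 AAAA... jdoe@laptop\n",
    "hieradata/common.yaml": "fr_tech_failmail:\n  - asmith@example.org\n  - jdoe@example.org\n",
    "hieradata/hostname/fran1001.yaml": "jupyter_ports:\n  asmith: 8901\n",
}

def _marked_absent(lines, idx):
    """True if the YAML mapping starting at lines[idx] carries ensure: absent."""
    for line in lines[idx + 1:]:
        if not line.startswith((" ", "\t")):
            break
        if re.search(r"ensure:\s*'?absent'?", line):
            return True
    return False

def find_user_references(repo_root, username):
    """Return sorted (relative path, line number, text) for every whole-word
    occurrence of username. A file named after the user (a leftover ssh key)
    is reported with line number 0; entries already ensure: absent are skipped."""
    root = Path(repo_root)
    word = re.compile(rf"(?<![A-Za-z0-9]){re.escape(username)}(?![A-Za-z0-9])")
    hits = []
    for path in (p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if path.name == username:
            hits.append((rel, 0, "file named after user"))
            continue
        lines = path.read_text(errors="replace").splitlines()
        for n, line in enumerate(lines):
            if word.search(line) and not (line.rstrip().endswith(":") and _marked_absent(lines, n)):
                hits.append((rel, n + 1, line.strip()))
    return sorted(hits)

def sweep_sample_repo(username="jdoe"):
    """Write the constructed tree to a temp dir and sweep it for username."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, text in SAMPLE_FILES.items():
            target = Path(tmp) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(text)
        return find_user_references(tmp, username)

if __name__ == "__main__":
    for rel, lineno, text in sweep_sample_repo():
        print(f"{rel}:{lineno}: {text}")
```

Note that "jdoe2" in group_members.yaml is correctly not reported, while "$jdoe_yubikey" and "jdoe@example.org" are; point find_user_references at a real checkout to run the sweep for a departing account.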

[ ] jupyter

   Requires: useraccount, yubikey, ssh
   [ ] remove user port mapping in hieradata/hostname/fran1001.yaml
   [ ] remove user password mapping in manifests/passwords/jupyter.pp

[ ] Repository reviewer

   [ ] Remove from the necessary fundraising repos notifications: https://www.mediawiki.org/wiki/Git/Reviewers

[ ] Payment processor console accounts

   Some processors have multiple consoles
   [ ] acoustic
   [ ] adyen
   [ ] apple
   [ ] braintree
   [ ] dlocal
   [ ] ingenico
   [ ] paypal