Opened 4 weeks ago
Last modified 3 weeks ago
#32519 new defect
improve user onboard/offboarding procedures
Reported by: | anarcat | Owned by: | tpa |
---|---|---|---|
Priority: | Medium | Milestone: | |
Component: | Internal Services/Tor Sysadmin Team | Version: | |
Severity: | Normal | Keywords: | |
Cc: | gaba | Actual Points: | |
Parent ID: | | Points: | |
Reviewer: | | Sponsor: | |
Description (last modified by )
while working on the nextcloud project, we realized it wasn't exactly trivial to set up the LDAP bridge because of our specific requirements (no direct connexion, offline support). so we just didn't implement it yet (#32332). i added a note about this in the retire a user procedure, but then i realized there are probably many other such services that do *not* connect with LDAP.
Off the top of my head, there's at least Trac and mailing lists, for example, which are managed completely separately. Audit org/operations/services and see which services are managed manually and which aren't.
Then make sure there's an automated way to add/remove users to services, either by hooking up the service with LDAP, or by creating a wrapper script that will manage those accesses.
So the following needs to be done here:
- [ ] document, in new-person and retire-a-user, the various services to add/remove people to
- [ ] automate the above with a script or LDAP
Note that the two pages have different scope: new-person is about TSA while retire-a-user is broader. This should also be converged, probably in the broader sense.
Also note that a particularly tricky situation is when we want to do a *partial* removal. For example, maybe the person needs to be removed from tor-internal, but keep access to some servers. Or removed from server, but keep an email alias.
The latter case is especially sensitive: some people feel keeping their email alias around forever is an inalienable right and that we should keep forwarding their email even after they are fully retired from Tor. This policy needs to be clarified, see #32558 for that particularly tricky problem.
Child Tickets
Change History (5)
comment:1 Changed 4 weeks ago by
Description: | modified (diff) |
---|
comment:2 Changed 3 weeks ago by
Cc: | gaba added |
---|
comment:3 Changed 3 weeks ago by
Description: | modified (diff) |
---|
create #32558 to follow up on the email problem, and expand on that.
mention the new person page as well