Fundraising/techops/procedures/users-departing user offboarding checklist
Departing User Procedure / Checklist
When removing a user from the fundraising / fr-tech ecosystem, we have a set of places where we need to remove accounts and access.
Prerequisites
Before we take action to remove a user, we need to verify that they have actually departed. This should come as a confirmation from their manager and be tracked as a Phabricator ticket.
[ ] user_verification
  [ ] access_rights: letter from manager verifying revocation of access, or ITS Okta offboarding email
  [ ] account name/contact info: removed from https://collab.wikimedia.org/wiki/Fundraising#Contact_List
User Data and Processes
Data to be retained
Relates only to data residing on fundraising systems.
[ ] Identify any data the user has created or used that needs to be retained. This may affect account removal but should not affect deactivation.
[ ] Archive off any data that should be retained.
[ ] Remove other data associated with the user (i.e. scratch databases, etc.).
Processes running under the user's account
Relates only to processes executing on fundraising systems.
[ ] Identify any business essential processes running as the user.
[ ] Identify any business essential processes running from within the user's data locations (i.e. homedir scripts, cron jobs, etc.).
[ ] Transfer any business essential processes to a new user or service account.
[ ] Remove any cronjobs or ongoing process executions tied to the user.
Accounts and Services
[ ] user account
Shell account specifically.
  [ ] account_setup:
    [ ] Mark the user as ensure: 'absent' in the users.yaml file.
    [ ] Remove the user entries in the group_members.yaml file as appropriate.
    [ ] Push out puppet changes.
    [ ] Remove the user principal from kerberos as appropriate.
[ ] client_ssl_cert
Provides access to multiple services.
  [ ] Revoke the cert on frpm1001 using: ssl_user_admin revoke username
  [ ] Check in the updated CRL to puppet-private.
  [ ] Push out puppet changes.
[ ] yubikey
Just covering fundraising systems. ITS handles use of the yubikey with any other systems.
  [ ] Remove the user entry in puppet-private/manifests/passwords/yubico.pp
  [ ] Push out the puppet changes.
[ ] ssh
Only related to fundraising systems.
  [ ] Remove the ssh public key file from puppet-private/secrets/ssh/default/$username
  [ ] Push out the puppet changes.
[ ] mysql
Requires: useraccount, yubikey, ssh
  [ ] account_setup
    [ ] Mark the user as 'remove' => 1, in the appropriate grant files.
    [ ] For cleanliness you can remove the user from all rights blocks on the dbs.
    [ ] Run the grant script to get the grants.
    [ ] Copy/paste to execute the grants, or run the grants on the appropriate primary db.
  [ ] user_data
    [ ] Determine if there are any user-specific dbs that need retention.
    [ ] Archive off any dbs that are no longer needed, with an expiration set.
[ ] civicrm
Requires: client_ssl_cert
  [ ] Change the user account to Blocked.
  [ ] Remove from any campaign notifications.
    [ ] Check using: mysql drupal -e "select * from wmf_campaigns_campaign;"
    [ ] Remove using mysql or https://civicrm.wikimedia.org/admin/config/wmf_campaigns/list
  [ ] Remove from large donation notifications.
    [ ] Remove using https://civicrm.wikimedia.org/admin/config/large_donation/configure
[ ] superset
Requires: client_ssl_cert
  [ ] account_setup
    [ ] Mark the user account as inactive.
  [ ] archive_access
    [ ] Remove from the google drive archive group: https://drive.google.com/drive/folders/0ADWGPlZtksGdUk9PVA
[ ] failmail / email lists
fr-tech-failmail (possibly others)
  [ ] Production lists
    [ ] Remove from the list in the production private puppet repo.
    [ ] Push out change.
  [ ] Fail Mail
    [ ] grep the puppet repo for instances of the user's account.
    [ ] Remove instances.
    [ ] Push out change.
  [ ] civicrm
    [ ] Remove from the civicrm failmail recipients: https://civicrm.wikimedia.org/admin/config/wmf_common/configure
[ ] jupyter
Requires: useraccount, yubikey, ssh
  [ ] Remove the user port mapping in hieradata/hostname/fran1001.yaml
  [ ] Remove the user password mapping in manifests/passwords/jupyter.pp
[ ] Repository reviewer
[ ] Remove from the necessary fundraising repos notifications: https://www.mediawiki.org/wiki/Git/Reviewers
[ ] Payment processor console accounts
Some processors have multiple consoles.
  [ ] acoustic
  [ ] adyen
  [ ] apple
  [ ] braintree
  [ ] dlocal
  [ ] ingenico
  [ ] paypal
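Several of the steps above (user account, ssh, yubikey, jupyter, failmail) boil down to editing files in the puppet-private checkout and then grepping the repo for anything that still mentions the account. The script below is an added example for verifying that work before the change is pushed; it is not fr-tech's own tooling. It assumes the paths named in this checklist (users.yaml, secrets/ssh/default/<user>, manifests/passwords/*.pp) relative to the checkout root, that users.yaml nests per-user keys with an indented "ensure:" line (an assumption about the file layout), and that usernames contain only letters, digits, underscore and hyphen.

```bash
#!/usr/bin/env bash
# offboard_audit.sh - check a puppet-private checkout for leftovers of a
# departed user. Added example, not fr-tech's own tooling. Assumed layout:
# <repo>/users.yaml with nested per-user keys and an indented "ensure:" line,
# <repo>/secrets/ssh/default/<user> for the ssh public key.
set -u

# 0 if users.yaml marks <user> as ensure: absent (quotes optional), else 1.
user_marked_absent() {
  local file="$1" user="$2"
  [ -r "$file" ] || return 1
  awk -v u="$user" -v sq="'" '
    function indent(s) { match(s, /^[ \t]*/); return RLENGTH }
    # the user block starts at a line that is exactly "<user>:"
    $0 ~ ("^[ \t]*" u ":[ \t]*$") { in_user = 1; depth = indent($0); next }
    # a non-blank, non-comment line at the same or shallower indent ends it
    in_user && NF > 0 && $1 !~ /^#/ && indent($0) <= depth { in_user = 0 }
    in_user && $1 == "ensure:" {
      v = $2; gsub(sq, "", v); gsub(/"/, "", v)
      if (v == "absent") found = 1
    }
    END { exit found ? 0 : 1 }
  ' "$file"
}

# 0 if the user's ssh public key file is gone from puppet-private.
ssh_key_removed() {
  local repo="$1" user="$2"
  [ ! -e "$repo/secrets/ssh/default/$user" ]
}

# Files under <repo> that still mention <user> as a whole word. users.yaml is
# skipped because its ensure: absent entry is expected to remain; everything
# else (group_members.yaml, yubico.pp, jupyter.pp, failmail lists) is a leftover.
leftover_refs() {
  local repo="$1" user="$2"
  grep -rlw --exclude-dir=.git --exclude=users.yaml -- "$user" "$repo" 2>/dev/null || true
}

# Run every repo check, print each failure, return the number of failures.
audit_repo() {
  local repo="$1" user="$2" fails=0 refs
  if ! user_marked_absent "$repo/users.yaml" "$user"; then
    echo "FAIL: $user is not ensure: absent in users.yaml"; fails=$((fails + 1))
  fi
  if ! ssh_key_removed "$repo" "$user"; then
    echo "FAIL: secrets/ssh/default/$user still exists"; fails=$((fails + 1))
  fi
  refs=$(leftover_refs "$repo" "$user")
  if [ -n "$refs" ]; then
    echo "FAIL: $user is still referenced in:"; echo "$refs" | sed 's/^/  /'
    fails=$((fails + 1))
  fi
  [ "$fails" -eq 0 ] && echo "OK: no leftover references to $user in $repo"
  return "$fails"
}

# Live-host check for after puppet has run: 0 if the account no longer
# resolves on this host (NSS/LDAP/Kerberos-backed lookups included).
account_gone() {
  ! id "$1" >/dev/null 2>&1
}

# Usage: offboard_audit.sh /path/to/puppet-private username
if [ "$#" -eq 2 ]; then
  audit_repo "$1" "$2"
fi
```

Run audit_repo against the checkout before pushing; a clean result means users.yaml marks the user absent, the ssh key file is gone and nothing else in the repo names the account. account_gone belongs on each fundraising host after the puppet run, alongside the manual ps -u / crontab -u -l checks from the "processes running under the user's account" section, which this script does not replace.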