On Wed, Dec 23, 2020 at 12:20 AM Kevin Fenzi <kevin(a)scrye.com> wrote:
On Tue, Dec 22, 2020 at 11:22:17PM +0000, Peter Robinson wrote:
> On Tue, Dec 22, 2020 at 11:02 PM Kevin Fenzi <kevin(a)scrye.com> wrote:
> >
> > On Tue, Dec 22, 2020 at 10:29:11PM +0000, Peter Robinson wrote:
> > >
> > > I think whatever process is run at the point their account is
> > > disabled should revoke all privileges, that's a fairly standard IT
> > > security procedure.
> >
> > There's no process for packages/provenpackagers.
> >
> > We do have a process for infrastructure/sysadmins:
> >
> > https://docs.pagure.org/infra-docs/sysadmin-guide/sops/departing-admin.html
> >
> > But it only triggers when we _know_ someone isn't contributing anymore
> > (they tell us, etc).
>
> How were the accounts disabled though? Is there a process for that or
> how did that happen in this context?

Accounts can be disabled two ways:
1. The user logs in and marks the account 'inactive'. To change this
back to active they have to reset their password and log in again and
change it back.
2. An admin can change users to 'disabled' where they cannot change that
without intervention.

In both cases all ACLs should be removed; if in the former they wish
to have whatever access back, there can be a documented process to
file a ticket for it.

Of course all this may be different in the new account system coming
soon. :)

Let's hope there are some hooks to provide that functionality :)