On Mon, Apr 19, 2021 at 11:29:41AM -0700, Kevin Fenzi wrote:
I thought I would bring up for dicussion here something thats come up
after the new account system has been put in place.
Namely, how do we handle group deletions.
In the FAS2 world, we never deleted anything. I think this was partly
due to an over abundence of caution (there could be files owned by the
group left over on various machines) and partly just because it was
We now have 5 requests to remove various no longer used groups.
I've enabled audit logging on our ipa01 instance, so we have audit logs
(and I intend to back them up and keep them forever). So we can tell
when a group was deleted by whom. We also have a db dump from fas2
before the switchover where we can look at who was in what group or what
So, I would like to propose:
* we will remove groups on request/ticket from a group manager.
* we will not seek out groups to remove, as them being there doesn't
really hurt anything.
+1 for me on groups.
This does raise the question about user accounts no?
We could have a group that is created with the same name as a group that was
deleted, and suddenly our auditing trail needs to take into account a time
component as group X at time A may be different than group X at time B.
I've the feeling that user accounts are a tad more sensitive and thus we may
want to keep our current policies, I'm raising the question here nonetheless :)