...

  • Identify accounts which are no longer actively used
    • Scenario 1: The API Key is not being used at all
    • Scenario 2: The API Key is being used, but some of the endpoints it is approved for are never called
    • Personal Accounts and Functional Accounts should be treated differently
  • Identify accounts associated with people/groups no longer affiliated with the University
  • Determine whether each such account should be removed or deactivated
    • Determine a plan of action to take for these accounts

...

Ticket(s) | Title | User Story | Priority | Notes

Account No Longer in Use
User Story: As an Administrator, I would like a report that shows if an account has not been used for over X weeks/months.
Notes:
  • What is the time period?
    • Personal Accounts
      • An endpoint with no calls for three months is considered inactive
    • Functional Accounts
      • An endpoint with no calls for one month is considered inactive
    • If all endpoints are inactive then the API Key should be considered inactive
  • Where should we retrieve this data from?

No Longer Associated with the University - Personal Accounts
User Story: As an Administrator, I would like a report that shows if a person (email address) is no longer associated with the University.
Notes:
  • Where to get this information?
    • LDAP?
    • Can we create an API for it?
    • Possibly Campus Identity or SA Identity
  • We need to figure out how to determine if they have separated

No Longer Associated with the University - Functional Accounts
User Story: As an Administrator, I would like a report that shows if a functional account is no longer in use.
Notes:
  • Is this a real scenario?
  • If all the applications associated with a functional account have been revoked/deactivated, then the functional account should be considered inactive.

Extra Criteria for Determining if an Account Should Be Cleaned Up
User Story: As an Administrator, do I need to obtain other information in order to determine if the account should be cleaned up?
Notes:
  • Should there be an attempt to contact the owner?
    • We need to email the owner
    • We should create reports in Apigee or Google Analytics for this
  • Anything else?

The Cleanup Process
User Story: As an Administrator, cleaning up an account should ...
Notes:
  • I assume Disable the account
  • Should we delete it?


  • If we detect that an account is unused
    • Revoke the API Keys for the applications (if not already done)
    • If the account is inactive at UCSB, then block the account in Drupal
    • Send email to the account owner & support@developer
      • Ensure only this email is sent and not any of the emails below
      • Link to re-enable the account in Drupal
  • If we detect that an application is unused
    • Revoke the API Key for the application
      • Revoke the API access for each endpoint used by the application
    • Send email to the account owner & support@developer
      • Ensure only this email is sent and not any of the emails below
      • Link to re-enable the API Key
    • Update the API Access Request back to the Application Retired state
  • If we detect that an API is unused by an application
    • Revoke access to that API for the application
    • Send email to the account owner & support@developer
    • Update the API Access Request to no longer include those APIs
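The inactivity rules from the "Account No Longer in Use" story (three months per endpoint for Personal Accounts, one month for Functional Accounts, key inactive only when every endpoint is) and the three-level cleanup process above can be combined into one decision routine. The following Python is an added worked example, not code from this page or from the Apigee/Drupal integration it describes. It assumes per-endpoint last-call timestamps as input (in practice pulled from Apigee analytics), a set of owners flagged as separated (in practice from LDAP or campus identity), and reads "inactive at UCSB" as "owner has separated"; the day counts, field names, account data and action names are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Inactivity windows from the user story: three months for Personal Accounts,
# one month for Functional Accounts. Exact day counts are an assumption; the
# page only says "three months" / "a month".
INACTIVITY_DAYS = {"personal": 90, "functional": 30}


@dataclass
class ApiKey:
    key_id: str
    owner_email: str
    account_type: str                  # "personal" or "functional"
    approved_endpoints: frozenset      # endpoints the API Access Request approved
    last_call: dict = field(default_factory=dict)  # endpoint -> datetime of last call; missing = never called


def inactive_endpoints(key: ApiKey, now: datetime) -> frozenset:
    """Approved endpoints with no call inside the owner's inactivity window."""
    cutoff = now - timedelta(days=INACTIVITY_DAYS[key.account_type])
    return frozenset(ep for ep in key.approved_endpoints
                     if ep not in key.last_call or key.last_call[ep] < cutoff)


def key_is_inactive(key: ApiKey, now: datetime) -> bool:
    """An API Key is inactive only when every approved endpoint is inactive."""
    return inactive_endpoints(key, now) == key.approved_endpoints


def plan_cleanup(keys: list, now: datetime, separated_owners: set) -> list:
    """Turn usage data into the cleanup actions from the process above.

    Returns (action, target) tuples. An owner whose whole account is unused gets
    only the account-level email, never the per-application or per-API ones.
    """
    actions = []
    by_owner = {}
    for key in keys:
        by_owner.setdefault(key.owner_email, []).append(key)

    for owner, owner_keys in by_owner.items():
        if all(key_is_inactive(k, now) for k in owner_keys):
            # Account unused: revoke every key, block the Drupal account if the
            # owner has separated (assumed reading of "inactive at UCSB"), one email.
            for k in owner_keys:
                actions.append(("revoke_key", k.key_id))
            if owner in separated_owners:
                actions.append(("block_account", owner))
            actions.append(("email_account_unused", owner))
            continue  # suppress the application- and API-level emails below

        for k in owner_keys:
            unused = inactive_endpoints(k, now)
            if not unused:
                continue
            if unused == k.approved_endpoints:
                # Application unused: revoking the key revokes every endpoint; retire the request.
                actions.append(("revoke_key", k.key_id))
                actions.append(("update_request", (k.key_id, "Application Retired")))
                actions.append(("email_application_unused", owner))
            else:
                # Only some APIs unused: revoke just those and trim the request.
                for ep in sorted(unused):
                    actions.append(("revoke_endpoint_access", (k.key_id, ep)))
                actions.append(("update_request", (k.key_id, "remove " + ", ".join(sorted(unused)))))
                actions.append(("email_api_unused", owner))
    return actions


# Constructed sample data (not real accounts, keys or endpoints).
NOW = datetime(2024, 6, 1)
SAMPLE_KEYS = [
    ApiKey("k-alice-1", "alice@example.edu", "personal", frozenset({"/students", "/courses"}),
           {"/students": datetime(2024, 5, 20), "/courses": datetime(2024, 1, 15)}),
    ApiKey("k-bob-1", "bob@example.edu", "personal", frozenset({"/people"}), {}),
    ApiKey("k-payroll-1", "svc-payroll@example.edu", "functional", frozenset({"/payroll"}),
           {"/payroll": datetime(2024, 5, 25)}),
    ApiKey("k-payroll-2", "svc-payroll@example.edu", "functional", frozenset({"/hr"}),
           {"/hr": datetime(2024, 4, 1)}),
]
SEPARATED = {"bob@example.edu"}  # would come from LDAP / campus identity in practice


def demo_actions() -> list:
    return plan_cleanup(SAMPLE_KEYS, NOW, SEPARATED)


if __name__ == "__main__":
    for action in demo_actions():
        print(action)
```

With the sample data, alice keeps her key but loses only /courses, bob's whole account is revoked and blocked with a single email, and the functional owner keeps k-payroll-1 while k-payroll-2 is retired under the shorter one-month window. The per-owner check runs first so that the "only this email is sent" rule is enforced structurally rather than by filtering emails afterwards.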

User Interaction, Design & Architecture

...