Project Title	Account Cleanup
Target Release
Epic
Document Status	DRAFT
Document Owner
Document Sign-Off
Subject Matter Expert(s)
Technical Expert(s)

Background & Business Value

On an annual basis we would like to review the accounts we have in the system in order to remove accounts that should no longer be active and reduce our security risk profile. To do this we will want to check what accounts are not in active use or their owners are no longer affiliated with the University.

Goals

Identity accounts which are no longer actively used
- Scenario 1: In general the API Key is not being used
- Scenario 2: The API Key is being used, but it has endpoints it's approved for but it's not using
- We should consider Personal Accounts as different from Functional Accounts
Identify account associated with people/groups no longer affiliated with the University
Determine if their account should be removed or deactivated
- Determine a plan of action to take for these accounts

Assumptions

Out of Scope

Requirements

Title	User Story	Notes
Account No Longer in Use	As an Administrator, I would like a report that shows if an account has not been used for over X weeks/months.	What is the time period? Personal Accounts Inactivity for three months on an endpoint is considered inactive Functional Accounts Inactivity for a month on an endpoint is considered inactive If all endpoints are inactive then the API Key should be considered inactive Where should we retrieve this data from?
No Longer Associated with the University - Personal Accounts	As an Administrator, I would like a report that shows if a person (email address) is no longer associated with the University.	Where to get this information? LDAP? Can we create an API for it? Possible Campus Identity or SA Identity We need to figure out how to determine if they have separated
No Longer Associated with the University - Functional Accounts	As an Administrator, I would like a report that shows if a functional account is no longer in use.	If all the applications associated with a functional account have been revoked/deactived, then the functional account should be considered inactive.
Extra Criteria for Determining if an account should be cleaned up	As an Administrator, do I need to attain other information in order to determine if the account should be cleaned up?	Should their be an attempt to contact the owner? We need to email the owner We should create reports in Apigee or Google Analytics for this Anything else?
The Cleanup Process	As an Administrator, cleaning up an account should ...	I assume Disable the account Should we delete it? If we detect and account is unused Revoke the API Keys for the applications (if not already done so) If the account is inactive at UCSB, then Block the account in Drupal Send email to the account owner & support@developer Ensure only this email is sent and not any of the emails below Link to reenable account in Drupal If we detect that an application is unused Revoke the API Key for the application Revoke the API Access for each endpoint used by the application Send email to the account owner & support@developer Ensure only this email is sent and not any of the emails below Link to reenable API Key Update the API Access Request back to Application Retired state If we detect that an API is unused by an application Revoke access to the API for the application Send email to the account owner & support@developer Update the API Access Request to no longer include those APIs

User Interaction, Design & Architecture

Examples and References

Questions

Below is a list of questions to be addressed as a result of this requirements document:

Question	Outcome	Decision Date

Browser not supported