Account Cleanup Project

Project Title: Account Cleanup
Target Release:
Epic:
Document Status: DRAFT
Document Owner:
Document Sign-Off:
Subject Matter Expert(s):
Technical Expert(s):

Background & Business Value

On an annual basis we would like to review the accounts in the system in order to remove accounts that should no longer be active and so reduce our security risk profile. To do this we need to identify accounts that are not in active use, or whose owners are no longer affiliated with the University.

Goals

  • Identify accounts which are no longer actively used
    • Scenario 1: In general the API Key is not being used
    • Scenario 2: The API Key is being used, but some of the endpoints it is approved for are not being used
    • We should consider Personal Accounts as different from Functional Accounts
  • Identify accounts associated with people/groups no longer affiliated with the University
  • Determine if their account should be removed or deactivated
    • Determine a plan of action to take for these accounts

Assumptions

Out of Scope

Requirements

Ticket(s) | Title | User Story | Priority | Notes

Title: Account No Longer in Use
User Story: As an Administrator, I would like a report that shows if an account has not been used for over X weeks/months.
Notes:
  • What is the time period?
    • Personal Accounts
      • Inactivity for three months on an endpoint is considered inactive
    • Functional Accounts
      • Inactivity for a month on an endpoint is considered inactive
    • If all endpoints are inactive then the API Key should be considered inactive
  • Where should we retrieve this data from?

Title: No Longer Associated with the University - Personal Accounts
User Story: As an Administrator, I would like a report that shows if a person (email address) is no longer associated with the University.
Notes:
  • Where to get this information?
    • LDAP?
    • Can we create an API for it?
    • Possible Campus Identity or SA Identity
  • We need to figure out how to determine if they have separated

Title: No Longer Associated with the University - Functional Accounts
User Story: As an Administrator, I would like a report that shows if a functional account is no longer in use.
Notes:
  • If all the applications associated with a functional account have been revoked/deactivated, then the functional account should be considered inactive.

Title: Extra Criteria for Determining if an Account Should Be Cleaned Up
User Story: As an Administrator, do I need to obtain other information in order to determine if the account should be cleaned up?
Notes:
  • Should there be an attempt to contact the owner?
    • We need to email the owner
    • We should create reports in Apigee or Google Analytics for this
  • Anything else?

Title: The Cleanup Process
User Story: As an Administrator, cleaning up an account should ...
Notes:
  • Presumably, disable the account
  • Should we delete it?


  • If we detect an account is unused
    • Revoke the API Keys for the applications (if not already done so)
    • If the account is inactive at UCSB, then Block the account in Drupal
    • Send email to the account owner & support@developer
      • Ensure only this email is sent and not any of the emails below
      • Link to re-enable account in Drupal
  • If we detect that an application is unused
    • Revoke the API Key for the application
      • Revoke the API Access for each endpoint used by the application
    • Send email to the account owner & support@developer
      • Ensure only this email is sent and not any of the emails below
      • Link to re-enable API Key
    • Update the API Access Request back to Application Retired state
  • If we detect that an API is unused by an application
    • Revoke access to the API for the application
    • Send email to the account owner & support@developer
    • Update the API Access Request to no longer include those APIs
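
The inactivity rules from "Account No Longer in Use" and the three detection cases from "The Cleanup Process" above, combined into one worked example. This is an added illustration, not code from the project: the account and application records, the "affiliated" flag standing in for the LDAP/identity lookup that is still an open question, the interpretation of "three months" and "a month" as 90 and 30 calendar days, and the wording of the action strings are all assumptions made here. The sample accounts and last-call timestamps are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Inactivity thresholds from the requirements; calendar-day values are an assumption.
THRESHOLDS = {"personal": timedelta(days=90), "functional": timedelta(days=30)}


@dataclass
class Application:
    name: str
    approved: set          # endpoints the application's API key is approved for
    last_call: dict        # endpoint -> datetime of most recent call (from gateway logs)
    revoked: bool = False  # API key already revoked/deactivated


@dataclass
class Account:
    owner: str             # owner's email address
    kind: str              # "personal" or "functional"
    applications: list
    affiliated: bool = True  # still affiliated with the University (assumed LDAP result)


def inactive_endpoints(app, kind, now):
    """Approved endpoints that are inactive under the account type's threshold.
    An approved endpoint that was never called is inactive too (Scenario 2)."""
    limit = THRESHOLDS[kind]
    return {ep for ep in app.approved
            if ep not in app.last_call or now - app.last_call[ep] > limit}


def key_is_inactive(app, kind, now):
    """An API key is inactive when every endpoint it is approved for is inactive."""
    return app.revoked or inactive_endpoints(app, kind, now) == app.approved


def plan_cleanup(account, now):
    """Ordered cleanup actions for one account, following the three cases in
    'The Cleanup Process'. Only one owner email is produced per account: the
    account-level email suppresses the application- and endpoint-level ones."""
    actions = []
    apps = account.applications
    # Case 1: every API key on the account is inactive or already revoked.
    if apps and all(key_is_inactive(a, account.kind, now) for a in apps):
        for a in apps:
            if not a.revoked:
                actions.append(f"revoke API key: {a.name}")
        if not account.affiliated:
            actions.append(f"block Drupal account: {account.owner}")
        actions.append(f"email {account.owner}, support@developer: "
                       "account unused, link to re-enable account")
        return actions
    for a in apps:
        if a.revoked:
            continue
        dead = inactive_endpoints(a, account.kind, now)
        if dead == a.approved:
            # Case 2: the whole application is unused.
            actions.append(f"revoke API key: {a.name}")
            for ep in sorted(dead):
                actions.append(f"revoke API access: {a.name} -> {ep}")
            actions.append(f"email {account.owner}, support@developer: "
                           f"application {a.name} unused, link to re-enable API key")
            actions.append(f"set API Access Request for {a.name} to Application Retired")
        elif dead:
            # Case 3: some approved endpoints are unused by an otherwise active application.
            listed = ", ".join(sorted(dead))
            for ep in sorted(dead):
                actions.append(f"revoke API access: {a.name} -> {ep}")
            actions.append(f"email {account.owner}, support@developer: "
                           f"unused APIs on {a.name}: {listed}")
            actions.append(f"remove {listed} from API Access Request for {a.name}")
    return actions


# Constructed sample data: review date and three accounts covering the three cases.
NOW = datetime(2024, 6, 1)
SAMPLE = [
    Account("alice@example.edu", "personal", [
        Application("grades-viewer", {"/students", "/grades"},
                    {"/students": datetime(2024, 5, 20), "/grades": datetime(2024, 1, 15)}),
    ]),
    Account("bob@example.edu", "personal", [
        Application("active-app", {"/rooms"}, {"/rooms": datetime(2024, 5, 30)}),
        Application("stale-app", {"/rooms", "/events"}, {"/rooms": datetime(2023, 12, 1)}),
    ]),
    Account("svc-library@example.edu", "functional", [
        Application("catalog-sync", {"/catalog"}, {"/catalog": datetime(2024, 3, 1)}),
        Application("old-importer", {"/catalog"}, {}, revoked=True),
    ], affiliated=False),
]


def run_sample():
    """Cleanup plan for every sample account, keyed by owner."""
    return {acct.owner: plan_cleanup(acct, NOW) for acct in SAMPLE}


if __name__ == "__main__":
    for owner, plan in run_sample().items():
        print(owner)
        for step in plan:
            print("  -", step)
```

Because the report is derived from per-endpoint last-call timestamps, the same function answers both "where should we retrieve this data from" (any gateway log that yields endpoint and timestamp per key) and the per-account-type threshold question; changing the thresholds table is the only edit needed if the review settles on different periods.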
User Interaction, Design & Architecture

Examples and References

Questions

Below is a list of questions to be addressed as a result of this requirements document:

Question | Outcome | Decision Date