1398206 - Please disable LDAP access for mfilip@mozilla.com

Status: RESOLVED WORKSFORME

(Infrastructure & Operations :: Infrastructure: LDAP, task)

Description

[Chris Cooper [:coop] (he/him)]

Monica is one of the sheriffing contractor team leads from SoftVision, but she'll be out on maternity leave for a while (months), so we might as well disable her LDAP access until she returns. Sheriff accounts have elevated access which is why I want to be cautious here.

Comment 1

[Justin Dow [:jabba]]

I would suggest that we just remove the sheriff access, and any other privileged group memberships, rather than disabling the account. If we disable the account, it will cause e-mail for her to bounce, among other things and will be quite a manual process to undo later. Let me know how you'd like to proceed.

Comment 2

[Chris Cooper [:coop] (he/him)]

(In reply to Justin Dow [:jabba] from comment #1)
> I would suggest that we just remove the sheriff access, and any other
> privileged group memberships, rather than disabling the account. If we
> disable the account, it will cause e-mail for her to bounce, among other
> things and will be quite a manual process to undo later. Let me know how
> you'd like to proceed.

I'm fine with just stripping the access bits as you suggest.

Comment 3

[Justin Dow [:jabba]]

The user is not currently in vpn_sheriff or any other groups that the most basic unprivileged employee would be in, except for scm_level_1. Should I remove scm_level_1?

Comment 4

[Chris Cooper [:coop] (he/him)]

(In reply to Justin Dow [:jabba] from comment #3)
> The user is not currently in vpn_sheriff or any other groups that the most
> basic unprivileged employee would be in, except for scm_level_1. Should I
> remove scm_level_1?

Hrmmm, I guess maybe she was already on mat leave when that request went through.

We can leave scm_level_1. That's low impact.