Bug 860498: Remove former employees from the staff group
Status: RESOLVED INVALID (opened 11 years ago, closed 3 years ago)
Categories: Participation Infrastructure :: Phonebook, defect
Tracking: Not tracked
People: Reporter: williamr, Unassigned
Whiteboard: [kb=1123740] [Triage 2015-04-17] [iam-ktlo]
There should be an automated process for removing Mozilla paid staff from the 'staff' group once they are no longer a Mozilla employee. This could be worked on as part of our database cleanup tasks (bug 859934), or it could be worked on separately. This bug also relates to determining if a Mozillian is really a paid staff member (bug 764168). As a way of recognizing these Mozillians as being former staff, we could add a user to an 'alumni' group at the same time we remove them from the 'staff' group. The 'alumni' group could also have restricted membership (bug 838282).

User story: As a Mozilla paid staff member, I want to be automatically removed from the 'staff' group when I end my Mozilla employment so that I am no longer a member of the group.

Acceptance criteria: Once a Mozilla staff member
Updated•11 years ago
Whiteboard: [kb=1123740]
Comment 1•11 years ago
FWIW, here is the staff/bugmail reconciliation that BMO runs: http://bzr.mozilla.org/bmo/4.2/view/head:/contrib/moco-ldap-check.pl. A similar task in python, scheduled in celery (I suggest every 12 hrs), would probably be sufficient. It should compare the entire list of staff in ldap to the entire list of people in the staff group and adjust the staff group accordingly.
Comment 2•11 years ago
:peterbe has built a service layer in front of the LDAP that should help us close this bug. It has been reviewed and is waiting on IT deployment. Once it's deployed let's build a periodic job to compare mozillians data to the staff group in LDAP.
Depends on: 780317
Comment 3•11 years ago
Questions:

1) The code referenced in comment 2 allows us to make LDAP requests for particular users. If we use that, will we make a periodic request ("is this person in the LDAP staff group") for every vouched user in Mozillians? Or will we only do it for a subset of vouched users?

2) If we only do it for a subset, what attribute will trigger the query? Are we OK with the fact that this puts control of the group membership in the hands of individual users, and therefore virtually guarantees that the Mozillians.org staff group will not contain all Mozillians.org users who are staff?

3) Would it be better to just create our own integration, like the one in comment 1? That way we could say, "give us all the folks in the LDAP staff group" and we could do our own heuristics -- email addresses, full names, etc.
Flags: needinfo?(williamr)
Flags: needinfo?(sancus)
Comment 4•11 years ago
1) We can make periodic requests, we can also make a request when a new account is created, and when someone adds/changes an email to their account.

2) We should only perform this check if you have an @mozilla.com registered with your account. As much as I would like to do some magic, I don't see how we can use any other attributes for this. Using name creates a massive security hole, because names are neither unique nor are they verified in any way.

Also, at some point we are going to retire the phonebook and Mozillians will become the canonical "phone book". When we do that, we'll probably have automated account creation for new staff members triggered by adding them to LDAP or workday in some way, and I think it's OK if the staff group doesn't become 100% authoritative until that time.
Flags: needinfo?(sancus)
Comment 5•11 years ago
+1 to what sancus says. In any case it is also good to extend peterbe's solution to return users in group. I guess it will come in handy at some point. Not a blocker though.
Reporter | ||
Comment 6•10 years ago
glob makes two suggestions that I think could be helpful

1. It's possible to be notified of when staff leave. The desktop team can do that, as they disable the LDAP accounts and have an exit checklist.

2. glob has an ldap diff script that he uses to update the staff list on Bugzilla. glob, could you share that script?
Flags: needinfo?(williamr) → needinfo?(glob)
(In reply to William Reynolds [:williamr] from comment #6)
> glob makes two suggestions that I think could be helpful
>
> 1. It's possible to be notified of when staff leave. The desktop team can do
> that, as they disable the LDAP accounts and have an exit checklist.

ann ignacio may be able to help here; cc'ing.

> 2. glob has an ldap diff script that he uses to update the staff list on
> Bugzilla. glob, could you share that script?

that would be the script referenced in comment 2 :)
Flags: needinfo?(glob)
Comment 8•10 years ago
William - When people leave the company, would you prefer to get a weekly, bi-weekly or monthly list?
Reporter | ||
Comment 9•10 years ago
Ann, I'm not sure yet. Ideally, this would be an automated process. Justin, is the script referenced in comment 2 a viable option? This bug isn't a high priority. The past week a few folks have curiously asked about having an accurate staff group, though their interest is simply for information, not API usage or permissions.
Flags: needinfo?(hoosteeno)
Comment 10•10 years ago
note that email aliases are not automatically stored in ldap, and it isn't possible to query zimbra directly for this information (see bug 663754). for example, i use glob@mozilla.com as my primary staff address (including mozillians), however this is only visible via ldap because i manually added it to the emailAlias attribute.

you probably don't want to use my script directly, but the logic is trivial. grab a dump of ldap, serialise and store. the following day do the same and diff to pick up new and old entries. the mail attribute is automatically generated so that's easy to parse, however the bugzillaEmail and emailAlias fields are freetext and may require minimal manipulation to extract addresses.

just make sure you search both o=com,dc=mozilla and o=org,dc=mozilla to catch moco and mofo.
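The full-list comparison suggested in comment 1 and the snapshot diff described in comment 10, as an added example that is not part of the bug thread or any Mozilla code. The dict-shaped dumps, the function names and the sample accounts are assumptions constructed for illustration; matching on verified emails rather than names follows comment 4.

```python
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
ADDRESS_ATTRS = ("mail", "bugzillaEmail", "emailAlias")

def staff_addresses(snapshot):
    """All addresses in one LDAP dump; the last two attributes are free text."""
    found = set()
    for entry in snapshot.values():
        for attr in ADDRESS_ATTRS:
            for value in entry.get(attr, []):
                found.update(a.lower() for a in EMAIL_RE.findall(value))
    return found

def diff_snapshots(old, new):
    """Return (joined, departed) address sets between two dumps."""
    before, after = staff_addresses(old), staff_addresses(new)
    return after - before, before - after

def reconcile(groups, verified_emails, ldap_staff):
    """Adjust 'staff'/'alumni' in place; match on verified emails only, never names."""
    changes = []
    for user, emails in sorted(verified_emails.items()):
        is_staff = bool({e.lower() for e in emails} & ldap_staff)
        if is_staff and user not in groups["staff"]:
            groups["staff"].add(user)
            changes.append((user, "added to staff"))
        elif not is_staff and user in groups["staff"]:
            groups["staff"].discard(user)
            groups["alumni"].add(user)  # keep a record of former staff
            changes.append((user, "moved to alumni"))
    return changes

# Constructed sample dumps keyed by DN, covering both search bases.
YESTERDAY = {
    "mail=alice@mozilla.com,o=com,dc=mozilla": {
        "mail": ["alice@mozilla.com"], "emailAlias": ["alias: al@mozilla.com."]},
    "mail=bob@mozilla.com,o=com,dc=mozilla": {
        "mail": ["bob@mozilla.com"], "bugzillaEmail": ["Bob <bob@example.net>"]},
    "mail=carol@mozillafoundation.org,o=org,dc=mozilla": {
        "mail": ["carol@mozillafoundation.org"]},
}
TODAY = {dn: e for dn, e in YESTERDAY.items() if not dn.startswith("mail=bob@")}

if __name__ == "__main__":
    print(diff_snapshots(YESTERDAY, TODAY))
    groups = {"staff": {"alice", "bob"}, "alumni": set()}
    verified = {"alice": {"al@mozilla.com"}, "bob": {"bob@mozilla.com"},
                "carol": {"carol@mozillafoundation.org"}, "dave": {"dave@example.net"}}
    print(reconcile(groups, verified, staff_addresses(TODAY)))
```

Running the reconcile step against the full current LDAP list, rather than only the daily diff, also corrects group members who left before the first snapshot was taken.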
Comment 11•10 years ago
* I don't think we want to manually reconcile these lists; that's exactly what computers are good at. Williamr, if you want to do it, great, and you can decide how often.

* I agree that :glob's script (see comment 2) is not a drop-in solution for us, but it is a proof that this can be solved, and should guide our own solution.

We haven't prioritized this work on current product roadmaps, but if someone wants to work on it please reach out.
Flags: needinfo?(hoosteeno)
Reporter | ||
Comment 12•10 years ago
(In reply to Justin Crawford [:hoosteeno] from comment #11)
> * I don't think we want to manually reconcile these lists; that's exactly
> what computers are good at. Williamr, if you want to do it, great, and you
> can decide how often.

This task is best automated as you said. I'll skip the manual reconciliation :)

> We haven't prioritized this work on current product roadmaps, but if someone
> wants to work on it please reach out.

Agreed - stop by #commtools on IRC if you want to work on this.
Comment 13•9 years ago
Should be resolved with Workday integration.
Blocks: 1155650
Whiteboard: [kb=1123740] → [kb=1123740] [Triage 2015-04-17]
Comment 14•3 years ago
Closing this due to mozillians being supplanted by CIS/people.mozilla.org, which contains workday integration.
If there are user issues then that's CIS' issue and can be tracked in Jira.
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → INVALID
Whiteboard: [kb=1123740] [Triage 2015-04-17] → [kb=1123740] [Triage 2015-04-17] [iam-ktlo]