Closed Bug 860498 Opened 11 years ago Closed 3 years ago

Remove former employees from the staff group

Categories

(Participation Infrastructure :: Phonebook, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: williamr, Unassigned)

(Whiteboard: [kb=1123740] [Triage 2015-04-17] [iam-ktlo])

There should be an automated process for removing Mozilla paid staff from the 'staff' group once they are no longer a Mozilla employee. This could be worked on as part of our database cleanup tasks (bug 859934), or it could be worked on separately. This bug also relates to determining if a Mozillian is really a paid staff member (bug 764168).

As a way of recognizing these Mozillians as being former staff, we could add a user to an 'alumni' group at the same time we remove them from the 'staff' group. The 'alumni' group could also have restricted membership (bug 838282). 

User story:
As a Mozilla paid staff member, I want to be automatically removed from the 'staff' group when I end my Mozilla employment so that I am no longer a member of the group.

Acceptance criteria:
Once a Mozilla staff member
Whiteboard: [kb=1123740]
FWIW, here is the staff/bugmail reconciliation that BMO runs: http://bzr.mozilla.org/bmo/4.2/view/head:/contrib/moco-ldap-check.pl. A similar task in python, scheduled in celery (I suggest every 12 hrs), would probably be sufficient. It should compare the entire list of staff in ldap to the entire list of people in the staff group and adjust the staff group accordingly.
:peterbe has built a service layer in front of the LDAP that should help us close this bug. It has been reviewed and is waiting on IT deployment. Once it's deployed let's build a periodic job to compare mozillians data to the staff group in LDAP.
Depends on: 780317
Questions:

1) The code referenced in comment 2 allows us to make LDAP requests for particular users. If we use that, will we make a periodic request ("is this person in the LDAP staff group") for every vouched user in Mozillians? Or will we only do it for a subset of vouched users?
2) If we only do it for a subset, what attribute will trigger the query? Are we OK with the fact that this puts control of the group membership in the hands of individual users, and therefore virtually guarantees that the Mozillians.org staff group will not contain all Mozillians.org users who are staff?
3) Would it be better to just create our own integration, like the one in comment 1? That way we could say, "give us all the folks in the LDAP staff group" and we could do our own heuristics -- email addresses, full names, etc.
Flags: needinfo?(williamr)
Flags: needinfo?(sancus)
1) We can make periodic requests, we can also make a request when a new account is created, and when someone adds/changes an email to their account.

2) We should only perform this check if you have an @mozilla.com registered with your account. As much as I would like to do some magic, I don't see how we can use any other attributes for this. Using name creates a massive security hole, because names are neither unique nor are they verified in any way.

Also, at some point we are going to retire the phonebook and Mozillians will become the canonical "phone book". When we do that, we'll probably have automated account creation for new staff members triggered by adding them to LDAP or workday in some way, and I think it's OK if the staff group doesn't become 100% authoritative until that time.
Flags: needinfo?(sancus)
+1 to what sancus says.

In any case it is also good to extend peterbe's solution to return users in a group. I guess it will come in handy at some point. Not a blocker though.
glob makes two suggestions that I think could be helpful

1. It's possible to be notified of when staff leave. The desktop team can do that, as they disable the LDAP accounts and have an exit checklist.

2. glob has an ldap diff script that he uses to update the staff list on Bugzilla. glob, could you share that script?
Flags: needinfo?(williamr) → needinfo?(glob)
(In reply to William Reynolds [:williamr] from comment #6)
> glob makes two suggestions that I think could be helpful
> 
> 1. It's possible to be notified of when staff leave. The desktop team can do
> that, as they disable the LDAP accounts and have an exit checklist.

ann ignacio may be able to help here; cc'ing.

> 2. glob has an ldap diff script that he uses to update the staff list on
> Bugzilla. glob, could you share that script?

that would be the script referenced in comment 2 :)
Flags: needinfo?(glob)
William - When people leave the company, would you prefer to get a weekly, bi-weekly or monthly list?
Ann, I'm not sure yet. Ideally, this would be an automated process.

Justin, is the script referenced in comment 2 a viable option?

This bug isn't a high priority. The past week a few folks have curiously asked about having an accurate staff group, though their interest is simply for information, not API usage or permissions.
Flags: needinfo?(hoosteeno)
note that email aliases are not automatically stored in ldap, and it isn't possible to query zimbra directly for this information (see bug 663754).

for example, i use glob@mozilla.com as my primary staff address (including mozillians), however this is only visible via ldap because i manually added it to the emailAlias attribute.


you probably don't want to use my script directly, but the logic is trivial.  grab a dump of ldap, serialise and store.  the following day do the same and diff to pick up new and old entries.  the mail attribute is automatically generated so that's easy to parse, however the bugzillaEmail and emailAlias fields are freetext and may require minimal manipulation to extract addresses.  just make sure you search both o=com,dc=mozilla and o=org,dc=mozilla to catch moco and mofo.
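
The dump-and-diff logic described in the comment above, combined with the LDAP-to-staff-group comparison suggested earlier in this bug, as an added example; it is not glob's script or Mozillians code. The entry layout (dicts of attribute lists merged from both search bases), the function names and all sample people are assumptions.

```python
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
ADDRESS_ATTRS = ("mail", "emailAlias", "bugzillaEmail")  # attributes named in the thread

def snapshot(entries):
    """Flatten one LDAP dump into lower-cased addresses; free-text fields are regex-parsed."""
    found = set()
    for entry in entries:
        for attr in ADDRESS_ATTRS:
            for value in entry.get(attr, []):
                found.update(m.lower() for m in EMAIL_RE.findall(value))
    return found

def diff_snapshots(previous, current):
    """Addresses that appeared in, or disappeared from, LDAP between two dumps."""
    return {"joined": current - previous, "left": previous - current}

def reconcile(ldap_addresses, profiles, staff_group):
    """Return (to_add, to_remove); match on verified email only, never on name."""
    if not ldap_addresses:  # a failed or empty dump must not empty the group
        raise ValueError("empty LDAP snapshot; refusing to reconcile")
    to_add, to_remove = set(), set()
    for user, emails in profiles.items():
        is_staff = any(e.lower() in ldap_addresses for e in emails)
        if is_staff and user not in staff_group:
            to_add.add(user)
        elif not is_staff and user in staff_group:
            to_remove.add(user)
    return to_add, to_remove

# Constructed sample data: hypothetical people, username -> verified emails.
YESTERDAY = [
    {"mail": ["alice@mozilla.com"], "emailAlias": ["al@mozilla.com"]},
    {"mail": ["bob@mozilla.com"], "bugzillaEmail": ["Bob <bob@example.org>"]},
]
TODAY = [
    {"mail": ["alice@mozilla.com"], "emailAlias": ["al@mozilla.com"]},
    {"mail": ["carol@mozilla.com"]},
]
PROFILES = {"alice": {"al@mozilla.com"}, "bob": {"bob@mozilla.com", "bob@example.org"},
            "carol": {"carol@mozilla.com"}, "dave": {"dave@example.net"}}
STAFF_GROUP = {"alice", "bob", "dave"}

if __name__ == "__main__":
    print(diff_snapshots(snapshot(YESTERDAY), snapshot(TODAY)))
    print(reconcile(snapshot(TODAY), PROFILES, STAFF_GROUP))
```

The empty-snapshot guard matters for a scheduled job: without it, one failed LDAP query would remove every member of the group.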
* I don't think we want to manually reconcile these lists; that's exactly what computers are good at. Williamr, if you want to do it, great, and you can decide how often.

* I agree that :glob's script (see comment 2) is not a drop-in solution for us, but it is a proof that this can be solved, and should guide our own solution.

We haven't prioritized this work on current product roadmaps, but if someone wants to work on it please reach out.
Flags: needinfo?(hoosteeno)
(In reply to Justin Crawford [:hoosteeno] from comment #11)
> * I don't think we want to manually reconcile these lists; that's exactly
> what computers are good at. Williamr, if you want to do it, great, and you
> can decide how often.

This task is best automated as you said. I'll skip the manual reconciliation :)

> We haven't prioritized this work on current product roadmaps, but if someone
> wants to work on it please reach out.

Agreed - stop by #commtools on IRC if you want to work on this.
Should be resolved with Workday integration.
Blocks: 1155650
Whiteboard: [kb=1123740] → [kb=1123740] [Triage 2015-04-17]

Closing this due to mozillians being supplanted by CIS/people.mozilla.org, which contains workday integration.
If there are user issues then that's CIS' issue and can be tracked in Jira.

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → INVALID
Whiteboard: [kb=1123740] [Triage 2015-04-17] → [kb=1123740] [Triage 2015-04-17] [iam-ktlo]