[ADR] Group deletion validation requirement in entitlement service

Status

  • Proposed
  • Trialing
  • Under review
  • Approved
  • Retired

Context & Scope

This ADR covers validating whether a group is still in use before it is removed through the Group deletion API.

Current Behavior

  • Currently, the only validation in place is the access rights of the caller: the caller must be a member of Ops and Admin and must be an OWNER of the group.
  • There is no validation of whether the group is in use. As a result, a group that is still referenced by records can be deleted, which leaves those records in an unusable state.
  • Clients have reported ghost records: the record's owner group, and even its viewer group, had been deleted from the entitlement service. Once the groups in a record's ACL are deleted, nobody has view or modification access to that record.

Proposed Requirements

Delete Groups API should:

  • Check which data records refer to this entitlement group.
  • Fail when a record refers to this ACL as its SINGLE OWNER. The failure response should list the records referring to this ACL (good to have).
  • This is required so that no record is left in a ghost state, where nobody can access it because its single OWNER group was deleted.
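As an added example, not the entitlement service's own code, the single-OWNER check the Delete Groups API could run before removing a group. The record ACL shape (owners and viewers group lists) is assumed, and the sample records are constructed for the example:

```python
"""Single-OWNER validation for group deletion (added example, not the
entitlement service's own implementation)."""
from dataclasses import dataclass, field

# Assumed record shape: each record carries an ACL with owner and viewer
# group lists. Constructed for this example.
@dataclass
class Record:
    record_id: str
    owners: list = field(default_factory=list)
    viewers: list = field(default_factory=list)


@dataclass
class DeletionCheck:
    allowed: bool
    blocking_records: list = field(default_factory=list)     # group is the single OWNER
    referencing_records: list = field(default_factory=list)  # group appears anywhere in the ACL


def check_group_deletion(group: str, records) -> DeletionCheck:
    """Refuse deletion when any record would be left with no OWNER group.

    Records that merely reference the group (as a viewer, or as one of
    several owners) do not block deletion but are reported so that the
    cleanup step can act on them.
    """
    blocking, referencing = [], []
    for rec in records:
        in_owners = group in rec.owners
        if in_owners or group in rec.viewers:
            referencing.append(rec.record_id)
        # Use set() so a duplicated entry of the same group is not counted
        # as a second owner.
        if in_owners and len(set(rec.owners)) == 1:
            blocking.append(rec.record_id)
    return DeletionCheck(allowed=not blocking,
                         blocking_records=blocking,
                         referencing_records=referencing)


# Constructed sample records (placeholder group names).
SAMPLE_RECORDS = [
    Record("rec-1", owners=["data.ops@example"], viewers=["data.viewers@example"]),
    Record("rec-2", owners=["data.ops@example", "data.admins@example"]),
    Record("rec-3", owners=["data.admins@example", "data.legal@example"],
           viewers=["data.ops@example"]),
]

if __name__ == "__main__":
    print(check_group_deletion("data.ops@example", SAMPLE_RECORDS))
```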

Complementary feature to support cleanup of ACLs from records:

  1. When it is safe to delete the group, i.e. no record has this group as its SINGLE OWNER, the entitlements service can delete the group and publish an event/notification so that listener services can clean up the storage records. This is handled separately via: #161.

Trade-off Analysis

These validations are necessary to stop records ending up with no owner and therefore no access at all.

Challenges

  • Checking for ACLs across so many records: we need a workable solution here, perhaps a search query by legal tag and number of owners.
Edited by Deepa Kumari