[ADR] Auto removal of Groups from all storage ACL List once associated ACL group is deleted from entitlement sevice

Status

• Proposed
• Trialing
• Under review
• Approved
• Retired

Context & Scope

This ADR is about the auto removal of groups from the storage record ACL list when the associated group is deleted from entitlement.

Current Behavior

• Currently, its possible to delete a group using entitlement delete API without validation of group association with any storage records ACL association.
• Once the group is deleted then the group associated with storage records under the ACL list is not removed.
• Deleted groups still exist under the storage record ACL list which is not in existence though Access to the record fails as a group is not present in entitlement.

Proposed Requirements

Delete Groups API should:

• Not delete the Group if there are records that have Single OWNER as the Group being deleted. This is handled via #141.
• When it will not leave any record in inaccessible state, the group can be deleted. Once the group is deleted from the entitlement service, it shall be automatically removed from the storage record acl list.
• As this operation is a costly affair to go through each record and delete the associated group from acl list it can be done asynchronously.
• Entitlement service can notify about the group deleted and subscribers can asynchronously take care of clean ups.

Trade-off Analysis

These clean-ups are necessary to stop having records with unnecessary groups having either owner or viewer rights to a storage record.

Challenges

• Cleaning up the ACL list from each record might take significant time and resources but can be handled asynchronously.