[ADR] Auto removal of users from other groups once a member is deleted from the elementary data partition group (the 'users' group)
Status
- Proposed
- Trialing
- Under review
- Approved
- Retired
Context & Scope
This ADR is about the automatic removal of a member from all other groups in a data partition once it has been deleted from that partition's elementary ('users') group in the entitlements service.
Current Behavior
- Currently, to access data belonging to a partition, a user needs to be a member of that partition's elementary data partition group (the 'users' group); see the entitlements documentation at 'https://community.opengroup.org/osdu/platform/security-and-compliance/entitlements/-/blob/master/docs/docs/index.md'
- Once the member is deleted from the 'users' group it loses data access in that partition, and every role granted through its other groups becomes ineffective, regardless of which groups it still belongs to.
- However, a member deleted from the elementary group currently remains a member of the role groups it belonged to, which serves no purpose. Ideally, removal of a member from the elementary users group is a permanent removal of access to the partition, and the member should also be removed from every other group in that partition it belongs to.
Proposed Requirements
Deletion of a member from the elementary group shall follow these steps:
- Once the member has been removed successfully from the users group, it shall be removed automatically from the other groups in that partition, irrespective of the roles those groups grant.
- This clean-up can run in the background when a member is removed from the users group, and shall be implemented in the entitlements service.
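The cascade described in the two steps above, as an added example that is not code from the OSDU entitlements service: a hypothetical in-memory group store in which removing a member from a partition's 'users' group also removes it from every other group of that same partition, while leaving its memberships in other partitions untouched. The group ids follow the OSDU naming pattern `<group>@<partition>.<domain>`; the domain, the partition names and the member are constructed sample data. The function returns the list of groups the member was removed from, so a caller could record them before they are lost (see the challenge noted at the end of this ADR).

```python
"""Hypothetical model of the cascading removal proposed in this ADR.

Not the OSDU entitlements service's own code. Group ids use the OSDU
convention <group>@<partition>.<domain>; all data below is constructed.
"""
from __future__ import annotations

from collections import defaultdict

DOMAIN = "contoso.com"  # assumption: the deployment's entitlements domain


def users_group(partition: str) -> str:
    """Id of the elementary ('users') group of a partition."""
    return f"users@{partition}.{DOMAIN}"


def partition_of(group: str) -> str:
    """Extract the partition from an id of the form name@partition.domain."""
    _, _, qualifier = group.partition("@")
    return qualifier.split(".", 1)[0]


class GroupStore:
    """Minimal group -> members mapping standing in for the service's store."""

    def __init__(self) -> None:
        self.groups: dict[str, set[str]] = defaultdict(set)

    def add_member(self, group: str, member: str) -> None:
        self.groups[group].add(member)

    def memberships(self, member: str, partition: str | None = None) -> list[str]:
        """Groups the member belongs to, optionally limited to one partition."""
        return sorted(
            g for g, members in self.groups.items()
            if member in members
            and (partition is None or partition_of(g) == partition)
        )

    def remove_member(self, group: str, member: str) -> list[str]:
        """Remove a member from one group.

        If that group is the partition's 'users' group, cascade the removal
        to every other group of the same partition (and only that partition).
        Returns the list of groups the member was removed from.
        """
        if member not in self.groups.get(group, set()):
            raise KeyError(f"{member} is not a member of {group}")
        self.groups[group].discard(member)
        removed = [group]
        partition = partition_of(group)
        if group == users_group(partition):
            # memberships() is evaluated after the first discard, so the
            # users group itself is no longer in the list.
            for other in self.memberships(member, partition):
                self.groups[other].discard(member)
                removed.append(other)
        return removed


ALICE = "alice@contoso.com"  # constructed sample member


def build_sample_store() -> GroupStore:
    """Constructed sample: one member with access in two partitions."""
    store = GroupStore()
    for g in (
        users_group("opendes"),
        f"users.datalake.viewers@opendes.{DOMAIN}",
        f"data.default.owners@opendes.{DOMAIN}",
    ):
        store.add_member(g, ALICE)
    # Access in a second partition must survive a removal in the first one.
    store.add_member(users_group("otherpart"), ALICE)
    store.add_member(f"data.default.viewers@otherpart.{DOMAIN}", ALICE)
    return store


if __name__ == "__main__":
    store = build_sample_store()
    print("removed:", store.remove_member(users_group("opendes"), ALICE))
    print("remaining:", store.memberships(ALICE))
```

Removing the member from a role group such as `data.default.owners@...` does not cascade; only the elementary group triggers the clean-up, which keeps the behaviour for ordinary group edits unchanged.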
Trade-off Analysis
This clean-up is necessary to stop groups from carrying unnecessary members that hold owner or viewer rights on storage records. While the member is outside the users group these memberships grant no effective access, but they become effective again the moment the member is re-added to the users group.
It is possible that the current behaviour of the entitlements service was intentional. As we understand it, to remove a member's access to the data of a particular partition temporarily, one can remove it from the users group only and leave its other group memberships as they are; if the access is needed again later, adding the user back to the users group restores its earlier memberships. Whether this was the purpose behind not removing members from other groups automatically needs to be clarified.
Challenges
- Removing a member from the elementary group and auto-cleaning the other groups loses all of that user's memberships; if the user has to be added again in the future, every association needs to be created again.