Open DS-INRA opened 1 year ago
Just a heads up that you cannot delete/remove a user that interacted with the system. Please see:
Also, you might find this API helpful for identifying when a user last logged in or used the API:
Gitlab is using a Ghost User for this scenario. All activities will be attached to this ghost user before the account is deleted.
In Gitlab this is also tied to license costs, which is not an issue for us. But maybe one could eradicate the personal data? This would be a step towards GPDR compliance.
I will try to propose a design document for the Ghost User scenario which seems to me the best compromise to eradicate the personal data without loosing the guestbooks etc.
Here is the (currently empty) draft: https://docs.google.com/document/d/1dk5hAlAwFwh9ost2xteTe5LMy5jRQ-3-N_zEeXLLaVc/edit?usp=sharing
Overview of the Feature Request As an instance administrator I can set a duration after which, inactive user accounts will be removed In order to avoid preserving old accounts and personal information
What kind of user is the feature intended for? (Example users roles: API User, Curator, Depositor, Guest, Superuser, Sysadmin) used by Sysadmin : configuration of the Dataverse instance, affecting all types user accounts
What inspired the request? GDPR declaration for the entrepot.recherche.data.gouv.fr instance
Any brand new behavior do you want to add to Dataverse? Allow instance administrators to set a duration e.g. InactiveUsersPreservationDuration (if the duration is not set, then inactive user accounts are always preserved, as currently), user accounts that didn't log in for this duration are sent a notification informing them that if they don't log in within one month (maybe this would also have to be configurable), the user account will be deleted.