cisagov / crossfeed

External monitoring for organization assets
https://docs.crossfeed.cyber.dhs.gov
Creative Commons Zero v1.0 Universal

User Account Management: Inactive Accounts #2458

Open dmfezzareed opened 7 months ago

dmfezzareed commented 7 months ago

💡 Summary

I would like to propose a systematic check for 30 days of Crossfeed user account logon inactivity: notify the user; if the account reaches 45 days of inactivity, the password will be reset (to essentially deactivate it by requiring the data consumer to take action to reset their password should they wish to resume use). Accounts reaching 90 days of inactivity will be removed.

We should also consider adding a new feature to set an expiration date on an account for short-term hires, contractors, etc., to minimize manual overhead. When the account expires, it doesn't have to be removed; merely reset the password or create a way to lock the account so that manual intervention is required to re-enable the account.

Note: I propose 90 days before removing an account entirely as some partner use-cases do not require accessing Crossfeed routinely or frequently, for example, Election personnel. Along those same lines, it might be worth investigating the election temporary hiring practices for requesting access to begin on a specific date and end on a specific date.

Motivation and context

Why does this work belong in this project?

This would be useful because...

Implementation notes

Please provide details for implementation, such as:

Acceptance criteria

How do we know when this work is done?
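One way to turn the 30/45/90-day inactivity policy and the optional expiration date described above into a daily check. This is an added example, not code from the Crossfeed project; the Account fields, the threshold constants and the action names are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Thresholds from the proposal, in days since last logon (assumed as constants).
NOTIFY_DAYS = 30
RESET_DAYS = 45
REMOVE_DAYS = 90


@dataclass
class Account:
    email: str
    last_login: Optional[date]      # None means the user never logged in
    created: date                   # fallback reference point for never-logged-in users
    expires: Optional[date] = None  # optional hard expiry for short-term hires/contractors
    locked: bool = False            # password already reset / account locked
    notified: bool = False          # 30-day inactivity notice already sent


def days_inactive(acct: Account, today: date) -> int:
    """Days since last logon; accounts that never logged in count from creation."""
    ref = acct.last_login or acct.created
    return (today - ref).days


def evaluate(acct: Account, today: date) -> str:
    """Return the single action due for this account today.

    Actions: 'remove', 'lock_expired', 'reset_password', 'notify', 'none'.
    Checked from most to least severe, so an account past several
    thresholds gets the strongest action; notify/reset fire only once.
    """
    inactive = days_inactive(acct, today)
    if inactive >= REMOVE_DAYS:
        return "remove"
    if acct.expires is not None and today >= acct.expires and not acct.locked:
        # Expiry locks the account; removal still waits for REMOVE_DAYS.
        return "lock_expired"
    if inactive >= RESET_DAYS:
        return "none" if acct.locked else "reset_password"
    if inactive >= NOTIFY_DAYS:
        return "none" if acct.notified else "notify"
    return "none"


def sweep(accounts, today: date) -> dict:
    """Daily check: map email -> action for every account that needs one."""
    return {a.email: act for a in accounts if (act := evaluate(a, today)) != "none"}
```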

dmfezzareed commented 7 months ago

@schmelz21 I created this idea issue to get it logged so we don't lose track of what we discussed today. cc @stewartl97 , @rapidray12

schmelz21 commented 7 months ago

https://github.com/cisagov/crossfeed/pull/1532 - Noting a PR pre-existed. Closing out that PR as OBE