During the course of the past week, I’ve been busy transitioning control over various systems to other staff members. During the course of this we’ve been updating passwords and performing a quick audit for old user accounts.
In traditional enterprise applications, we just disabled the old users in Active Directory (our LDAP system). That secures all our internal systems in one quick stroke. Even if we don’t remove them from individual applications, those systems are now secure.
Then we turned our attention to our external solutions (we have several). They aren’t typically tied to our Active Directory, so disabling the network account wasn’t enough. We had to go into those systems and deactivate the users one at a time.
Let’s look at some of the problems we encountered:
- Deactivating an account doesn’t always release the license. As you may pay by user in the cloud, that matters. Freeing the seat requires a deletion (which I’m loath to do).
- When you delete a user, in some systems you lose the audit logs.
- Some systems won’t let you delete a user as long as they own or are assigned anything. These same systems don’t let you transfer that ownership in bulk.
- In at least one system, if you deactivate a user, anything they own is immediately hidden from users. Of course, there isn’t a way to transfer ownership in the system in question. I’m afraid of what happens if we delete a user.
If you are going to build a system to be used by organizations and not individuals, you need to account for staff turnover. Ownership transfer, deactivating accounts to free up licenses, and bulk actions are critical features.
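To make the three requirements concrete, here is an added example (not code from the original post, and not any particular vendor's implementation): a minimal tenant model in which deactivation frees a seat but keeps the user's audit history and owned objects intact, ownership can be transferred in bulk, and deletion is refused while the user still owns anything. The class names, the `Tenant`/`User`/`Item` layout and the usernames are assumptions for illustration; the walk-through in `demo()` uses constructed data.

```python
"""
Added example, not from the original post: a minimal multi-user tenant
showing deactivation that releases a seat without losing history,
bulk ownership transfer, and deletion guarded by an ownership check.
All names and the sample data below are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


class LicenseError(Exception):
    """Adding a user would exceed the licensed seat count."""


class OwnershipError(Exception):
    """A user cannot be deleted, or cannot receive ownership."""


@dataclass
class User:
    username: str
    active: bool = True      # may the user log in?
    licensed: bool = True    # does the user consume a paid seat?


@dataclass
class Item:
    item_id: str
    owner: str               # username of the current owner


class Tenant:
    def __init__(self, seats: int):
        self.seats = seats
        self.users: dict[str, User] = {}
        self.items: dict[str, Item] = {}
        # Audit events carry usernames as plain strings rather than a foreign
        # key to the user row, so deleting a user never deletes their history.
        self.audit: list[dict] = []

    def _log(self, action: str, actor: str, **details) -> None:
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "action": action, "actor": actor, **details})

    def licensed_count(self) -> int:
        return sum(1 for u in self.users.values() if u.licensed)

    def add_user(self, actor: str, username: str) -> None:
        if self.licensed_count() >= self.seats:
            raise LicenseError(f"all {self.seats} seats in use")
        self.users[username] = User(username)
        self._log("user.add", actor, target=username)

    def create_item(self, actor: str, item_id: str) -> None:
        self.items[item_id] = Item(item_id, owner=actor)
        self._log("item.create", actor, item=item_id)

    def deactivate(self, actor: str, username: str) -> None:
        """Block login and release the seat; owned items stay visible and owned."""
        user = self.users[username]
        user.active = False
        user.licensed = False
        self._log("user.deactivate", actor, target=username)

    def transfer_ownership(self, actor: str, from_user: str, to_user: str) -> int:
        """Bulk-move everything owned by from_user to an active user; returns the count."""
        target = self.users.get(to_user)
        if target is None or not target.active:
            raise OwnershipError(f"{to_user} is not an active user")
        moved = 0
        for item in self.items.values():
            if item.owner == from_user:
                item.owner = to_user
                moved += 1
        self._log("ownership.transfer", actor, from_user=from_user,
                  to_user=to_user, moved=moved)
        return moved

    def delete_user(self, actor: str, username: str) -> None:
        """Refuse deletion while the user owns anything, so nothing becomes orphaned."""
        owned = [i.item_id for i in self.items.values() if i.owner == username]
        if owned:
            raise OwnershipError(f"{username} still owns {len(owned)} item(s); transfer first")
        del self.users[username]
        self._log("user.delete", actor, target=username)

    def visible_items(self) -> list[str]:
        """Items whose owner still exists as a user row, deactivated or not."""
        return sorted(i.item_id for i in self.items.values() if i.owner in self.users)

    def events_mentioning(self, username: str) -> int:
        """Audit entries that reference the user as actor, target or source of a transfer."""
        return sum(1 for e in self.audit if username in e.values())


def demo() -> dict:
    """Walk a constructed two-seat tenant through one staff departure."""
    t = Tenant(seats=2)
    t.add_user("admin", "alice")
    t.add_user("admin", "bob")
    t.create_item("alice", "doc1")
    t.create_item("alice", "doc2")
    t.create_item("bob", "doc3")
    result = {}
    try:                                  # both seats are in use, so a third user is refused
        t.add_user("admin", "carol")
        result["seat_blocked"] = False
    except LicenseError:
        result["seat_blocked"] = True
    t.deactivate("admin", "alice")        # seat released, nothing hidden or lost
    result["visible_after_deactivate"] = len(t.visible_items())
    try:                                  # alice still owns doc1 and doc2
        t.delete_user("admin", "alice")
        result["delete_blocked"] = False
    except OwnershipError:
        result["delete_blocked"] = True
    result["items_moved"] = t.transfer_ownership("admin", "alice", "bob")
    t.delete_user("admin", "alice")
    t.add_user("admin", "carol")          # the seat freed by deactivation is reusable
    result["users"] = sorted(t.users)
    result["licensed"] = t.licensed_count()
    result["alice_audit_events"] = t.events_mentioning("alice")
    return result
```

The order in `demo()` is the one to insist on when you evaluate a vendor: deactivate first (login blocked and seat released the moment someone leaves), transfer ownership in one operation, and only then delete if you must. Because the audit log keys on usernames rather than on the user row, `events_mentioning("alice")` still finds every action she took or that was taken on her account after the row is gone.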
I remember a demo I saw for a Content Management System (CMS) back in the 2000 timeframe. The ability to transfer the ownership and rights from one user to another in a single action seemed extraneous to the point of the demo.
That feature doesn’t feel so extraneous right now.