Bug 1199530

Summary: [RFE] Provide user lifecycle management capabilities
Product: Red Hat Enterprise Linux 7
Reporter: Martin Kosek <mkosek>
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA
QA Contact: Namita Soman <nsoman>
Severity: unspecified
Docs Contact: Aneta Šteflová Petrová <apetrova>
Priority: medium
Version: 7.0
CC: chorn, jcholast, mbasti, pvoborni, rcritten, tbabej, tbordaz
Target Milestone: rc
Keywords: FutureFeature
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ipa-4.2.0-5.el7
Doc Type: Release Note
Doc Text: User life-cycle management capabilities
The user life-cycle management gives the administrator a greater degree of control over activating and deactivating user accounts. The administrator can now provision new user accounts by adding them to a stage area without fully activating them, activate inactive user accounts to make them fully operational, or deactivate user accounts without completely deleting them from the database. User life-cycle management capabilities bring significant benefits to large IdM deployments. Note that users can be added to the stage area also directly from a standard LDAP client, using direct LDAP operations. Previously, IdM only supported managing users using IdM command-line tools or the IdM web UI.
Story Points: ---
Clone Of:
: 1304375
Environment:
Last Closed: 2015-11-19 12:01:50 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1181710, 1304375

Description Martin Kosek 2015-03-06 15:03:36 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/3813

Right now IPA only allows enabling/disabling users. But disabled users will show up in the searches.

It would make sense to have a more mature user lifecycle management. 
Here is an example of what we might want to consider implementing.

When the HR team assigns a new account in the HR system, the initial user object is provisioned into IPA but it is created in a staging area, for example a subtree called 'Pending'. Once the account has been created with uid/gid/username calculated, it is 'moved' to ou=Users. When the user terminates, the user object is moved to, say, 'Deleted' and is out of the view of normal systems doing user lookups. The object is stored in 'Deleted' until the user returns back (contractor for example). Once the user returns, their object is moved back to the main tree preserving their uid/gid/username/etc attributes.

Group membership should probably not be preserved. However, we might want to allow automembership rules to trigger on the transfer from Pending to Normal rather than on creation (something to think about).

The account creation/termination process is also SOX-controlled, so we will need to make sure we have sufficient access control rules and permissions defined regarding who can create, remove or move accounts around.
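The staged / active / preserved states the ticket describes, as an added in-memory model that is not FreeIPA's own code: it captures the rules the delivered feature enforces (login unique across all three containers, group membership dropped on preserve, uid/gid kept on reactivation, and preserved users absent from plain lookups whereas merely disabled users remain visible). The container names mirror the cn=accounts layout of the design and are assumptions here; method names follow the corresponding `ipa` CLI commands.

```python
# Added illustration, not FreeIPA code: an in-memory model of the user
# life-cycle containers under cn=accounts (names assumed from the design).
STAGE, ACTIVE, PRESERVED = "staged users", "users", "deleted users"


class Directory:
    def __init__(self):
        self.entries = {STAGE: {}, ACTIVE: {}, PRESERVED: {}}
        self.groups = {}  # group name -> set of member logins

    def _containers_with(self, login):
        return [c for c, e in self.entries.items() if login in e]

    def stageuser_add(self, login, uid_number, gid_number):
        # A login must be unique across staged, active and preserved entries.
        if self._containers_with(login):
            raise ValueError(f"{login} already exists")
        self.entries[STAGE][login] = {"uidNumber": uid_number,
                                      "gidNumber": gid_number}

    def stageuser_activate(self, login):
        self.entries[ACTIVE][login] = self.entries[STAGE].pop(login)

    def user_disable(self, login):
        # Disabling only locks the entry; it stays in cn=users and in searches.
        self.entries[ACTIVE][login]["nsAccountLock"] = True

    def user_del(self, login, preserve=True):
        entry = self.entries[ACTIVE].pop(login)
        for members in self.groups.values():  # membership is not kept
            members.discard(login)
        if preserve:
            self.entries[PRESERVED][login] = entry

    def user_undel(self, login):
        # Reactivation keeps uidNumber/gidNumber from the preserved entry.
        self.entries[ACTIVE][login] = self.entries[PRESERVED].pop(login)

    def stageuser_add_from_delete(self, login):
        # Counterpart of `ipa stageuser-add --from-delete`: back to staging.
        self.entries[STAGE][login] = self.entries[PRESERVED].pop(login)

    def group_add_member(self, group, login):
        if login not in self.entries[ACTIVE]:
            raise ValueError("only active users can be group members")
        self.groups.setdefault(group, set()).add(login)

    def user_find(self, preserved=False):
        # Plain lookups see active users only (locked or not); preserved
        # entries must be requested explicitly.
        return sorted(self.entries[PRESERVED if preserved else ACTIVE])
```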

Comment 2 Petr Vobornik 2015-05-20 12:11:36 UTC
Web UI patches pushed upstream:

master:

Comment 3 Petr Vobornik 2015-05-22 13:44:39 UTC
Uid uniqueness fixed upstream.

master:
https://fedorahosted.org/freeipa/changeset/98e4c6d6de130a0e94cd1705acc5418bdbda1eb1

Comment 5 Petr Vobornik 2015-06-02 16:35:52 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5040

Comment 6 Petr Vobornik 2015-06-02 16:38:00 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5041

Comment 7 Petr Vobornik 2015-06-02 16:41:29 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5038

Comment 11 Martin Kosek 2015-06-30 10:48:46 UTC
The functionality is there. From now on, the feature is in bugfixing mode upstream.

Comment 15 Petr Vobornik 2015-07-30 11:30:30 UTC
Related to #5041:

master:
    cea52ce186d9341f126ef6a9ac5f0287c4f16ada ULC: Fix stageused-add --from-delete command
ipa-4-2:
    10e43f883d361ee1c376e1a1e06884cd9f8415ca ULC: Fix stageused-add --from-delete command 

additional fix will follow

Comment 16 Jan Cholasta 2015-08-10 07:50:09 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5145

Comment 17 Jan Cholasta 2015-08-11 08:13:52 UTC
Unlinking ticket 5041, as it has not been fixed upstream yet and is not critical for this RFE. The ticket has been cloned to bug 1252334.

Comment 21 Namita Soman 2015-09-22 01:11:08 UTC
Following testplan at - http://www.freeipa.org/page/V4/User_Life-Cycle_Management/tests :

 +-----------------------------[RPMs & OS: [RedHat - x86_64]-----------------------------+
|       ipa-admintools-4.2.0-11.el7.x86_64
|       ipa-client-4.2.0-11.el7.x86_64
|       ipa-server-4.2.0-11.el7.x86_64
|       ipa-server-dns-4.2.0-11.el7.x86_64
|       ipa-tests-ipa-server-rhel71-quickinstall-20150113103102-0.noarch
|       ipa-tests-ipa-server-rhel72-ipa-integration-testing-ksiddiqu-20150907203547-0.noarch
|       ipa-tests-ipa-server-rhel72-shared-20150803150440-0.noarch
|       sssd-ipa-1.13.0-29.el7.x86_64
------------------------------------------------------------------------------------------

 +-----------------------------------------------------------------------------------------+
     Test:[/ipa-server/rhel72/ipa-integration-testing/root]: [ Pass(81/81): 100% ] 
 +-----------------------------------------------------------------------------------------+
:: [   PASS   ]   ipa-integration-testing-startup: installing ipa-tests and other required packages
:: [   PASS   ]   ipa-integration-testing-master: test_xmlrpc_stageuser_plugin_py
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestNonexistentStagedUser-test_retrieve_nonexistent
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestNonexistentStagedUser-test_delete_nonexistent
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestNonexistentStagedUser-test_update_nonexistent
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestNonexistentStagedUser-test_find_nonexistent
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestNonexistentStagedUser-test_activate_nonexistent
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_create_duplicate
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_activate
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_show_stageduser
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_showall_stageduser
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_create_attr-stageduser20-
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_create_attr-stageduser21-
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_create_attr-stageduser22-
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_create_attr-stageduser23-
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_create_attr-stageduser24-
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_create_attr-stageduser25-
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_create_attr-stageduser26-
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_create_attr-stageduser27-
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_create_attr-stageduser28-
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_create_attr-stageduser29-
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_create_attr-stageduser210-
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_create_attr-stageduser211-
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_create_attr-stageduser212-
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_create_attr-stageduser213-
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_create_attr-stageduser214-
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_create_attr-stageduser215-
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_create_attr-stageduser216-
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_create_attr-stageduser217-
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_create_attr-stageduser218-
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_create_attr-stageduser219-
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_create_attr-stageduser220-
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_create_attr-stageduser221-
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_create_attr-stageduser222-
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_create_attr-stageduser223-
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_create_attr-stageduser224-
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_create_attr-stageduser225-
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_create_attr-stageduser226-
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_delete_stageduser
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_find_stageduser
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_findall_stageduser
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_update_stageduser
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_update_uid
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_update_gid
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_update_uid_gid
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestCreateInvalidAttributes-test_create_invalid_uid
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestCreateInvalidAttributes-test_create_long_uid
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestCreateInvalidAttributes-test_create_uid_string
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestCreateInvalidAttributes-test_create_gid_string
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestCreateInvalidAttributes-test_create_uid_negative
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestCreateInvalidAttributes-test_create_gid_negative
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestCreateInvalidAttributes-test_create_krbprincipal_bad_realm
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestCreateInvalidAttributes-test_create_krbprincipal_malformed
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestUpdateInvalidAttributes-test_update_uid_string
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestUpdateInvalidAttributes-test_update_gid_string
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestUpdateInvalidAttributes-test_update_uid_negative
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestUpdateInvalidAttributes-test_update_gid_negative
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestActive-test_delete
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestActive-test_delete_nopreserve
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestActive-test_delete_preserve_nopreserve
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestActive-test_delete_preserve
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestPreserved-test_search_preserved_invalid
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestPreserved-test_search_preserved_valid
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestPreserved-test_search_preserved_valid_all
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestPreserved-test_retrieve_preserved
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestPreserved-test_permanently_delete_preserved_user
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestPreserved-test_enable_preserved
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestPreserved-test_reactivate_preserved
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestPreserved-test_staged_from_preserved
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestManagers-test_staged_manager
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestManagers-test_preserved_manager
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestManagers-test_delete_manager_preserved
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestDuplicates-test_active_same_as_preserved
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestDuplicates-test_staged_same_as_active
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestDuplicates-test_staged_same_as_preserved
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestDuplicates-test_active_same_as_staged
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestGroups-test_stageduser_membership
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestGroups-test_remove_preserved_from_group
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestGroups-test_preserveduser_membership
:: [   PASS   ]   ipa-integration-testing-cleanup: Destroying admin credentials.
:: [   PASS   ]   /ipa-server/rhel72/ipa-integration-testing/root

Comment 22 errata-xmlrpc 2015-11-19 12:01:50 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2362.html