Bug 1199530 - [RFE] Provide user lifecycle management capabilities
Summary: [RFE] Provide user lifecycle management capabilities
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.0
Hardware: Unspecified
OS: Unspecified
medium
unspecified
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: Namita Soman
Aneta Šteflová Petrová
URL:
Whiteboard:
Depends On:
Blocks: 1181710 1304375
Reported: 2015-03-06 15:03 UTC by Martin Kosek
Modified: 2019-10-10 09:40 UTC

Fixed In Version: ipa-4.2.0-5.el7
Doc Type: Release Note
Doc Text:
User life-cycle management capabilities
The user life-cycle management gives the administrator a greater degree of control over activating and deactivating user accounts. The administrator can now provision new user accounts by adding them to a stage area without fully activating them, activate inactive user accounts to make them fully operational, or deactivate user accounts without completely deleting them from the database. User life-cycle management capabilities bring significant benefits to large IdM deployments. Note that users can also be added to the stage area directly from a standard LDAP client, using direct LDAP operations. Previously, IdM only supported managing users using IdM command-line tools or the IdM web UI.
Clone Of:
: 1304375
Environment:
Last Closed: 2015-11-19 12:01:50 UTC
Target Upstream Version:
Embargoed:


Links
System: Red Hat Product Errata
ID: RHBA-2015:2362
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: ipa bug fix and enhancement update
Last Updated: 2015-11-19 10:40:46 UTC

Description Martin Kosek 2015-03-06 15:03:36 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/3813

Right now, IPA only allows enabling/disabling users. But disabled users will show up in the searches.

It would make sense to have a more mature user lifecycle management. 
Here is an example of what we might want to consider implementing.

When the HR team assigns a new account in the HR system, the initial user object is provisioned into IPA, but it is created in a staging area, for example a subtree called 'Pending'. Once the account has been created with uid/gid/username calculated, it is 'moved' to ou=Users. When the user terminates, the user object is moved to, say, 'Deleted' and is out of the view of normal systems doing user lookups. The object is stored in 'Deleted' until the user returns (a contractor, for example). Once the user returns, their object is moved back to the main tree, preserving their uid/gid/username/etc. attributes.

Group membership should probably not be preserved. However, we might want to allow automembership rules to trigger on the transfer from Pending to Normal rather than on creation (something to think about).

The account creation/termination process is also SOX-controlled, so we will need to make sure we have sufficient access control rules and permissions defined regarding who can create, remove or move accounts around.
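
The lifecycle proposed in the description above, modelled as a small state machine with per-transition access control and an audit trail. This is an added illustration, not FreeIPA code or part of the original report. The container names come from the description; the role names, the classes and the uniqueness check on activation are assumptions.

```python
from dataclasses import dataclass, field

# (source, target) -> role required for the move; role names are hypothetical.
ALLOWED_MOVES = {
    ("Pending", "Users"): "activator",    # new hire goes live
    ("Users", "Deleted"): "terminator",   # termination, object is kept
    ("Deleted", "Users"): "activator",    # returning contractor
}

@dataclass
class Account:
    username: str
    uid: int
    gid: int
    container: str = "Pending"            # every account starts staged
    groups: set = field(default_factory=set)

class Directory:
    def __init__(self):
        self.accounts = []
        self.audit_log = []               # (actor, username, source, target)

    def stage(self, account):
        self.accounts.append(account)
        return account

    def lookup(self, username):
        """What a normal client sees: only accounts under Users."""
        return next((a for a in self.accounts
                     if a.container == "Users" and a.username == username), None)

    def move(self, actor, roles, account, target):
        source = account.container
        needed = ALLOWED_MOVES.get((source, target))
        if needed is None:
            raise ValueError(f"no {source} -> {target} transition")
        if needed not in roles:
            raise PermissionError(f"{actor} lacks role {needed!r}")
        # Assumption: uid and username must be unique among active accounts.
        if target == "Users" and any(
                a is not account and a.container == "Users"
                and (a.uid == account.uid or a.username == account.username)
                for a in self.accounts):
            raise ValueError("uid or username already active")
        if target == "Deleted":
            account.groups.clear()        # group membership is not preserved
        account.container = target
        self.audit_log.append((actor, account.username, source, target))
        return account
```

Only successful moves reach `audit_log`, so a rejected attempt has to be recorded by the caller if failed attempts are also in audit scope.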

Comment 2 Petr Vobornik 2015-05-20 12:11:36 UTC
Web UI patches pushed upstream:

master:
https://fedorahosted.org/freeipa/changeset/a4c0f780b727cc92a9b6fa21e42906a80f4f7d42
https://fedorahosted.org/freeipa/changeset/69bc4f4955c8ee0bdbeea5ca340a003c128e9a58
https://fedorahosted.org/freeipa/changeset/c352616ac9fbb1685adcbe8834143b24f6e8b5d4
https://fedorahosted.org/freeipa/changeset/de374a0d3a1147a650b63bb5c267a857fba015dd
https://fedorahosted.org/freeipa/changeset/ae62bd6914dcdd24667dc1ff149413d9a7adc017
https://fedorahosted.org/freeipa/changeset/2be8eeb04f08cb51a25651794a2f356a2a7b499e
https://fedorahosted.org/freeipa/changeset/6bcb90ef36f7400e9f1eb197421134d5650c39fe
https://fedorahosted.org/freeipa/changeset/8f6013952061099fff4ec9b8784fc1ee91828c4e
https://fedorahosted.org/freeipa/changeset/6a2b486e500b62abe7ef14e4f34c945726f3256b
https://fedorahosted.org/freeipa/changeset/17aafc36b4c94cffa8427c8f4b2aef2292bba40d
https://fedorahosted.org/freeipa/changeset/3c2a8b408ec1af284af0ebe218832f3fab85c008
https://fedorahosted.org/freeipa/changeset/435f9331c633296d72160de1e25bbdc77a81c75e
https://fedorahosted.org/freeipa/changeset/8d8b56d135ad05fbfee35fb88618ce8c5498fd68
https://fedorahosted.org/freeipa/changeset/cae2df274a9ba92a4fc8db0259811c1755c648e6
https://fedorahosted.org/freeipa/changeset/bf7ee6eeecd71ffeb4740a440fd237a6fac4793f
https://fedorahosted.org/freeipa/changeset/14525598f97f57d165682247ef7f5cf63f810be5
https://fedorahosted.org/freeipa/changeset/64e87d5e34f646f0de5b0b310ccaf02cbb119a2b
https://fedorahosted.org/freeipa/changeset/52647285f6d286c079090b5bff21f5e423076897
https://fedorahosted.org/freeipa/changeset/99d282d38d0c847ebb544140edd49d6572f06cb0
https://fedorahosted.org/freeipa/changeset/7ddcff3ef71a1d4254d291bdab99075f2cd8f205

Comment 3 Petr Vobornik 2015-05-22 13:44:39 UTC
Uid uniqueness fixed upstream.

master:
https://fedorahosted.org/freeipa/changeset/98e4c6d6de130a0e94cd1705acc5418bdbda1eb1

Comment 5 Petr Vobornik 2015-06-02 16:35:52 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5040

Comment 6 Petr Vobornik 2015-06-02 16:38:00 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5041

Comment 7 Petr Vobornik 2015-06-02 16:41:29 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5038

Comment 11 Martin Kosek 2015-06-30 10:48:46 UTC
The functionality is there. From now on, the feature is in bugfixing mode upstream.

Comment 15 Petr Vobornik 2015-07-30 11:30:30 UTC
Related to #5041:

master:
    cea52ce186d9341f126ef6a9ac5f0287c4f16ada ULC: Fix stageused-add --from-delete command
ipa-4-2:
    10e43f883d361ee1c376e1a1e06884cd9f8415ca ULC: Fix stageused-add --from-delete command 

additional fix will follow

Comment 16 Jan Cholasta 2015-08-10 07:50:09 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5145

Comment 17 Jan Cholasta 2015-08-11 08:13:52 UTC
Unlinking ticket 5041, as it has not been fixed upstream yet and is not critical for this RFE. The ticket has been cloned to bug 1252334.

Comment 21 Namita Soman 2015-09-22 01:11:08 UTC
Following testplan at - http://www.freeipa.org/page/V4/User_Life-Cycle_Management/tests :

 +-----------------------------[RPMs & OS: [RedHat - x86_64]-----------------------------+
|       ipa-admintools-4.2.0-11.el7.x86_64
|       ipa-client-4.2.0-11.el7.x86_64
|       ipa-server-4.2.0-11.el7.x86_64
|       ipa-server-dns-4.2.0-11.el7.x86_64
|       ipa-tests-ipa-server-rhel71-quickinstall-20150113103102-0.noarch
|       ipa-tests-ipa-server-rhel72-ipa-integration-testing-ksiddiqu-20150907203547-0.noarch
|       ipa-tests-ipa-server-rhel72-shared-20150803150440-0.noarch
|       sssd-ipa-1.13.0-29.el7.x86_64
------------------------------------------------------------------------------------------

 +-----------------------------------------------------------------------------------------+
     Test:[/ipa-server/rhel72/ipa-integration-testing/root]: [ Pass(81/81): 100% ] 
 +-----------------------------------------------------------------------------------------+
:: [   PASS   ]   ipa-integration-testing-startup: installing ipa-tests and other required packages
:: [   PASS   ]   ipa-integration-testing-master: test_xmlrpc_stageuser_plugin_py
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestNonexistentStagedUser-test_retrieve_nonexistent
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestNonexistentStagedUser-test_delete_nonexistent
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestNonexistentStagedUser-test_update_nonexistent
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestNonexistentStagedUser-test_find_nonexistent
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestNonexistentStagedUser-test_activate_nonexistent
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_create_duplicate
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_activate
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_show_stageduser
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_showall_stageduser
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_create_attr-stageduser20-
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_create_attr-stageduser21-
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_create_attr-stageduser22-
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_create_attr-stageduser23-
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_create_attr-stageduser24-
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_create_attr-stageduser25-
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_create_attr-stageduser26-
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_create_attr-stageduser27-
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_create_attr-stageduser28-
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_create_attr-stageduser29-
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_create_attr-stageduser210-
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_create_attr-stageduser211-
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_create_attr-stageduser212-
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_create_attr-stageduser213-
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_create_attr-stageduser214-
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_create_attr-stageduser215-
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_create_attr-stageduser216-
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_create_attr-stageduser217-
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_create_attr-stageduser218-
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_create_attr-stageduser219-
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_create_attr-stageduser220-
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_create_attr-stageduser221-
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_create_attr-stageduser222-
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_create_attr-stageduser223-
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_create_attr-stageduser224-
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_create_attr-stageduser225-
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_create_attr-stageduser226-
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_delete_stageduser
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_find_stageduser
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_findall_stageduser
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_update_stageduser
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_update_uid
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_update_gid
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestStagedUser-test_update_uid_gid
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestCreateInvalidAttributes-test_create_invalid_uid
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestCreateInvalidAttributes-test_create_long_uid
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestCreateInvalidAttributes-test_create_uid_string
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestCreateInvalidAttributes-test_create_gid_string
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestCreateInvalidAttributes-test_create_uid_negative
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestCreateInvalidAttributes-test_create_gid_negative
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestCreateInvalidAttributes-test_create_krbprincipal_bad_realm
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestCreateInvalidAttributes-test_create_krbprincipal_malformed
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestUpdateInvalidAttributes-test_update_uid_string
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestUpdateInvalidAttributes-test_update_gid_string
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestUpdateInvalidAttributes-test_update_uid_negative
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestUpdateInvalidAttributes-test_update_gid_negative
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestActive-test_delete
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestActive-test_delete_nopreserve
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestActive-test_delete_preserve_nopreserve
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestActive-test_delete_preserve
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestPreserved-test_search_preserved_invalid
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestPreserved-test_search_preserved_valid
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestPreserved-test_search_preserved_valid_all
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestPreserved-test_retrieve_preserved
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestPreserved-test_permanently_delete_preserved_user
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestPreserved-test_enable_preserved
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestPreserved-test_reactivate_preserved
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestPreserved-test_staged_from_preserved
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestManagers-test_staged_manager
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestManagers-test_preserved_manager
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestManagers-test_delete_manager_preserved
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestDuplicates-test_active_same_as_preserved
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestDuplicates-test_staged_same_as_active
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestDuplicates-test_staged_same_as_preserved
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestDuplicates-test_active_same_as_staged
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestGroups-test_stageduser_membership
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestGroups-test_remove_preserved_from_group
:: [   PASS   ]   test_xmlrpc-test_stageuser_plugin-TestGroups-test_preserveduser_membership
:: [   PASS   ]   ipa-integration-testing-cleanup: Destroying admin credentials.
:: [   PASS   ]   /ipa-server/rhel72/ipa-integration-testing/root

Comment 22 errata-xmlrpc 2015-11-19 12:01:50 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2362.html

