This page is synchronized from doc/User-Offboarding.md. Last modified on 2025-12-09 00:30 CET by Trase Admin.
Please view or edit the original file there; changes should be reflected here after a midnight build (CET time),
or manually triggering it with a GitHub action (link).
User Offboarding
For an overview of all systems that a user should be offboarded from, see the Off-Boarding Template on Asana (click "Edit" to see the items).
Below is a sequence of actions we should take to offboard a user from Trase's IT systems:
- DeforestationFree:
  - Remove their GitHub username from the whitelist.
    This will prevent them making another account if they visit the site again:

        sudo tljh-config remove-item users.allowed <github-user>
        sudo tljh-config reload

  - Go to https://deforestationfree.com/hub/admin and remove the user
  - Delete the Linux user.
    (You may wish to back up their files first, if they have any!)

        sudo userdel --remove jupyter-<github-user>

  - Ensure that their public key does not appear in any SSH authorized keys list.
    To do this I print out all of the authorized keys and check that I can recognise each one:

        cat /home/*/.ssh/authorized_keys

- GitHub:
  - Remove from TRASE repository: https://github.com/sei-international/TRASE/settings/access
  - Remove from sei-international: https://github.com/orgs/sei-international/people
  - Remove from the TRASE team: https://github.com/orgs/sei-international/teams/trase/members
  - Visit https://github.com/orgs/sei-international/people/ and double-check they are removed from all repositories
- AWS IAM:
  - Find user in https://us-east-1.console.aws.amazon.com/iamv2/home?region=eu-west-1#/users
  - Click "Delete"
- AWS RDS (Trase database):
  - Drop the user:

        REVOKE ALL PRIVILEGES ON ALL TABLES IN SCHEMA main FROM the_user;
        REVOKE ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA main FROM the_user;
        REVOKE ALL PRIVILEGES ON ALL FUNCTIONS IN SCHEMA main FROM the_user;
        REVOKE ALL PRIVILEGES ON SCHEMA main FROM the_user;
        ALTER DEFAULT PRIVILEGES IN SCHEMA main REVOKE ALL ON SEQUENCES FROM the_user;
        ALTER DEFAULT PRIVILEGES IN SCHEMA main REVOKE ALL ON TABLES FROM the_user;
        ALTER DEFAULT PRIVILEGES IN SCHEMA main REVOKE ALL ON FUNCTIONS FROM the_user;
        REVOKE USAGE ON SCHEMA main FROM the_user;
        REASSIGN OWNED BY the_user TO trase_master;
        REVOKE ALL ON DATABASE trase FROM the_user;
        DROP USER the_user;

  - Ensure there are no outstanding personal RDS databases using `trase db ls`.
    If there are, delete them, or also drop the user on those.
- Slack: make Asana tasks for Rosa to remove from DeforestationFree, Trase Finance, and Vizz
- Google Analytics: go through every analytics account, every property and every view and make sure they are removed
- G-Suite:
  - If they have an account at https://admin.google.com/u/1/ac/users, remove it
  - If they have an email alias at https://admin.google.com/u/1/ac/apps/gmail/defaultrouting?hl=en, delete it
- Google Drive: see Asana template linked above
- Google Earth Engine: remove from https://groups.google.com/g/trasegis/members
- ObservableHQ: Remove them from "team members" at https://observablehq.com/team/@trase/settings
- Sanity.io (trase-insights CMS): remove from https://manage.sanity.io/projects/n2jhvipv/team
- Netlify.io: remove from https://app.netlify.com/teams/trase/members
- Unito.io: remove from https://app.unito.io/#/dashboard/organizations/5f48eb9df79ee4115732a0f8/people/members
- JetBrains/PyCharm: revoke license from https://account.jetbrains.com/assets/subscriptions?customer=5159844&product=PC
- Tableau: revoke license at https://customer-portal.tableau.com/s/my-keys
- Metabase: deactivate user from https://metabase.deforestationfree.com/admin/people
- Carto: see https://sei-international.carto.com/u/p2cs-sei/organization
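
The SSH authorized keys check in the DeforestationFree step relies on recognising every key by eye. As an added example (not part of the original page), the script below searches authorized_keys files for one specific public key by its base64 blob; the function names and the sample keys are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). Reports every authorized_keys
# entry that holds a given public key, matching on the base64 key blob so a
# renamed comment or an options prefix (from="...", command="...") cannot hide it.

# key_blob LINE: print the base64 blob of a public-key line; status 1 if none.
# Every SSH public-key blob begins with "AAAA" (a 4-byte length prefix).
key_blob() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ "^AAAA[A-Za-z0-9+/]+=*$") { print $i; found = 1; exit }
    } END { exit !found }'
}

# find_key PUBKEY_LINE FILE...: print "file:line" for each entry with that key.
find_key() {
    blob=$(key_blob "$1") || { echo "no key blob in: $1" >&2; return 2; }
    shift
    for f in "$@"; do
        [ -r "$f" ] || continue              # unmatched glob or unreadable file
        awk -v blob="$blob" '
            /^[[:space:]]*(#|$)/ { next }    # skip comments and blank lines
            { for (i = 1; i <= NF; i++)
                  if ($i == blob) { print FILENAME ":" FNR; next } }
        ' "$f"
    done
}

# Constructed sample data (fake keys), so the example runs without a real host.
demo() {
    d=$(mktemp -d)
    leaver='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEleaverKEY0000000000000000000000000 leaver@laptop'
    other='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEotherKEY00000000000000000000000000 colleague@pc'
    mkdir -p "$d/alice/.ssh" "$d/bob/.ssh"
    printf '%s\n' "# team keys" "$other" > "$d/alice/.ssh/authorized_keys"
    # The leaver's key again, under a different comment and behind an options prefix.
    printf '%s\n' "$other" \
        'from="10.0.0.0/8" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEleaverKEY0000000000000000000000000 backup-job' \
        > "$d/bob/.ssh/authorized_keys"
    (cd "$d" && find_key "$leaver" */.ssh/authorized_keys)
    rm -rf "$d"
}
demo    # prints: bob/.ssh/authorized_keys:2
```

On the host, pass the leaver's public key line and the real paths, for example `/home/*/.ssh/authorized_keys` plus `/root/.ssh/authorized_keys`, which the `/home/*` glob does not cover.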