Revoking user account credentials

Content Platform for Cloud Scale Administration Guide

Version
2.6.x
File Size
1945 KB
Audience
anonymous
Part Number
MK-HCPCS008-10

To immediately and completely revoke a user's account credentials, it's best to remove credentials from the identity provider, clear the HCP for cloud scale user cache, revoke OAuth tokens, and revoke S3 credentials, in that order.

You might want to revoke a user's account credentials for a number of reasons:

  • The user has left the organization.
  • The user is part of a company that has ended a contract with the organization.
  • The user had a temporary account that has expired.

To complete these tasks you must have permission to reset a user's password in the identity provider (IdP), such as Active Directory or LDAP, and you must have permission to execute HCP for cloud scale API methods.

If you remove the user account from the IdP, you might not be able to move or delete the user's data and buckets. If you must do that, reset the account password instead, delete or move the data as needed, and then remove or disable the account.

CAUTION:
Execute the steps in this procedure in the order given.
  1. Prevent the user from signing in through the IdP.
    • Remove or disable the user account in the IdP.
    • Change or remove the user's password.
    Removing or disabling the account creates a positive record of revocation but can prevent access to the user's data.
    The user can now no longer log in to the system.
  2. Clear the HCP for cloud scale user cache:
    1. Obtain an OAuth token.
    2. Use the API method POST security/clearCache.
    The user can now no longer obtain fresh OAuth tokens.
  3. Revoke the user's OAuth tokens.
    1. Obtain an OAuth token (or use the token previously obtained).
    2. Obtain an XSRF token.
    3. Use the API method POST user/list to obtain the user ID for the user.
      The response body contains the user ID.
    4. Use the API method POST user/revoke_tokens, passing as a parameter the user ID previously obtained.
      You should receive a 200 OK response with an empty response body.
    The user's existing OAuth tokens are now revoked. The user can now no longer obtain S3 credentials.
  4. Revoke the user's existing S3 credentials.
    (Alternatively, you can generate fresh S3 credentials, but the listed steps create a positive record of revocation.)
    1. Obtain an OAuth token (or use the token previously obtained).
    2. Obtain an XSRF token (or use the token previously obtained).
    3. Use the API method POST user/list to obtain the user ID for the user (or use value previously obtained).
    4. Use the API method POST user/revoke_credentials, passing as a parameter the user ID previously obtained.
      You should receive a 200 OK response with an empty response body.
The user's account credentials are cleared from the system and revoked.
If you now want to remove the user's data and buckets, reset the password in the IdP, obtain an OAuth token using the new password, and then obtain S3 credentials using the OAuth token. When you obtain access, you have two options:
  • Remove all objects, versions, and delete markers in each of the user's buckets. When the buckets are empty, remove them.
  • Set an expiration period of one second in each of the user's buckets. When the buckets are empty, remove them.
Note: Manual removal of objects and buckets can take a significant amount of time. It's best to write a script to do it. Alternatively, use an S3 client that support bulk deletions.