<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
<p>All,</p>
<p>So here's my (current) thinking on the ballot regarding system
accounts/user accounts.</p>
<p>It seems that many operations have a centralised list of accounts
which represents the maximum _potential_ set of different access
identifiers to any given system (example: an enterprise wide LDAP
service, and each system is configured to use <tt>sssd</tt> as
its system account database provider). What this means is that I,
as a system administrator, could execute:</p>
<p><tt>getent passwd</tt></p>
<p>and get a long list of <tt>alice, bob, charlie, dave</tt> ... Of
whom only <tt>bob</tt> is actually supposed to be using the
system. Now, most of those users will be assigned to groups, or
roles, or some sort of privilege assignment. It's that association
of account -> privilege which defines the ability to use the
system, not the existence of an account name per se.</p>
<p>So, when I hear the terms "account" and "credential", I tend to
think of usernames and passwords, which are not <i>necessarily</i> the
things that I might want to see controlled. It's the association
of privileges that I want to see demonstrably controlled.</p>
<p>So, when we talk about "deactivating" the account, it seems to me
that what we want is for the privilege association between the
account name and the host to be broken; we remove the username
from the group "<tt>sensitive_host_users</tt>", or we take them
out of "<tt>two_factor</tt>" roles (meaning that their credentials
might still work, but are insufficient to access the sensitive
host, etc.).</p>
<p>But I wonder if this is what others on the group are thinking?</p>
<p>Looking forward to talking this through,</p>
<p>Neil</p>
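<p>An added example, not part of Neil's message, that makes the distinction above concrete: the central directory answers <tt>getent passwd</tt> for every account, but only membership in the host's access group (the message's <tt>sensitive_host_users</tt>) grants use of the host. The script below takes constructed stand-ins for <tt>getent passwd</tt> and <tt>getent group</tt> output (the user names are illustrative), computes which accounts still hold that privilege association and which are "deactivated" for this host even though their credentials may still work elsewhere, and shows in a comment the <tt>sssd</tt> simple access provider directives that enforce the same rule at login.</p>

```shell
# Added example (not from the original message). Sample data is constructed.

# Constructed stand-in for the output of: getent passwd
PASSWD_DB='alice:x:10001:10001:Alice:/home/alice:/bin/bash
bob:x:10002:10002:Bob:/home/bob:/bin/bash
charlie:x:10003:10003:Charlie:/home/charlie:/bin/bash
dave:x:10004:10004:Dave:/home/dave:/bin/bash'

# Constructed stand-in for the output of: getent group sensitive_host_users
# Only bob holds the privilege association with this host.
GROUP_DB='sensitive_host_users:x:20001:bob'

# Every account name the directory knows about (first passwd field).
all_accounts() {
    printf '%s\n' "$PASSWD_DB" | cut -d: -f1
}

# Members of the named group: fourth group field, comma separated.
group_members() {
    printf '%s\n' "$GROUP_DB" | awk -F: -v g="$1" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }'
}

# Exit 0 if user $1 is a member of group $2, i.e. the account -> privilege
# association that actually permits use of the host exists.
has_access() {
    group_members "$2" | grep -qx -- "$1"
}

# Accounts the directory returns that are NOT in the access group. These are
# "deactivated" in the sense of the message: the account name still resolves
# and the password may still be valid, but the privilege on this host is gone.
accounts_without_access() {
    all_accounts | while IFS= read -r u; do
        has_access "$u" "$1" || printf '%s\n' "$u"
    done
}

# On the host, sssd can enforce exactly this association with its simple
# access provider (directives from sssd-simple(5)), so an account that
# resolves via "getent passwd" but is outside the group is refused at login:
#   [domain/example]            # domain name is a placeholder
#   access_provider     = simple
#   simple_allow_groups = sensitive_host_users

# Usage: list who retains access and who has been cut off.
echo "accounts with access to this host:"
all_accounts | while IFS= read -r u; do
    has_access "$u" sensitive_host_users && printf '  %s\n' "$u"
done
echo "accounts without access to this host:"
accounts_without_access sensitive_host_users | sed 's/^/  /'
```

Removing a user from <tt>sensitive_host_users</tt> in the directory changes the output of <tt>accounts_without_access</tt> on the next run without touching the account entry itself, which is the "break the privilege association" form of deactivation the message describes.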
</body>
</html>