Skip to main content

Dormant User Process

Dormant User Script Intro

  • The Dormant User script interacts with GitHub, Notify, AWS S3, Slack and Auth0.

  • The script determines which GitHub Organisation users and outside collaborators are dormant on each Organisation.

  • The script reads the GitHub Dormant export file and the GitHub People page export file for each Organisation that are stored in AWS S3 (we manually upload those files).

  • The GitHub Dormant export file contains a list of Enterprise users GitHub believes are inactive. The caveat here is that the Organisation should have SSO enabled, which the AS Organisation does not.

  • The GitHub People page export file for each Organisation contains the list of Organisation users and their last active date/time.

  • The script uses the Dormant export file as the base and cross references the users within it against the users within the GitHub People page export file.

  • The users that are still classed as dormant users after this cross reference are then cross referenced against the GitHub Organisation audit log and Auth0 for any recent activity.

  • The users that are still classed as dormant users after the additional check is made, are sent a Notify email to inform the user that our automation considers the user inactive and to log into Github within a month.

  • After the first (only) Notify email is sent to the users, a list of users that were emailed is uploaded to AWS S3 within a separate json file for each Organisation.

  • After the file is uploaded the script checks if all the first Notify emails were delivered successfully or not.

  • If the script detects any undelivered emails it will raise a Slack notification with the email addresses that failed. The users of these email addresses have had their email accounts deactivated. You will need to run the Leavers process on these users.

  • Once the deadline has passed the script can start the final step to remove the dormant users.

  • The script reads the json file from AWS S3 for each Organisation, checks if the user is still dormant or not, and removes the dormant users.

  • After removing the users a final Notify email is sent to each user to inform them it was our automation that has removed their access for being inactive.

  • If any users are removed the script will raise a Slack notification stating the number of users it managed to remove.

  • After the remove users step the script will delete the json file containing the list of emailed users from AWS S3. This clears the file for when the process is run next time.

  • The script contains an allow list for each Organisation that is used to ignore bot accounts, users on leave or users that do not use GitHub much.

  • The script will check all the users within the allow list still exist within each Organisation. If a user no longer exists then the script will raise a Slack notification with the username of the user/s. Manual edit the allow list to remove the user/s.

  • If users want to rejoin the Organisation after being removed they will need to provide their GitHub username. Adding the user back via their username rather than email address means the user will obtain their previous Organisation settings, which are retained by GitHub for ninety days.

Dormant User Steps

  1. Ask a GitHub Enterprise Owner to create a new GitHub Dormant Users export.

  2. The Enterprise Owner will generate the export using the GitHub user guidance. The resulting export should be saved/renamed as dormant.csv. Provide dormant.csv to the team member who requested the export.

  3. Generate a People page export file for the MoJ Org and AS Org in json format.

  4. Rename the files to be export-ministryofjustice.json and export-moj-analytical-services.json.

  5. Upload the three files to the AWS S3 bucket operations-engineering-dormant-users within our AWS account.

  6. Run the Operations-Engineering GH Action dormant-users-debug-mode. Read the GH Action output for the printed list of usernames it detects are dormant. If any usernames appear to be bot accounts, add those usernames to the allow list within the script file.

  7. Re-run step 5 to ensure usernames that should be ignored have been correctly ignored by the script.

  8. Run the Operations-Engineering GH Action Dormant Users first email. This will send the Notify email to the dormant users and upload the list of emailed users within a json file to AWS S3.

  9. Set a reminder date to proceed to steps 10 and 11 to action the removal of users.

  10. Repeat steps 3, 4 and 5. The two uploaded files will have the users latest last login date. The login date is used in the comparison conducted in the next step which determines if a user is still Dormant or not.

  11. Run the Operations-Engineering GH Action Dormant Users remove users. This will remove the still dormant users from GitHub and send a Notify email to those users.

This page was last reviewed on 19 June 2024. It needs to be reviewed again on 19 September 2024 by the page owner #operations-engineering-alerts .
This page was set to be reviewed before 19 September 2024 by the page owner #operations-engineering-alerts. This might mean the content is out of date.