Re: Guidance on user deletion

From: vrms <vrms(at)netcologne(dot)de>
To: pgsql-admin(at)lists(dot)postgresql(dot)org
Subject: Re: Guidance on user deletion
Date: 2024-05-12 10:56:33
Message-ID: 7491004d-73f1-4c5f-aaaa-e397c0ba5c1b@netcologne.de
Lists: pgsql-admin


> The five account systems I've had experience with (OpenVMS, Linux,
> Active Directory, SQL Server, Postgresql) all have the ability to
> expire users, and to unexpire them if the person ever returns.
How do you practically expire an account in Postgres?

On 5/11/24 5:55 AM, Ron Johnson wrote:
> On Fri, May 10, 2024 at 2:37 PM Wetmore, Matthew (CTR)
> <Matthew(dot)Wetmore(at)evernorth(dot)com> wrote:
>
> Corporate env.
>
> I’ve searched for an official BestPractice on user  deletion
> (leave company), but can’t find anything that is official-ish.
>
> Two options:
>
> 1. Change user psswd to nonsense, then expire account.
> 2. DROP user.
>
> There are +/- to both.
>
> I prefer #1, as it gives the exact timestamp of expire (protects
> company and ex-employee), but corporate auditors disagree.
>
> What do you do?  Any official guidance on this?
>
>
> The five account systems I've had experience with (OpenVMS, Linux,
> Active Directory, SQL Server, Postgresql) all have the ability to
> expire users, and to unexpire them if the person ever returns.  (That
> happened to me; my AD account was still there; they just reactivated
> it...)
> In *every* audit that I've gone through (and I go through them *every
> year* because of PCI) the auditors are perfectly happy to see that
> accounts are disabled. Occasionally they ask to see the log entry
> generated when one tries to log into Postgresql with an expired account.
>
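
An added example, not part of any poster's message: one way to carry out option 1 from the thread (disable rather than DROP) and to reverse it later. The role name `jdoe`, the timestamp and the comment text are constructed for illustration.

```sql
-- Added illustration; role name "jdoe" is hypothetical.
BEGIN;

-- Block new connections regardless of authentication method.
ALTER ROLE jdoe NOLOGIN;

-- Record when the account expired. VALID UNTIL expires the *password* only;
-- it is not enforced for non-password methods (peer, cert, GSSAPI, ...),
-- which is why NOLOGIN is set as well.
ALTER ROLE jdoe VALID UNTIL '2024-05-10 17:00:00+00';  -- constructed timestamp

-- Remove the stored password (alternative to setting it to nonsense).
ALTER ROLE jdoe PASSWORD NULL;

-- Leave a note for auditors next to the role itself.
COMMENT ON ROLE jdoe IS 'Disabled 2024-05-10, left company';  -- constructed text

COMMIT;

-- NOLOGIN does not end sessions that are already open; terminate them.
-- Requires superuser or membership in pg_signal_backend.
SELECT pg_terminate_backend(pid)
FROM pg_stat_activity
WHERE usename = 'jdoe';

-- Evidence for an audit: login flag and expiry timestamp.
SELECT rolname, rolcanlogin, rolvaliduntil
FROM pg_roles
WHERE rolname = 'jdoe';

-- If the person returns: re-enable, clear the expiry, then set a new
-- password interactively (in psql: \password jdoe).
ALTER ROLE jdoe LOGIN VALID UNTIL 'infinity';
```

Objects owned by the role and its privileges stay in place while it is disabled, which is what makes reactivation a one-line change.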
