Monday, August 19, 2019

Offboarding on IBM Cloud: Considerations when removing a user

Only authorized persons have access
Over my past blog posts I have looked into how to rotate credentials in different compute environments. I looked at Cloud Foundry on IBM Cloud, Cloud Functions and Kubernetes. The background is that I wanted to understand what it takes to maintain security during the regular DevSecOps cycles and when someone in the team leaves. The latter is often called offboarding.

On Friday, the IBM Cloud blog published the article "Cloud Offboarding: How to remove a user and maintain security". It looks into the steps to remove a user, things to note and how to follow up.


The article mentions a few things to keep in mind when a user is removed from an IBM Cloud account:
  • After a user is removed from an account, the user can no longer log in to the account, switch to the account (when logged in to another account), or access the account resources. All related access privileges are removed as part of the removal processing.
  • IBM Cloud IAM access management follows an eventually consistent model: changes are processed asynchronously. Therefore, the full impact of the removal is not immediately visible; it only becomes visible after it has been propagated throughout the system. The user in question may still be logged in, and some partial access might still be possible until the user's existing access tokens have expired.
  • Resources which the user created remain in the account. Thus, provisioned services, deployed apps, or instantiated VMs continue to work.
  • Removing a user from an account does not remove the user's associated IBMid. The IBMid is tied to the email address. If the user is leaving the company and it is an enterprise email address, the associated IBMid should be deleted.
If the user in question is the account owner, a different process is needed; in that case, the account ownership needs to be transferred.
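Two of the points above lend themselves to a follow-up check after the removal: confirming that the asynchronous removal has actually propagated (the user no longer appears in the account's user list), estimating how long a still-valid IAM access token would keep granting residual access, and listing the resources the removed user created so they can be reviewed or re-owned. The script below is an added example and not code from this post or from IBM; it assumes user and resource records shaped like the constructed samples in the file (in practice you would feed it the output of your account's user and resource listings) and that an IAM access token is a JWT carrying an `exp` claim in epoch seconds. The token signature is deliberately not verified, because the goal is only to read the expiry of a token you already hold, not to trust it.

```python
"""Offboarding follow-up checks for an IBM Cloud account (added example).

Assumptions (not from the original post): user and resource records are
plain dicts shaped like the constructed samples below, and an IAM access
token is a JWT whose payload carries an ``exp`` claim in epoch seconds.
"""
import base64
import json
import time
from typing import Dict, List, Optional


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_constructed_token(sub: str, exp: int) -> str:
    """Build a JWT-shaped token with a dummy signature, for demonstration only."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"sub": sub, "exp": exp}).encode())
    return f"{header}.{payload}.constructed-signature"


def jwt_payload(token: str) -> dict:
    """Return the claims of a JWT without verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT (expected three dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))


def residual_access_seconds(token: str, now: Optional[float] = None) -> int:
    """Seconds until the token's exp claim; 0 once it has expired."""
    now = time.time() if now is None else now
    return max(0, int(jwt_payload(token)["exp"] - now))


def removal_propagated(users: List[Dict], removed_id: str) -> bool:
    """True once the removed user no longer appears in the account user list."""
    return all(u["id"] != removed_id for u in users)


def resources_left_by(resources: List[Dict], removed_id: str) -> List[str]:
    """Names of resources the removed user created; they keep running after removal."""
    return [r["name"] for r in resources if r["created_by"] == removed_id]


def offboarding_report(users: List[Dict], resources: List[Dict], removed_id: str,
                       token: Optional[str] = None, now: Optional[float] = None) -> Dict:
    """Summarize what still needs attention after the user-remove step."""
    return {
        "propagated": removal_propagated(users, removed_id),
        "residual_token_seconds": residual_access_seconds(token, now) if token else 0,
        "resources_to_review": resources_left_by(resources, removed_id),
    }


# Constructed sample data standing in for real account listings.
USERS_BEFORE = [
    {"id": "IBMid-OWNER", "email": "owner@example.com"},
    {"id": "IBMid-EXAMPLE", "email": "leaver@example.com"},
]
USERS_AFTER = [{"id": "IBMid-OWNER", "email": "owner@example.com"}]
RESOURCES = [
    {"name": "orders-api", "type": "cf-app", "created_by": "IBMid-EXAMPLE"},
    {"name": "db-prod", "type": "service", "created_by": "IBMid-EXAMPLE"},
    {"name": "web-vm", "type": "vm", "created_by": "IBMid-OWNER"},
]

if __name__ == "__main__":
    tok = make_constructed_token("IBMid-EXAMPLE", exp=1_700_003_600)
    print(offboarding_report(USERS_AFTER, RESOURCES, "IBMid-EXAMPLE", tok, now=1_700_000_000))
```

Run the check repeatedly after the removal until `propagated` is true; `residual_token_seconds` tells you the longest window during which an already-issued token could still be accepted, and `resources_to_review` is the list to walk through when rotating credentials or reassigning ownership of what the user left behind.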

Read the offboarding blog post for details on how to remove the user and how to follow up. If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik) or LinkedIn.