Posted 10 years 1 month 3 weeks ago.

Most projects and companies have a clearly defined process for onboarding new people onto projects. They have a well-defined list of accesses and credentials to be provided as soon as the person joins the project.

But there is hardly ever a checklist for de-boarding: the list of things to check off when relieving a vendor/employee from a Drupal project.

This is one such checklist, built over a couple of exercises in trying to put together a definitive list of accesses/accounts to be revoked when de-boarding a member from a typical Drupal project.

  1. Change the Drupal Site admin username / password

    If the admin (uid = 1) credentials have been shared with the vendor, the password should be changed. If the vendor has been given a separate user account on the Drupal site with special privileges, that account should be blocked or deleted. If the site-admin on Drupal Site Information is that of the vendor, it should be changed.

  2. Remove Public Keys on Servers

    If the vendor’s public keys have been uploaded onto any of your servers, it is time to delete these public keys.

  3. Revoke access to Code Repositories

    Ensure that the vendor is taken off the project on code repositories like GitHub where the vendor has been provided an account.

  4. Change Cloud Services Passwords

    If you are using any SaaS/PaaS products and the vendor has been provided an account on the subscription, or if the admin credentials have been shared, then the account should be deactivated or the admin password should be changed.
    Ex: Hosting platforms like Acquia Cloud / Pantheon subscriptions, hosted Jenkins, Google Analytics, CDN, Google Webmaster Tools, AdSense, Salesforce, etc.

  5. Change ownership of Social Apps or Profiles

    It could be that the vendor owns the FB app that is used for FB Connect login on the website, or that the vendor has created and has sole access to the Facebook page, YouTube channel, or Twitter account related to your website. The ownership of these accounts should be changed, or the passwords taken over and changed.

  6. Acquire Products or Software purchased through Vendor

    Ex: You could be using a premium / purchased Drupal theme on your site which was purchased and implemented by the vendor. Care should be taken that the original copy of such software purchased and the purchase details are acquired and preserved.

  7. Change Notification Email Address given to Monitoring Services

    Monitoring Software / Services like Nagios, NewRelic might be configured to alert the Vendor currently. It should be ensured that the email addresses.

  8. Revoke Access to Shared Docs

    If you use Google Docs and have any docs there, ensure that the vendor’s access to these docs is revoked.

  9. Revoke access to Servers

    SSH logins, FTP credentials to servers, etc. Ensure that everything that allows the vendor to access the servers is revoked.

  10. Take control of your company’s account

    Many companies have a unified d.o account through which any contribution to Drupal / contrib modules from the company goes. If you have one and it has been shared with the vendor, ensure that the account is taken back and protected.

  11. Revoke access to Project Management and Bug Tracker tools

    Basecamp, Jira, Mantis, Starteam, Confluence - The vendor is probably there on all these tools that you use. Ensure that the vendor is taken off the project/subscription on all the Project Management tools.

  12. Remove Vendor from Project Group Chat

    Most Projects have group chats, sometimes on services like Skype. If you have one of those, it is time to remove the vendor from the group chat.

  13. Change pass-codes of Conference Call Lines

    If you are using GlobalMeet or similar conferencing utilities for conference calls, ensure that the guest pass-codes are changed.

  14. Revoke VPN Access

    If your project/company has provided a VPN to allow access to your secure network, ensure that the access to the VPN is revoked.

  15. Acquire/Revoke Physical Keys / access cards to offices / datacentres

    Last but not least, ensure the physical keys and access cards that allow access to the office / datacenter of the project are taken back/revoked.
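
For items 2 and 9, one way to locate and remove a departing vendor's SSH public key, even when the entry carries an options prefix or a different comment. This is an added example, not part of the original post; it assumes the default `~/.ssh/authorized_keys` locations and that you hold a copy of the vendor's `.pub` file, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit authorized_keys files for a departing vendor's key.
# Matching is on the base64 key body, so a changed comment or an options
# prefix (from="...", command="...") does not hide the entry.

# key_blob PUBFILE: print the base64 body of a "type blob comment" .pub file
# (assumes the plain format ssh-keygen writes, with no options prefix).
key_blob() {
    awk 'NF >= 2 { print $2; exit }' "$1"
}

# find_key BLOB FILE...: print "file:line" for every entry carrying that key.
find_key() {
    blob=$1; shift
    for f in "$@"; do
        [ -r "$f" ] || continue
        awk -v b="$blob" -v f="$f" '
            /^[[:space:]]*#/ { next }            # skip comment lines
            { for (i = 1; i <= NF; i++)
                  if (($i "") == (b "")) { print f ":" NR; break } }
        ' "$f"
    done
}

# remove_key BLOB FILE: drop matching entries; the original is kept as FILE.bak.
# The file is rewritten in place, so its owner and mode are unchanged.
remove_key() {
    blob=$1; f=$2
    cp -p "$f" "$f.bak" || return 1
    awk -v b="$blob" '
        /^[[:space:]]*#/ { print; next }
        { for (i = 1; i <= NF; i++) if (($i "") == (b "")) next; print }
    ' "$f.bak" > "$f"
}

# Report-only mode when run as a script, e.g. as root:
#   sh audit_keys.sh vendor.pub /root/.ssh/authorized_keys /home/*/.ssh/authorized_keys
if [ "$#" -ge 2 ]; then
    pub=$1; shift
    find_key "$(key_blob "$pub")" "$@"
fi
```

Removing the entry only blocks new logins; SSH sessions the vendor already has open stay connected until they are closed.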

This post has definitely missed things that would make it comprehensive. If you have something that should go into this list, drop in your comments below.



Submitted by tanay on Tue, 03/25/2014 - 04:52