#3813 [RFE] Provide user lifecycle managment capabilities
Closed: Fixed None Opened 10 years ago by dpal.

Right now IPA allows only to enable/disable users. But disabled users will show up in the searches.

It would make sense to have a more mature user lifecycle management.
Here is an example of what we might want to consider implementing.

When HR team assigns a new account in HR system, the initial user object is stored is provisioned into IPA but it is created in a staging area for example subtree called 'Pending'. Once the account has been created with uid/gid/username calculated, it is
'moved' to ou=Users. When the user terminates, the user object is moved
to say 'Deleted' and is out of the view of normal systems doing user lookups. The object is stored in 'Deleted' until the user returns back (contractor for example). Once the user returns, their object is moved back to the main tree preserving his uid/gid/username/etc attributes.

Group membership should probably not be preserved. However we might want to allow automembership rules trigger on the transfer from Pending to Normal rather than on creation (something to think about).

The account creation/termination process is also SOX-controlled, so we
will need to make sure we have sufficient access control rules and permissions defined regarding who can create, remove or move accounts around.

Looks like a duplicate to #3911...

I have side note: 'User Life Cycle' also includes things like renaming (e.g. after marriage) etc. It would be nice if we can find a solution for such situations.

First part pushed to master:

  • 04ea75a User Life Cycle: create containers and scoping DS plugins

Part of the previous patch had to be reverted as it stopped generating DNA for objects in cn=trusts,SUFFIX and broke Trusts:


  • 7fc4f60 User Life Cycle: DNA scopes full SUFFIX

David will help with review.


  • c3ede5f User Life Cycle: Exclude subtree for ipaUniqueID generation
  • d1691ee User life cycle: stageuser-add verb


  • c200091 User life cycle: allows MODRDN from ldap2


  • f2e986e User life cycle: new stageuser commands del/mod/find/show
  • 0ebcc5b User life cycle: new stageuser commands activate
  • 699dd77 User life cycle: new stageuser commands activate (provisioning)
  • 4ef3296 User life cycle: user-del supports --permanently, --preserve options and ability to delete deleted user
  • 2744326 User life cycle: user-find support finding delete users
  • 0b644eb User life cycle: support of user-undel
  • c9e1ad0 User life cycle: DNA DS plugin should exclude provisioning DIT
  • 51937cc User life cycle: Stage user Administrators permission/priviledge
  • 273fd05 User life cycle: Add 'Stage User Provisioning' permission/priviledge

Web UI with prerequisites:


  • a4c0f78 webui: update patternfly to v1.1.4
  • 69bc4f4 webui: rename IPA.user_ to IPA.user.
  • c352616 webui: declare search command options in search facet
  • de374a0 webui: register construction spec based on existing spec
  • ae62bd6 webui: entity facets in facet registry
  • 2be8eeb webui: entity menu items navigate to main entity facet
  • 6bcb90e webui: prefer entity fallback in menu item select
  • 8f60139 webui: navigation: do not remember selected childs of menu item
  • 6a2b486 webui: navigation: unique names on entity facet menu items
  • 17aafc3 webui: metadata validator min and max value overrides
  • 3c2a8b4 webui: custom facet groups in a facet
  • 435f933 webui: facet groups widget
  • 8d8b56d webui: allow to replace facet tabs with sidebar
  • cae2df2 webui: allow to hide facet tabs or sidebar
  • bf7ee6e webui: facet policies for all facets
  • 1452559 webui: stageuser plugin
  • 64e87d5 webui: extend user deleter dialog with --permanent and --preserve options
  • 5264728 webui: update stageuser/user pages based on action in diffrent user search page
  • 99d282d webui: stageusers, display page elements based on user state
  • 7ddcff3 webui: prefer search facet's deleter dialog


  • 98e4c6d Uid uniqueness: fix: exclude compat tree from uniqueness


  • 943c539 ULC: fix: upgrade for stage Stage User Admins failed


  • 6960725 User life cycle: provide preserved user virtual attribute


  • 1d60825 User life cycle: change user-del flags to be CLI-specific
  • baca55c webui: adjust user deleter dialog to new api


  • ffd6b03 User life cycle: permission to delete a preserved user

The functionality is there. From now on, the feature is in bugfixing mode.



  • a14c4b5 Automated test for stageuser plugin


  • b648d12 Automated test for stageuser plugin

Metadata Update from @dpal:
- Issue assigned to tbordaz
- Issue set to the milestone: FreeIPA 4.2

7 years ago

Log in to comment on this ticket.