2023-12-18T12:43:44  *** teepee_ is now known as teepee
2023-12-18T13:32:38  <malcolmlewis> acidsys, do you have some free time available today to look at munging an IDP user, or you can't do that?
2023-12-18T14:19:09  <matrix-o-o> <Jacob Michalskie> hm, is something up with the vpn, I can't seem to connect
2023-12-18T16:50:17  <acidsys> hi malcolmlewis, I am here now
2023-12-18T16:52:15  <malcolmlewis> hey, give me 10 minutes?
2023-12-18T16:52:16  <acidsys> matrix-o-o: I'm connected, what is the error message
2023-12-18T16:52:20  <malcolmlewis> acidsys, ^^
2023-12-18T16:52:31  <acidsys> ok
2023-12-18T16:54:25  <acidsys> is it about the email?
2023-12-18T16:55:46  <acidsys> if yes I do not think we can/should delete anything but rather anonymize .. for which it would be good to have some legal clarity on which parts need to be considered ..
2023-12-18T16:59:20  <malcolmlewis> acidsys, it is :) So is this possible in IDP?
2023-12-18T16:59:44  <acidsys> in IDP we decided some time ago to not delete any users
2023-12-18T17:00:16  <acidsys> because doing so another person can register the username and gain access to user data in other applications which still have it in their database
2023-12-18T17:00:43  <malcolmlewis> acidsys, so that's on SUSE ;) So, we can't anonymize in Discourse AFAIK because we have no access to the username and email fields
2023-12-18T17:02:00  <acidsys> it's possible to do in the Discourse database but changing the username has a similar problem
2023-12-18T17:02:27  <malcolmlewis> acidsys, so is it possible to deactivate in IDP and link to a generic no-login type user?
2023-12-18T17:02:39  <acidsys> I change username "bar" in Discourse to "foo_123" in the Discourse DB, someone registers "foo_123" in IDP and when they log in to the forums they get access to bar's data
2023-12-18T17:02:53  <malcolmlewis> ahhh
2023-12-18T17:03:11  <acidsys> ideally there needs to be a standard dummy IDP account like "GDPR_Deleted" which can then get used in the various apps as a safe placeholder for this
2023-12-18T17:04:02  <malcolmlewis> yup, so is there anything in there like that at present?
2023-12-18T17:04:07  <acidsys> but who's to standardize it; I mean I can register it but then I'm the one with access to everyone's "deleted" data? :P
2023-12-18T17:04:41  <acidsys> hence I would like some process clarity ... with legal and SUSE IAM and Heroes
2023-12-18T17:05:13  <malcolmlewis> acidsys, exactly, which was proposed in the email...
2023-12-18T17:06:45  <malcolmlewis> acidsys, at the end of the day, because of this link, all we need really is notification that bar has changed to foo_123
2023-12-18T17:07:51  <acidsys> if that is sufficient then I guess so
2023-12-18T17:09:48  <malcolmlewis> we could also suspend that user (eg GDPR_Deleted) forever, so no one can get to the forum...
2023-12-18T17:10:50  <malcolmlewis> or no posting, then could setup and email for this user to be notified, maybe?
2023-12-18T17:11:23  <acidsys> right having it disabled would be good
2023-12-18T17:11:44  <malcolmlewis> that's easy to do...
2023-12-18T17:13:15  <malcolmlewis> acidsys, let me summarize this in an email to set some bullet points to discuss at the meeting (TBA)?
2023-12-18T17:13:37  <acidsys> okey
2023-12-18T17:14:00  <acidsys> it would also be good to somewhat hint that forums are not the only opensuse.org service someone could have potentially logged in to ..
2023-12-18T17:15:37  <malcolmlewis> acidsys, yes, that was going to be a key one! ;)
2023-12-18T17:15:50  <acidsys> kewl
2023-12-18T17:23:13  <cboltz> FYI, to avoid reinventing the wheel: we have a page in the admin wiki listing most (maybe not all) services and the user data they store
2023-12-18T17:40:35  <malcolmlewis> cboltz, do you have a link?
2023-12-18T17:41:54  <acidsys> it's here: https://progress.opensuse.org/projects/opensuse-admin-wiki/wiki/GDPR
2023-12-18T17:42:02  <acidsys> very incomplete imo
2023-12-18T17:44:05  <malcolmlewis> acidsys, thanks :)
2023-12-18T19:20:56  *** teepee_ is now known as teepee