Roundup Tracker

In https://github.com/python/psf-infra-meta/issues/36, mwichmann opened a discussion about removing a user and the problem of doing so without losing information or breaking links in Roundup.

Roundup doesn't delete objects like users. Retiring an object is the preferred way to do this. A retired object/user doesn't show up in lists (like the nosy selector, assigned to, etc.). It does stay in places where it was assigned. E.g., if you retire somebody on a nosy list, the username will still be shown there. Also, by default the user object can still be seen in the web interface if the URL for that user is entered into the browser.

However, tracker permissions can be modified to reject access if the user object is retired. The user could still be seen by users with the Admin role. This is probably the best way to "forget".

Also you can:

  1. Overwrite identifying info (username, real name, organization, etc.) and retire the user object. Set up the schema so that a retired user's record is not accessible (except by admins). This keeps the username available. This preserves an entry for fields that reference the user object while anonymizing/eliminating PII.
  2. If more than that is required, overwrite the identifying info and purge journal records for the user object except for the creation record. Also the username could be changed to "ghost 1", "ghost 2", etc. (similar to GitHub's single ghost user). However, this preserves the anonymous user as a separate entity. Purging the journal records breaks the link between the original user data and the new overwritten data, so some manual record (or backups) might be needed to deal with any identification requirements. If the info and history/journal are removed, the user record could be shown without disclosing the original username, realname, etc.

Keeping the user reduces the number of entries that need to be accessed should it be required in legal discovery. E.g., if "ghost 23" posted a company's IP info, it's a lot easier to audit all of "ghost 23"'s entries rather than auditing the entry for every ghost user (as GitHub's single ghost user, for all deleted users, would require).

Retirement is usually done via the XML-RPC or REST interfaces or via the roundup-admin CLI tool. A web page and new action could be created to retire the object and overwrite all the PII and username via the web. The right to retire a user can be limited to the user or people who have the Admin role using web page and auditor controls. Also, a new UserRetire role could be created to permit other users to retire a user.

Deleting journal entry

If you are using a sql backend:

delete from user__journal where nodeid = 5 and action <> 'create';

will delete all journal entries except the initial creation entry for user5.

This should be doable from roundup-admin, but that requires issue 2551133 to be implemented (good first time ticket).
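
The journal purge above, wrapped in one transaction with a bound parameter and a check that the creation record exists before anything is deleted. This is an added example, not part of the original page or Roundup's own code. It runs against a constructed in-memory SQLite table: only the table name and the nodeid and action columns come from the page, while the other columns, the sample rows and the function names are assumptions.

```python
import sqlite3

# Constructed stand-in for the journal table; only the table name and the
# nodeid/action columns come from the page, the other columns are assumed.
SCHEMA = "CREATE TABLE user__journal (nodeid INTEGER, date TEXT, tag TEXT, action TEXT, params TEXT)"

# Constructed sample rows: user 5 has history to purge, user 6 must stay untouched.
SAMPLE_ROWS = [
    (5, "2020-01-01", "1", "create", "{}"),
    (5, "2020-02-01", "1", "set", "{'realname': 'Old Name'}"),
    (5, "2020-03-01", "1", "set", "{'username': 'oldname'}"),
    (5, "2020-04-01", "1", "retired", "{}"),
    (6, "2020-01-05", "1", "create", "{}"),
    (6, "2020-02-05", "1", "set", "{'realname': 'Other'}"),
]


def make_sample_db():
    """Build the constructed in-memory journal table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO user__journal VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def purge_user_journal(conn, nodeid):
    """Delete every journal row for one user except 'create'; return rows deleted."""
    nodeid = int(nodeid)  # rejects designators such as "user5" and any injected text
    with conn:  # one transaction: commit on success, roll back on any error
        kept = conn.execute(
            "SELECT COUNT(*) FROM user__journal WHERE nodeid = ? AND action = 'create'",
            (nodeid,),
        ).fetchone()[0]
        if kept != 1:
            raise ValueError(f"expected one create record for user{nodeid}, found {kept}")
        cur = conn.execute(
            "DELETE FROM user__journal WHERE nodeid = ? AND action <> 'create'",
            (nodeid,),
        )
        return cur.rowcount


def journal_actions(conn, nodeid):
    """Return the remaining journal actions for a user, oldest first."""
    rows = conn.execute(
        "SELECT action FROM user__journal WHERE nodeid = ? ORDER BY date", (nodeid,)
    )
    return [r[0] for r in rows]
```

Record the returned row count alongside whatever manual record or backup is kept for identification requirements, since the purge itself leaves no trace in the journal.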