Merge pull request #108 from brianhlin/INF-1179.comanage-ops

Add instructions for revoking AP login access (INF-1179)

docs/policy/comanage-instructions-admin.md → docs/operations/comanage.md

@@ -1,15 +1,18 @@
-Approving COManage Registrations
-================================
+COManage Operations
+====================
 
 OSG is using a new identity management system called COManage.
 This system is used for managing contact information for OSPool and PATh Facility users, Topology site contacts, and
 OSG/PATh staff.
 
-User registrations must be manually approved by a COManage admin.
-Follow the instructions below to approve a user registration.
+Contact Registration
+--------------------
+
+Contact registrations must be manually approved by a COManage admin.
+Follow the instructions below to approve a contact registration.
 
 !!! note
-    This page is for COManage Admins who want to approve user registrations.
+    This page is for COManage Admins who want to approve contact registrations.
     If you are a user who wants to register with COManage,
     go to the [Registering for the OSG COManage](https://osg-htc.org/docs/common/contact-registration) page instead.
 
@@ -56,6 +59,29 @@ Follow the instructions below to approve a user registration.
 
 1.  The user will get an email saying "Petition for <NAME> changed status from Pending Approval to Approved".
 
+Revoking AP login access
+------------------------
+
+Login access to AP1 (PATh Facility) and AP40 (OSPool) is controlled by membership to COManage groups.
+To revoke a user's login access to either of these APs, perform the following steps:
+
+1.  Find the corresponding user in [COManage](https://registry.cilogon.org/registry/co_dashboards/search?q=&co=7) and
+    revoke access to all OSG services or just the relevant AP:
+
+    1.  If you are revoking access to all OSG services, set the user's CO Person status to `Suspended`
+
+    1.  If you only need to revoke access to AP1 or AP40, remove the user from the `ap1-login` or `ap40-login` group,
+        respectively
+
+1.  Note the `OSG Username` identifier of the user
+
+1.  On the AP host(s) where you are revoking access, clear the SSSD cache as root:
+
+        :::console
+        root@ap-host # sss_cache -u <OSG Username>
+
+    Replacing `<OSG Username>` with the `OSG Username` identifier that you noted in step (2)
+
 Troubleshooting
 ---------------
 

docs/policy/software-support.md

@@ -66,7 +66,7 @@ If you are on triage duty, your responsibilities are as follows:
         tackle the issue again.
 
 -   **Review and approve/deny COManage site contact registrations:**
-    Follow the instructions to review site contact registrations [here](comanage-instructions-admin.md).
+    Follow the instructions to review site contact registrations [here](../operations/comanage.md#contact-registration).
 
 -   **Review Topology data pull requests:**
     Review any [Topology PRs](https://github.com/opensciencegrid/topology/pulls) that update anything in the

mkdocs.yml

@@ -31,6 +31,8 @@ nav:
       - How to Request Tokens: 'software/requesting-tokens.md'
     - Technologies:
       - OSPool Containers: 'software/ospool-containers.md'
+    - Operations:
+      - COManage: 'operations/comanage.md'
     - Software Support: 'policy/software-support.md'
     - Effort Tracking: 'software/effort-tracking.md'
     - Release Planning: 'software/release-planning.md'
@@ -57,7 +59,6 @@ nav:
     - Container Release Policy: 'policy/container-release.md'
     - 'Community Testing': 'policy/community-testing.md'
     - New OSPool User Registration: 'policy/new-ospool-user.md'
-    - Approving COManage Registrations: 'policy/comanage-instructions-admin.md'
     - Handling Topology/Contacts Registrations: 'policy/topology-registration.md'
   - Documentation:
     - Writing Documentation: 'documentation/writing-documentation.md'