For Domino Administrators considering deactivating old users, you may be wondering what the impact will be on those users' workloads, as well as the implications for the projects they own. This article outlines the various workloads and the expected impact of deactivating the owning user.
Executions
Current running Jobs (script executions)
If a Job is currently running when a user is deactivated, the Job will continue to run. However, the Job will begin to exhibit errors in the User Output if it reaches an interval to refresh the access token and the job may not complete:
2022-11-09 11:31:53 : INFO:__main__:-- Refreshing access token --
2022-11-09 11:31:53 : ERROR:__main__:Attempt to refresh failed due to an HTTP Error HTTP Error 400: Bad Request POSTing to http://keycloak-http.domino-platform/auth/realms/DominoRealm/protocol/openid-connect/token
Scheduled Jobs
Scheduled Jobs will trigger, but will not be able to complete due to a token error:
2022-11-09 12:57:15 : INFO:__main__:-- Preparing access token --
2022-11-09 12:57:15 : ERROR:__main__:Attempt to refresh failed due to an HTTP Error HTTP Error 400: Bad Request POSTing to http://keycloak-http.domino-platform/auth/realms/DominoRealm/protocol/openid-connect/token
2022-11-09 12:57:41 : Preparing working directory.
2022-11-09 12:58:12 : Preparing working directory.
2022-11-09 12:58:42 : Preparing working directory.
2022-11-09 12:59:12 : Preparing working directory.
2022-11-09 12:59:15 : INFO:__main__:-- Preparing access token --
2022-11-09 12:59:15 : ERROR:__main__:Attempt to refresh failed due to an HTTP Error HTTP Error 400: Bad Request POSTing to http://keycloak-http.domino-platform/auth/realms/DominoRealm/protocol/openid-connect/token
Workspaces
Any Workspaces left running by the deactivated user will continue to run. These can be stopped by a Domino Administrator.
Apps
Apps will continue to run and be accessible according to the Access Permissions set up by the App owner. Apps can be managed by any active Project Collaborators, or Domino Administrators.
Model APIs
Model APIs will continue to run and can be invoked according to the permissions set by the Model API owner. Model APIs can only be modified by Domino Administrators, or active users specifically added as Collaborators to the Model API (this is a separate action than being added as a Collaborator to a Project).
Project with Collaborators
If you deactivate the owner of a Project that has Collaborators, those Collaborators will retain access to the project. Collaborators' access will continue to be consistent with Domino Collaborator Permissions. The project itself can only be archived or transferred to a new owner by a Domino Administrator.
As noted under Model APIs above, Model API Collaborators are set separately from Project Collaborators. A user who is a Collaborator on a Project will not be able to manage Model APIs whose source files are in said Project unless they are also a Collaborator on the Model API.
Other Considerations
Perhaps the most important implication of deactivating a Domino user is the running Executions that are left behind, using resources and potentially costing money. A Domino Administrator can search for a username in current Executions in the Domino Admin UI under Executions to view what a particular user may have running.
Comments
0 comments
Please sign in to leave a comment.