The basic level of administration in www.cacert.org is called system admin. This is set in your normal member account by the Application Engineer (3rd line support) when a new SE is approved. Once set, additional features become available. You can use them to set some specialist levels as well.

operating

System admin adds an additional menu item, bottom right, with two options Find User and Find Domain.

system_admin_menu1.png

Search features systems use % as a wildcard. E.g., %cacert% will find all with cacert in them.

find_user1.png

The User Display

Using the Find User interface, SE can open the Details of the user account. This is similar to the details seen by the member herself, but with more system options.

Name. Top block of Name/DoB details are changeable, hit Go. Note that this requires authorisation from Arbitrator, or should be a zero-points account.

Flags:

Password Qs: Clicking this will show you the secret password questions of the member. Only click when engaged in recovery with member. A message of warning will be sent to the member. Record this event, as a user will complain if it is not expected, and we need to figure out who did it and why.

Show Assurances. Two links give two tables at bottom of page.

Misc

Orgs

When approved, the Organisation Assurer button can be turned on for an account. This provides more options to the OA.

Note that domains in ORG accounts need Org Admin as well to see properly.

About Deleting and Deactivating Accounts

go instead Delete Account Procedure for Support-Engineers v3

This is written from a theoretical point of view by playing a bit with the testsite. It has to be reviewed by an experienced Support Engineer. Till this is done use with extreme caution, but it looks like someone has to start! BernhardFröhlich

Before deactivating an account, usually it should be made sure that no resources like mail addresses or domains are used (and thereby blocked) by the account. Also certificates might have to be revoked.

The process is in summary this:

  1. Take a snapshot of the account information and send to the Arbitrator (if the Arbitrator requests this).
  2. Hijack the account.
  3. Set the fields to dummy values.
  4. Set the account as "blocked".
  5. Report back to the Arbitrator that it is done.
  6. Forget the password.

Hijacking the Account

Currently this can not be done using the standard admin interface, so the account has to be "hijacked" by the SE. To hijack an account just set the password of the account to a random value (if possible, generated by some true random generator). Then you can use the newly set password to log in to the account and do whatever the rightful owner could have done with it.

Process of Account "removal"

Especially, these steps are done on the account.

Remember that, once you have done this, the rightful owner of the account cannot log in to the account any more, and the account is not usable in any fashion. But the data trail is preserved internally, if it is ever required.

Delete from webinterface

The "Delete Account" link on the web interface does the following:

(N.B.: The revocation timestamps of certificates is set to "1970-01-01 10:00:01". IMHO it should be set to the current timestamp...)

So, strictly speaking the "delete" link does not delete database records, it just marks them as deleted, so they won't show up in the web application. Someone with SQL access to the database may still look up the status of the account at the time when it was "deleted" and may even restore most of the account.

I'm not sure if this satisfies data protection laws if a user requests deletion of his/her personal data...


Support/SE/Manual (last edited 2011-11-27 08:30:56 by Werner Dworak)