10.5. Former Employees Keep Accessing the Server

As an administrator, you'll have to deal with employee turnover. You know how to add accounts for new employees. But when current employees leave the organization, there's more to do. You have to make sure important emails don't get lost, files are transferred to people who know what to do with them, and the account is deleted.

Naturally, employee situations can get more complex, such as when someone goes on medical leave or is transferred internally. What you do depends in part on your corporate policies, and may be affected by factors such as security clearances.

Things can get more sensitive with employees who are leaving, voluntarily or otherwise. Therefore, you want to be able to explain what you do clearly to nontechnical users. If there are other interested parties, such as the U.S. Department of Defense, you may have to demonstrate how your actions comply with their policies.

In addition, what you share from a user may be subject to privacy laws of your state, province, or country. For example, you may not be allowed to copy stored emails from one user to another. If there are conflicts, consult with your management.

10.5.1. When an Employee Leaves

When an employee leaves a company or organization for good, you'll have to take care of the following things:
Whatever you do, you'll need to make sure that it's consistent with the policies of your company or organization.

It's best for your organization if you have advance notice of any pending layoffs or terminations. If you do, you can back up the files from the accounts of targeted users and disable access at appropriate times. Needless to say, this is a serious responsibility that assumes trust from your supervisors. You need to know how to keep this kind of information confidential and secure. If you do not, your position may be at risk.

The steps I describe in this annoyance are just suggestions, which you may want to change depending on your corporate policies.

10.5.1.1. Transfer files and delete an account

Before you delete the account of any employee, you'll need to save that user's files. You need to make sure any files related to work are transferred to appropriate users. In other words, take the following steps:
10.5.1.2. Transferring an account

Unless you want to dedicate a specific account to a job position, it's generally best to delete old accounts after appropriate files have been saved. I describe what you can do to transfer an account later in this annoyance.

10.5.1.3. Managing email

If an employee is leaving, you need to make sure that any business email is transferred to appropriate contacts. There are a couple of basic ways to arrange email forwarding. As they go beyond Linux, I'll describe them in general terms.
You may see options for domain forwarding in your email server, which forwards all emails associated with your domain to a different domain. This is generally not appropriate, unless your corporate identity is changing in some way.

10.5.2. When an Employee Leaves Temporarily

Employees may leave temporarily for many reasons. Some may leave to care for children or infirm relatives. Others may leave to go to school full-time. Still others may leave temporarily for medical reasons.

If the leave is not too long, it makes sense to retain that user's account. You could disable it, and provide access to that user's home directory to others.

However, longer leaves suggest that the user may be placed in a different job after his or her return. Others will have to take over responsibilities for the person on leave. When the employee returns, it may make more sense to treat the person as a new employee, at least with respect to his or her user account.

The definition of a "temporary" leave is a matter of policy for your organization. If that policy is not already defined, you may use the guidelines described in this annoyance to help.

In this section, I assume that the leave is temporary and the user will return to his or her previous position. In that case, you should:
10.5.2.1. Disabling an account

When you disable an account, you're disabling logins to that account. You do not change or delete any files or directories associated with that user's account, especially her home directory.

As described earlier, the most straightforward way to disable access is to modify the password column in the /etc/passwd or /etc/shadow configuration files. I described this process earlier in this annoyance.

10.5.2.2. Provide access to appropriate users

While the user is on leave, others will need access to her files. Where possible, consult with that user and her management.

Linux certainly makes it easy for administrators to copy files from one user's home directory to another. But you don't want to transfer all files, unless you want to overwrite the defaults, bookmarks, and other settings of the user who is taking over the responsibilities of the user on leave.

10.5.3. When an Employee Is Transferred

Sometimes, all you need to do is transfer an account. Perhaps a supervisor has been promoted. Perhaps a materials buyer in the company has been replaced. If you've configured special groups for that user, it may be easier to transfer the account, rather than creating a new account and adding it as a member of the special group.

With these factors in mind, transferring an account involves different challenges. You're setting up the original user's files for a new job and configuring that account for her successor. I assume the employees who are moving have accounts on different servers, run by different administrators. To make the transfer, I suggest the following steps:
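Added example for section 10.5.2.1 (Disabling an account), not part of the original text: a shell audit that reads shadow(5)-format lines and reports which accounts still have a usable or empty password column. The sample entries and function names are constructed for illustration; the example goes beyond the text by also reading the expiry field and checking for an authorized_keys file, because passwd(1) notes that a locked password does not stop logins through other credentials such as SSH keys.

```shell
#!/bin/sh
# Added example: audit shadow(5)-format entries for accounts that can still log in.
# Fields: name:password:lastchg:min:max:warn:inactive:expire:reserved

# Constructed sample entries; the hashes are placeholders, not real values.
SAMPLE_SHADOW='alice:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19000:0:99999:7:::
bob:!$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19000:0:99999:7:::
carol:!!:19000:0:99999:7:::
dave::19000:0:99999:7:::
erin:!$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19000:0:99999:7::1:
svc:*:19000:0:99999:7:::'

# account_states TODAY: read shadow lines on stdin, print
# "name password-state expiry-state"; TODAY is days since 1970-01-01.
account_states() {
    awk -F: -v today="$1" '
    NF >= 8 {
        if ($2 == "")            pw = "EMPTY"      # no password required
        else if ($2 ~ /^[!*]/)   pw = "locked"     # "!" or "*" prefix: no hash can match
        else                     pw = "usable"
        # A positive expire value on or before today means the account is expired.
        ex = ($8 != "" && $8 + 0 > 0 && $8 + 0 <= today + 0) ? "expired" : "not-expired"
        print $1, pw, ex
    }'
}

# still_open TODAY: names whose password field still permits a login.
still_open() {
    account_states "$1" | awk '$2 != "locked" && $3 != "expired" { print $1 }'
}

# key_login_possible HOME_DIR: succeeds if a non-empty authorized_keys file
# exists, which a locked password alone does not neutralise.
key_login_possible() {
    [ -s "$1/.ssh/authorized_keys" ]
}

today=$(( $(date +%s) / 86400 ))
printf '%s\n' "$SAMPLE_SHADOW" | account_states "$today"
```

On a live system the same functions can be fed from `/etc/shadow` as root instead of the sample variable.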