Skip to content

Create a unique ghost user when a user is deleted

Problem

When a user is deleted from a GitLab instance, some associated records are left behind and attributed to Ghost User. The user itself is removed from the users table, disposing of identifiable information.

For meeting requirements like GDPR's right to be forgotten, this is good. It also gives users control over their data on GitLab.com.

However, this is a problem for organizations who might be using GitLab.com and need an audit trail. If a user in an organization deletes their own account, all their comments and merge requests would be assigned to Ghost User. If multiple users in an organization using GitLab.com delete their account, it becomes very hard to ascertain which artifacts belonged to which user. All surviving associated records are attributed to the same Ghost User, and can't be differentiated.

Proposal

  • Instead of always assigning surviving associated records to Ghost User, assign these records to a unique Ghost User that we create when an account is deleted.
    • Ghost User accounts, therefore, should map 1:1 with deleted user accounts.
  • Append a unique identifier at the end of each newly created Ghost User. This can simply be a number that we increment (Ghost User 6).

Ghost Users should not increment the licensed seat count.

Edited by Jeremy Watson (ex-GitLab)