Skip to content

Increased deactivation threshold to 180 days

Jeremy Watson (ex-GitLab) requested to merge user-deactivation-minimum-days-extend into master

What does this MR do?

Fixes #34692 (closed)

This MR extends the deactivation threshold introduced in 12.4 in !17037 (merged), #22257 (closed).

The need for this change was discussed at the E-Group Meeting on 2019-10-22 and discussed further on Slack. Stakeholders in GitLab are concerned that we don't understand the business implications of this change well enough to include this approach in our first iteration. There's a chance that the release of this feature could spur deactivations at scale, and since we haven't released a feature like this before - we can't accurately assert what impact this change will have.

Instead, our plan is to extend the deactivation threshold to a horizon that we feel is low-risk, take time to better understand the effects of this change, and then lower the threshold in the future when we understand the impact.

Since this MR reduces an unknown risk to GitLab's bottom line, we should consider this high priority and consider it for merging into the next patch release.

We've also merged in a handbook change to reduce the risk of this happening in the future: gitlab-com/www-gitlab-com!32994 (merged)

Screenshots

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team
Edited by Ben Bodenmiller

Merge request reports