Deleting users is a common practice with account management. Currently, Cve-Services only allows for deactivating users, which could cause confusion or other complications. We should discuss whether or not to implement this feature and how it would work.
Definition of Done
Consider restrictions
Only available to Org admins and Secretariat
Ensure Orgs have at least 1 admin (we have middleware that checks this when removing user roles)
The functionality exists to mark users as inactive by an Org Admin when they depart an organization. This immediately removes their access to reserve/publish CVE IDs.
GDPR requests to remove PII can be resolved by changing the first/last name and email address to dummy values (Ghost User - [email protected]). CVE ID objects are tied to the UUID of the user, which cannot be changed. No policy exists currently that enforces any name/email restrictions on the users in User Registry, but the CVE Program assumes that an organization keeps track of their users and can pinpoint them to actual human beings (or maintainers of tools for automated accounts) in case of accountability.
Based on the discussion during the meeting on Nov 5, 2024, AWG recommends closing this issue.
Notes
This idea was originally brought up in #507