Spike/bug: Investigate deactivated users inclusion in compliance export
Another query that I have is regarding compliance exports. A user mentioned that the users exported (format used is Actiance XML) are more than the active users in the system. Do compliance exports also include user accounts that have been deactivated? Is this expected?
I did some testing and as far as I can tell it does include deactivated users (though I'm honestly not too sure, I just see the name of the deactivated user mentioned in `ParticipantEntered`).
The user found this difference by using an in-house app of theirs that counts the number of users in the file and gets their details using the API, and compared it to the active user number in Mattermost.
Issue created from a message in Mattermost.
QA Test Steps
1. Log in as system admin and create a private channel.
2. Add user-1 to the channel.
3. Post a message from system admin, or user-1, or both.
4. Deactivate user-1, doesn’t matter how.
5. Run an Actiance compliance export. Observe that user-1 is present in the list of channel members in the XML output.
6. Have system admin post in the channel again.
7. Run another Actiance export. Observe that user-1 is not present in the list of channel members in the XML.
8. Re-activate user-1.
9. Repeat step #3.
10. Repeat step #5.
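The check in steps 5 and 7, and the file-versus-active-users comparison described in the report, can be scripted. This is an added example, not Mattermost's code or part of the original ticket; only `ParticipantEntered` is named on this page, so the other element names (`FileDump`, `Conversation`, `RoomID`, `LoginName`) and the sample export are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not real export output. Only ParticipantEntered is named
# on the page; FileDump, Conversation, RoomID and LoginName are assumed names.
SAMPLE_EXPORT = """<FileDump>
  <Conversation>
    <RoomID>private-channel-1</RoomID>
    <ParticipantEntered><LoginName>sysadmin@example.com</LoginName></ParticipantEntered>
    <ParticipantEntered><LoginName>user-1@example.com</LoginName></ParticipantEntered>
  </Conversation>
  <Conversation>
    <RoomID>private-channel-2</RoomID>
    <ParticipantEntered><LoginName>sysadmin@example.com</LoginName></ParticipantEntered>
  </Conversation>
</FileDump>"""


def participants_by_room(xml_text):
    """Map each conversation's room id to the set of logins that entered it."""
    rooms = {}
    for conv in ET.fromstring(xml_text).iter("Conversation"):
        room = (conv.findtext("RoomID") or "<unknown>").strip()
        for entered in conv.iter("ParticipantEntered"):
            login = (entered.findtext("LoginName") or "").strip().lower()
            if login:
                rooms.setdefault(room, set()).add(login)
    return rooms


def unexpected_participants(xml_text, active_logins):
    """Return {room: sorted logins} for participants not in the active set."""
    active = {a.strip().lower() for a in active_logins}
    report = {}
    for room, logins in participants_by_room(xml_text).items():
        extra = sorted(logins - active)
        if extra:
            report[room] = extra
    return report


if __name__ == "__main__":
    active = ["sysadmin@example.com"]  # constructed: user-1 is deactivated
    for room, logins in unexpected_participants(SAMPLE_EXPORT, active).items():
        print(f"{room}: {', '.join(logins)}")
```

An empty report after step 7 corresponds to the expected result; a non-empty one lists the rooms where a non-active account still appears as a participant.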
Tested the issue on the 5.25.3-rc1 test instance and the issue is fixed and is working fine now. Closing the ticket since it has been tested on both 5.25 and 5.26 test instances.
Tested on the latest 5.26 test instance and the issue is fixed now and is working fine as expected for both CSV & Actiance Exports. The ticket will be closed once it's tested on the 5.25 instance.
We have received feedback from Actiance that they do not expect having deactivated users in the XML export.
“If a user is deactivated on the communication channel itself, he/she would not be able to send any message or be part of any communication. Given that, we would not expect data from such users or references to them as participants in the XML. In fact, having them in the XML could possibly mislead the customer’s compliance team. So as you anticipated, we would suggest removing these users from the XML. We do not expect this change to have an impact on the functioning of our application, Vantage, for our mutual customers.”
Please proceed with a fix.
Here are some WIP pull requests with the potential fix, if we proceed forward with one of the proposed solutions:
WIP, further testing required.
Upon further reflection, I am rescinding my previous comment. We have been sending deactivated users in the exports since the original release of this feature and there could be a large downstream effect on customers that have data loading into Actiance by removing the deactivated users.
I am reaching out to Actiance to find out if they have best practices for deactivated users and if they have any thoughts on what the downstream effect would be.