Context
Part of #613 — replacing UserDeactivation, PlatformAccessApproval, and PlatformAccessRejection with a single mutable PlatformAccess resource.
This issue covers migrating the UserDeactivation resource and all systems that produce or consume it.
Background
UserDeactivation currently governs User.status.state (Active/Inactive). The UserController in Milo watches these resources to set that status field, and the Zitadel provider watches them to activate or deactivate users in Zitadel. Under the new model, the Suspended state on PlatformAccess replaces this resource entirely.
Scope
milo-os/milo
milo-os/zitadel-provider
Migration Notes
UserDeactivation delete (reactivation) maps to setting PlatformAccess.spec.state = Approved
UserDeactivation create (deactivation) maps to setting PlatformAccess.spec.state = Suspended
- Any system creating
UserDeactivation resources (e.g. the fraud operator) is covered in a separate issue
Related
Context
Part of #613 — replacing
UserDeactivation,PlatformAccessApproval, andPlatformAccessRejectionwith a single mutablePlatformAccessresource.This issue covers migrating the
UserDeactivationresource and all systems that produce or consume it.Background
UserDeactivationcurrently governsUser.status.state(Active/Inactive). TheUserControllerin Milo watches these resources to set that status field, and the Zitadel provider watches them to activate or deactivate users in Zitadel. Under the new model, theSuspendedstate onPlatformAccessreplaces this resource entirely.Scope
milo-os/milo
UserControllerto watchPlatformAccessforstate: Suspendedinstead ofUserDeactivationUserDeactivationcontrollerUser.statusto reflectaccessStatederived fromPlatformAccess(removestate,registrationApproval; addaccessState)Readycondition semantics onUsersoReady=Trueonly whenaccessState=ApprovedUserDeactivationCRD and all associated RBAC, roles, and protected resource config once no consumers remainmilo-os/zitadel-provider
PlatformAccessforstate: Suspendedandstate: Approved(reactivation) instead of watchingUserDeactivationcreates and deletesSuspended → Approvedreactivates the user in Zitadel, equivalent to deleting aUserDeactivationtodayMigration Notes
UserDeactivationdelete (reactivation) maps to settingPlatformAccess.spec.state = ApprovedUserDeactivationcreate (deactivation) maps to settingPlatformAccess.spec.state = SuspendedUserDeactivationresources (e.g. the fraud operator) is covered in a separate issueRelated