I’ve searched for an official BestPractice on user deletion (leave company), but can’t find anything that is official-ish.
Two options:
Change user psswd to nonsense, then expire account.
DROP user.
There are +/- to both.
I prefer #1, as it gives the exact timestamp of expire (protects company and ex-employee), but corporate auditors disagree.
What do you do? Any official guidance on this?
The five account systems I've had experience with (OpenVMS, Linux, Active Directory, SQL Server, Postgresql) all have the ability to expire users, and to unexpire them if the person ever returns. (That happened to me; my AD account was still there; they just reactivated it...)
In every audit that I've gone through (and I go through them every year because of PCI) the auditors are perfectly happy to see that accounts are disabled. Occasionally they ask to see the log entry generated when one tries to log into Postgresql with an expired account.