Prevent deletion of the organization that is used as platform organization or attributed to a user #8838

Closed
aHenryJard opened this issue Oct 30, 2024 · 2 comments · Fixed by #8903
Labels: bug (use for describing something not working as expected), solved (use to identify issue that has been solved (must be linked to the solving PR))

@aHenryJard
Member

Description

Prevent deletion of the organization that is used as platform organization or attributed to a user.

Environment

  1. OS (where OpenCTI server runs): { e.g. Mac OS 10, Windows 10, Ubuntu 16.4, etc. }
  2. OpenCTI version: { e.g. OpenCTI 1.0.2 } 6.3.7
  3. OpenCTI client: { e.g. frontend or python }
  4. Other environment details:

Reproducible Steps

Steps to create the smallest reproducible scenario:

scenario 1

  1. Set a platform organization (let's say "Org1")
  2. Go to Entities > Organization
  3. Search and delete "Org1"

scenario 2

  1. In a user detail, add an organization (let's say "Org2")
  2. Go to Entities > Organization
  3. Search and delete "Org2"

Expected Output

scenario 1 => in security > policy: platform orga disappears, but in database there is still an org id in settings
scenario 2 => in user detail > orga disappears and there is a dash instead

Actual Output

scenario 1 => in security > policy: platform orga should stay*
scenario 2 => in user detail > orga should stay

Additional information

Verify that the retention policy still works when there is a platform orga in the list of "old" data.

Screenshots (optional)

@aHenryJard aHenryJard added bug use for describing something not working as expected needs triage use to identify issue needing triage from Filigran Product team labels Oct 30, 2024
@nino-filigran nino-filigran removed the needs triage use to identify issue needing triage from Filigran Product team label Oct 31, 2024
@nino-filigran nino-filigran added this to the Bugs backlog milestone Oct 31, 2024
@SouadHadjiat SouadHadjiat self-assigned this Nov 5, 2024
@SouadHadjiat
Member

About retention policy, I think it can be risky to include organizations as entities that can be deleted by retention manager, since organizations are possible authors of knowledge (+ can be platform orga or attributed to users). We might lose the information that organizations created knowledge because retention manager lists entities by modification date. What should we do? @nino-filigran

@nino-filigran

Hello @SouadHadjiat & @aHenryJard! I've talked with @romain-filigran about this topic & the expected output is not the correct one:

  • we should not allow the deletion of any entity that is either platform orga AND/OR associated to any users.

This should also apply to retention policies.
Regarding the fact of deleting an orga that is potentially an author, we do not yet have any strong opinion on the topic, given that you can still have, in theory, the presence of the org directly in the audit log.
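
The rule from the comment above, as an added example that is not OpenCTI's code or the fix from the linked pull request: one guard shared by the manual delete path and the retention run. The in-memory `store`, its field names and all function names are assumptions made for illustration.

```javascript
// Added illustration, not OpenCTI code. All names and fields here are hypothetical.
const store = { // constructed sample data
  settings: { platform_organization: 'org-1' },
  users: [{ id: 'user-1', organizations: ['org-2'] }],
  organizations: new Map([
    ['org-1', { name: 'Org1', updated_at: '2020-01-01' }],
    ['org-2', { name: 'Org2', updated_at: '2020-01-01' }],
    ['org-3', { name: 'Org3', updated_at: '2020-01-01' }],
    ['org-4', { name: 'Org4', updated_at: '2024-10-01' }],
  ]),
};

// Returns the reasons an organization must not be deleted (empty array = deletable).
function deletionBlockers(db, orgId) {
  const reasons = [];
  if (db.settings.platform_organization === orgId) reasons.push('platform organization');
  const members = db.users.filter((u) => u.organizations.includes(orgId));
  if (members.length > 0) reasons.push(`attributed to ${members.length} user(s)`);
  return reasons;
}

// Manual path (Entities > Organization > delete): refuse with an explicit error.
function deleteOrganization(db, orgId) {
  if (!db.organizations.has(orgId)) throw new Error(`Unknown organization ${orgId}`);
  const reasons = deletionBlockers(db, orgId);
  if (reasons.length > 0) {
    throw new Error(`Cannot delete ${orgId}: ${reasons.join(', ')}`);
  }
  db.organizations.delete(orgId);
}

// Retention path: same guard, but skip and report instead of failing the whole run.
function runRetention(db, olderThan) {
  const result = { deleted: [], skipped: [] };
  // Iterate over a copy so entries can be deleted during the loop.
  for (const [id, org] of [...db.organizations]) {
    if (org.updated_at >= olderThan) continue; // ISO dates compare lexicographically
    if (deletionBlockers(db, id).length > 0) {
      result.skipped.push(id);
    } else {
      db.organizations.delete(id);
      result.deleted.push(id);
    }
  }
  return result;
}
```

Routing both paths through `deletionBlockers` keeps the retention run from removing an organization that the manual path would refuse, and the `skipped` list gives operators something to audit.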

@SouadHadjiat SouadHadjiat linked a pull request Nov 5, 2024 that will close this issue
5 tasks
@SouadHadjiat SouadHadjiat added the solved use to identify issue that has been solved (must be linked to the solving PR) label Nov 8, 2024