From 11b87d2d7d91230756d90a9fc0ad9d479d4ae24d Mon Sep 17 00:00:00 2001 From: Harshil Sharma Date: Mon, 4 May 2026 15:07:34 +0530 Subject: [PATCH 1/2] Added docs for deletion summary feature --- .../manage/admin/content-flagging.rst | 53 +++++++++++++++---- 1 file changed, 43 insertions(+), 10 deletions(-) diff --git a/source/administration-guide/manage/admin/content-flagging.rst b/source/administration-guide/manage/admin/content-flagging.rst index 8c2c1956dcf..e700ad70a57 100644 --- a/source/administration-guide/manage/admin/content-flagging.rst +++ b/source/administration-guide/manage/admin/content-flagging.rst @@ -93,16 +93,49 @@ Once an action is taken, the **Status** field updates automatically. The **Data Deleted messages ~~~~~~~~~~~~~~~~ -When a reviewer permanently removes a quarantined message, the message and all associated data are deleted from the database and can't be recovered, including: - -- Message content and properties: The text of the message and any associated post properties. -- File metadata: Information about files attached to the message (e.g., file names, IDs, and links to storage). -- File metadata from edit history: Information about files attached to earlier versions of the message. -- Edit history: All previous versions of the message and their timestamps. -- Uploaded files: The actual files stored in Mattermost’s file storage (local, S3, etc.). -- Priority data: Any message priority or importance settings. -- Acknowledgements: Records of users who acknowledged the message. -- Reminders: Any reminders created for the message. +When a reviewer permanently removes a quarantined message, the message and all associated data are deleted from the database and can't be recovered. The deletion covers: + +- **Post record**: The text of the message and any associated post properties. The content is scrubbed before the post is deleted. +- **File attachments**: The files stored in Mattermost's file storage (local, S3, etc.). +- **File attachment records**: The file info database rows for the message, including file names, IDs, and links to storage. +- **Edit history**: Every prior revision of the message, along with file metadata from each revision. +- **Priority metadata**: Any message priority or importance settings. +- **Persistent notifications**: Any recurring notifications attached to the message. +- **Acknowledgements**: Records of users who acknowledged the message. +- **Reminders**: Any reminders created for the message. +- **Thread, replies, and reactions**: The thread record, replies, and reaction data associated with the message. + +Post deletion report +~~~~~~~~~~~~~~~~~~~~ + +When a reviewer selects **Remove message**, the **Data Spillage Bot** posts a **Post Deletion Report** into the reviewer's content review thread for that quarantined message. The report is delivered to every reviewer who received the original quarantine notification, and is localized to each reviewer's language. Each post includes a short summary rendered inline, and a full report attached as a Markdown file named ``deletion_report_.md``. + +The report records every cleanup step performed against the message and its associated data. The steps map directly to the data scope listed in :ref:`administration-guide/manage/admin/content-flagging:deleted messages`: + +- **File attachments**: Files removed from file storage. +- **File attachment records**: File info database rows for the message. +- **Edit history**: Every prior revision of the message. Each revision is reported as its own sub-step so that reviewers can see exactly which revisions were cleared. +- **Priority metadata**: Message priority and importance settings. +- **Persistent notifications**: Recurring notifications attached to the message. +- **Acknowledgements**: Records of users who acknowledged the message. +- **Reminders**: Reminders set on the message. +- **Thread, replies, and reactions**: The thread record, replies, and reaction data associated with the message. +- **Post record**: The post itself. The content is scrubbed before the post is deleted. + +Each step is assigned one of the following statuses: + +- **Removed** ✅: The data was successfully deleted. +- **Not applicable** ➖: There was no data of this type to delete. +- **Partial** ⚠️: Some items of this type were deleted, but at least one failed. This status most often appears under **Edit history** when one revision can't be deleted. +- **Failed** ❌: The step didn't complete. The report includes an error log so reviewers and System Administrators can inspect what went wrong. + +When every step is **Removed** or **Not applicable**, no further action is required. The report serves as the auditable record of the deletion. + +When any step reports **Partial** or **Failed**, the report displays an *incomplete* warning. Reviewers should escalate to a System Administrator, who can use the attached ``deletion_report_.md`` file - including the full per-step error log - to perform manual remediation and confirm that the data is fully removed. + +.. note:: + + The post deletion report is the single source of truth for post-removal auditing. It isn't stored elsewhere in the System Console, so the reviewer thread containing the report should be retained in line with your organization's audit retention policy. Best practice recommendations ----------------------------- From b615f945cc3c3bf0143d14d3952ceeed1abdd6be Mon Sep 17 00:00:00 2001 From: Harshil Sharma Date: Tue, 5 May 2026 19:40:45 +0530 Subject: [PATCH 2/2] Review fixes --- .../manage/admin/content-flagging.rst | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/source/administration-guide/manage/admin/content-flagging.rst b/source/administration-guide/manage/admin/content-flagging.rst index e700ad70a57..f125c1102a6 100644 --- a/source/administration-guide/manage/admin/content-flagging.rst +++ b/source/administration-guide/manage/admin/content-flagging.rst @@ -93,7 +93,7 @@ Once an action is taken, the **Status** field updates automatically. The **Data Deleted messages ~~~~~~~~~~~~~~~~ -When a reviewer permanently removes a quarantined message, the message and all associated data are deleted from the database and can't be recovered. The deletion covers: +When a reviewer permanently removes a quarantined message, the message and all associated data are deleted from the database and file system and can't be recovered. The deletion covers: - **Post record**: The text of the message and any associated post properties. The content is scrubbed before the post is deleted. - **File attachments**: The files stored in Mattermost's file storage (local, S3, etc.). @@ -103,12 +103,12 @@ When a reviewer permanently removes a quarantined message, the message and all a - **Persistent notifications**: Any recurring notifications attached to the message. - **Acknowledgements**: Records of users who acknowledged the message. - **Reminders**: Any reminders created for the message. -- **Thread, replies, and reactions**: The thread record, replies, and reaction data associated with the message. +- **Thread, replies, and reactions**: The thread record, replies, and reaction data, if any, associated with the message. Post deletion report ~~~~~~~~~~~~~~~~~~~~ -When a reviewer selects **Remove message**, the **Data Spillage Bot** posts a **Post Deletion Report** into the reviewer's content review thread for that quarantined message. The report is delivered to every reviewer who received the original quarantine notification, and is localized to each reviewer's language. Each post includes a short summary rendered inline, and a full report attached as a Markdown file named ``deletion_report_.md``. +When a reviewer selects **Remove message**, the **Data Spillage Bot** posts a **Post Deletion Report** into the reviewer's content review thread for that quarantined message. The report is delivered to every reviewer who received the original quarantine notification, and is localized to each reviewer's language. Each post includes a short summary rendered inline, and a full report attached as a Markdown file named ``deletion_report_.md``. The report records every cleanup step performed against the message and its associated data. The steps map directly to the data scope listed in :ref:`administration-guide/manage/admin/content-flagging:deleted messages`: @@ -140,4 +140,4 @@ When any step reports **Partial** or **Failed**, the report displays an *incompl Best practice recommendations ----------------------------- -Before rolling out Data Spillage Handling organization-wide, we recommend communicating that the feature protects both users and the organization from accidental data spillage. Start with a pilot team to validate reviewer notifications and workflows, integrate the process with existing data-handling or incident-response playbooks, and require reporter and reviewer comments to ensure every decision is transparent and auditable. \ No newline at end of file +Before rolling out Data Spillage Handling organization-wide, we recommend communicating that the feature protects both users and the organization from accidental data spillage. Start with a pilot team to validate reviewer notifications and workflows, integrate the process with existing data-handling or incident-response playbooks, and require reporter and reviewer comments to ensure every decision is transparent and auditable.