Autodisabler/Autoarchival in IIQ

Which IIQ version are you inquiring about?

8.4P2

Share all details about your problem, including any error messages you may have received.

Hi All,

We are planning to implement Autodisabling of identities and accounts which are inactive for more months. And after some days, either deletion or archiving of accounts will be done.

Kindly share your insights/thoughts to implement this.

Thanks

Hi @divsubha,

I am doing the same thing at the moment. For my environment I chose a rule where I search for the identities that meet the requirements and disable them.

Also, if you don't have overly complex conditions you can use the RapidSetup configuration. I think it's the best way because you can set general conditions to execute the Leaver process and specific conditions for each application.

For example, in the general Rapid Setup you set the conditions for the Leaver, and in the Rapid Setup application you can set the number of days after the leaver to disable/delete.

1 Like

I just created a Java task definition for this and added it to our open-source IIQ utility library -

1 Like

Hi @enistri_devo, Could you please let me know the best practice to handle users after disablement? Should it be deleted or archived?

Also, while disabling users, do you remove all the roles from users, and/or add anything in the description (to identify how users are disabled)?

For me, the best and easiest way is with RapidSetup.

You must set the conditions for the leaver trigger, and later for each application you can decide the behavior.

For example, on AD, I set it up to disable, remove ent and move the account when the leaver was launched. Also, after 365 days, the account will be deleted.

2 Likes

Do you delete the identities or just the accounts?

You can write a rule for the same and convert it into a task. As per your requirement you can schedule it.

With that you delete the accounts.

To delete identities you can use the Prune identity task to delete empty identities.

Also, you can use the same configuration of Rapid Setup on a loopback connector. In this case the delete account on a loopback connector will delete the identity.

I think I would suggest creating a rule and then scheduling it as a task. If you are getting the lastlogin timestamp attribute for the application where you want to implement it, just get that value, set your condition, create a plan and delete/disable identities in the target application.

Once done, schedule it for however frequently you want to run it.
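
The approach described in the last reply (read the last-login value, test it against a threshold, build a plan, provision a disable) can be sketched as follows. This is an added example, not code from any poster or from the utility library mentioned above. The application name, the `lastLogin` attribute name, its format (a `Date` or epoch milliseconds) and the 90-day threshold are assumptions to replace with your own values.

```java
import java.util.ArrayList;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import sailpoint.api.Provisioner;
import sailpoint.api.SailPointContext;
import sailpoint.object.Filter;
import sailpoint.object.Link;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.QueryOptions;
import sailpoint.tools.GeneralException;
public class InactiveAccountDisabler {
    // Assumed values, not taken from the thread.
    static final String APP_NAME = "Example Application";
    static final String LAST_LOGIN_ATTR = "lastLogin";
    static final long MAX_IDLE_DAYS = 90;
    /** Returns the number of accounts selected; with dryRun=true nothing is provisioned. */
    public static int disableInactive(SailPointContext context, boolean dryRun) throws GeneralException {
        long cutoff = System.currentTimeMillis() - MAX_IDLE_DAYS * 24L * 60 * 60 * 1000;
        QueryOptions qo = new QueryOptions();
        qo.addFilter(Filter.eq("application.name", APP_NAME));
        // Collect ids first so provisioning commits do not disturb an open cursor.
        List<String> ids = new ArrayList<>();
        Iterator<Object[]> rows = context.search(Link.class, qo, "id");
        while (rows.hasNext()) ids.add((String) rows.next()[0]);
        int selected = 0;
        for (String id : ids) {
            Link link = context.getObjectById(Link.class, id);
            if (link == null || link.isDisabled() || link.getIdentity() == null) continue;
            Object raw = link.getAttribute(LAST_LOGIN_ATTR);
            if (raw == null) continue; // no timestamp: leave for manual review
            long last;
            try {
                last = (raw instanceof Date) ? ((Date) raw).getTime() : Long.parseLong(raw.toString());
            } catch (NumberFormatException e) {
                continue; // unparseable value: do not guess
            }
            if (last >= cutoff) continue;
            ProvisioningPlan plan = new ProvisioningPlan();
            plan.setIdentity(link.getIdentity());
            plan.add(new AccountRequest(AccountRequest.Operation.Disable, APP_NAME,
                    link.getInstance(), link.getNativeIdentity()));
            if (!dryRun) new Provisioner(context).execute(plan);
            selected++;
        }
        return selected;
    }
}
```

Run it with `dryRun` set to `true` first and compare the count with what you expect. Accounts with a missing or unparseable timestamp are skipped rather than treated as inactive, so service accounts that never log in interactively are not disabled by accident.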