Disable user on IIQ

We are using IIQ8.4P2. We have used loopback connector to onboard IIQ as IAM application.

Can we disable users directly in the IAM application if they have not logged in for 90 days?

How can we re-enable a user after they have been disabled?

Hi @jespaancy

While not a direct solution, these resources could help you understand the lock and unlock functionality and achieve your self-service unlock use cases.

@jespaancy One option: you can create your own scheduled task that will check lastLogonTimestamp and disable the user.

A thread to get some ideas: Disabling only AD Accounts for those user’s who are not login from 90 Day’s - IdentityIQ (IIQ) / IIQ Discussion and Questions - SailPoint Developer Community

Hi Kumar,
I’m asking about the IIQ app itself, not AD or any other applications.

@jespaancy You mean you have an inactive identity attribute that you want to set to true/false? Can you give more details here?

Hi Kumar,
We have onboarded many apps, but we want to disable the user on the IIQ app itself, which is onboarded with the loopback connector.

Regards,
Jespa

Hi @jespaancy

The topic which I have shared is relevant to your requirement, but it is a manual process to update each identity by a System Administrator.

You can lock the account by enabling the identity attribute as below:
lock="1" will appear in the identity XML under the debug pages.

Object Browser -> select Identity -> search for identity: X1001005 (for example)

This attribute will be set in the Identity profile by IIQLock. After updating this attribute to a true value, the user will not be able to log in to SailPoint IIQ.

  • lock
<Identity lock="1" created="XXXX" id="XXXXXXXX" name="X1001005" password="xyxyxy" >
  • unlock: just delete the entire lock flag.
<Identity created="XXXX" id="XXXXXXXX" name="X1001005" password="xyxyxy" >

Both scenarios are working fine with the identity attribute lock flag.

The same we need to automate based on last login date > 90 days.
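As an added example (not code from this thread or from SailPoint), the following rule body automates the lock flag described above: it is meant to run from a scheduled "Run Rule" task and sets lock="1" on every identity whose IIQ last login is older than 90 days. It assumes the rule's standard `context` and `log` variables, that the persisted Identity property `lastLogin` records the last IIQ login, and that the `lock` attribute really prevents login as described; since the thread itself disagrees on that last point, try it against a sandbox identity first.

```java
// Added example, not from the thread: IIQ BeanShell/Java rule body for a scheduled "Run Rule" task.
// Assumes: `context` (SailPointContext) and `log` are provided by the rule runtime,
// Identity.lastLogin holds the last IIQ login, and lock="1" blocks login as described above.
import java.util.Calendar;
import java.util.Date;
import java.util.Iterator;
import sailpoint.object.Filter;
import sailpoint.object.Identity;
import sailpoint.object.QueryOptions;
import sailpoint.tools.Util;

int inactiveDays = 90;

// Cutoff: anyone whose last login is before this date is considered inactive.
Calendar cal = Calendar.getInstance();
cal.add(Calendar.DAY_OF_MONTH, -inactiveDays);
Date cutoff = cal.getTime();

// Only identities that have logged in at least once, are older than the cutoff,
// and are not already locked (so the task is safe to re-run every night).
QueryOptions qo = new QueryOptions();
qo.addFilter(Filter.and(
    Filter.notnull("lastLogin"),
    Filter.lt("lastLogin", cutoff),
    Filter.isnull("lock")));

int locked = 0;
Iterator it = context.search(Identity.class, qo);
while (it.hasNext()) {
    Identity identity = (Identity) it.next();
    identity.setLock("1");               // same flag as lock="1" in the Identity XML
    context.saveObject(identity);
    context.commitTransaction();
    context.decache(identity);           // keep the Hibernate session small on large populations
    locked++;
}
Util.flushIterator(it);
log.info("Locked " + locked + " identities inactive for more than " + inactiveDays + " days");

// Re-enable case ("unlock"): clearing the flag removes the lock attribute from the XML.
// Identity id = context.getObjectByName(Identity.class, "X1001005");
// id.setLock(null); context.saveObject(id); context.commitTransaction();

return "Locked " + locked;
```

Because the query excludes identities that already carry the flag, an unlocked user is locked again only once their next 90 days of inactivity have elapsed.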

I primarily use the Loopback connector to manage workgroup membership. You can also use it to manage Capabilities, but I prefer to not assign those directly… I use workgroups.

I haven’t ever really thought about what the consequences of setting a user to Inactive will mean; does it mean the user can’t log in, even with a proper login? What you mean by “disable” I am going to assume is “prevent user from logging in”. There’s no lock or unlock on the Identity, that concept applies to target application accounts, such as LDAP / AD accounts.

I just ran a quick test using my sandbox, where I set the Inactive field to be editable and then set a user’s Identity to inactive. I was still able to log into that identity using the (still enabled) active directory account. That’s mainly because I am not setting a target on the inactive field. I wouldn’t recommend using a synchronize (target) setting on inactive; I would rather use a workflow. I almost always have inactive=true meaning call the Leaver workflow.

Not sure if this answers your question, feel free to tag me. I don’t get on this very often (I tend to spend my time on paying work). Tagging me will send me an email.

Hi Keith,
Thanks for the explanation. In our scenario, if a user hasn’t logged into IIQ using their AD account for 90 days, we need to disable or deactivate that account in IIQ so that they can no longer log in—only within IIQ. If this is not feasible, we’ll need to inform our management. That’s why I raised this case—to get answers from experts like you.
