Inactivity Disablement process in IDN

We need to disable accounts for inactivity after 120 days of no login and detect when an account is re-activated and ensure no disablement for 7 more days, i.e. provide a 7-day grace period. It does not seem to be possible to meet this requirement since we cannot set an identity attribute, or set an account attribute. Without using lifecycle states (which seems risky), is there a way to do this? Appreciate any and all suggestions. Thank you.

Hey Phebe!

Yes, there are multiple ways to achieve your desired result; below is an example:

  • Create an Identity Attribute with the lastLogin info

That way you can use calculations to trigger a Workflow. For example, grab the lastLogin info from AD and calculate the change through it.
Another way is to look at the lastPasswordChange for the account and also trigger workflows to block, send a notification, or even use it to change the cloudLifecycleState on the IdentityProvisioning.

Cheers,

Ivan

I’m not following how that will meet the needs for the grace period?

I guess you are referring to Active Directory source. Even if it is not, that is fine.

If it is AD, we have the User Account Control (UAC) attribute. You can set 514 when the user doesn’t log in for 120 days.

Create an identity attribute for UAC and attach a Transform to it, which reads lastLogonTimeStamp from the AD source. Use this identity attribute in AD provisioning and in attribute sync.

Now coming to the 2nd part: how does the account get re-activated? Manually at the AD end? If yes, then ask them to clear the lastLogonTimeStamp as well. You need some way to detect that the user is re-activated after 120 days of inactivity.

I assume your requirement is: the user didn’t log in for 120 days, so you disabled the AD account. Later the user placed a request to enable the account outside SailPoint scope. So the user’s AD account got enabled, then the user will log in almost immediately, at least to verify or to do the work. Then the user’s lastLogonTimeStamp is already updated. What are the chances of the user not logging in even after requesting for the account to be enabled?
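An added Python example (not from the thread, SailPoint or the IdentityNow transform API) that sketches the decision logic the reply above describes: convert the AD lastLogonTimeStamp, apply the 120-day threshold and the 7-day grace period, and detect re-enablement outside SailPoint from the UAC ACCOUNTDISABLE bit. The `reenabled_at` timestamp and the 512 (enabled) UAC value are assumptions; the thread itself only names 514.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# Values from the thread: disable after 120 days without login, then allow a
# 7-day grace period once the account has been re-enabled.
INACTIVITY_DAYS = 120
GRACE_DAYS = 7
UAC_ENABLED = 512        # NORMAL_ACCOUNT (assumed "enabled" value, not named in the thread)
UAC_DISABLED = 514       # NORMAL_ACCOUNT | ACCOUNTDISABLE, the value the reply suggests
ACCOUNTDISABLE_BIT = 0x2

# AD lastLogonTimeStamp is a FILETIME: 100-ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> Optional[datetime]:
    """FILETIME -> aware datetime; 0 (or missing) means the user never logged on."""
    if filetime <= 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(when: datetime) -> int:
    """Aware datetime -> FILETIME, using integer math to avoid float rounding."""
    delta = when - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def detect_reenabled(previous_uac: int, observed_uac: int) -> bool:
    """True when the ACCOUNTDISABLE bit was set at the last read and is now clear,
    i.e. someone enabled the account outside SailPoint between two aggregations."""
    return bool(previous_uac & ACCOUNTDISABLE_BIT) and not (observed_uac & ACCOUNTDISABLE_BIT)


def desired_uac(last_logon_filetime: int, reenabled_at: Optional[datetime], now: datetime) -> int:
    """UAC value the identity attribute should carry for attribute sync.

    reenabled_at: hypothetical timestamp recorded when detect_reenabled() fired
    (None when the account was never re-enabled).
    """
    last_logon = filetime_to_datetime(last_logon_filetime)
    if last_logon is None:
        return UAC_ENABLED  # no logon data: do not disable on an unknown value
    if (now - last_logon).days < INACTIVITY_DAYS:
        return UAC_ENABLED  # logged in recently enough
    # Inactive for 120+ days: honour the grace period if it was recently re-enabled.
    if reenabled_at is not None and (now - reenabled_at).days < GRACE_DAYS:
        return UAC_ENABLED
    return UAC_DISABLED
```

Note that AD only replicates lastLogonTimeStamp when the stored value is older than the domain's sync interval (14 days by default), so the idle count read from a replica can lag the true last logon by up to that much; the 120-day threshold comfortably absorbs this, but a 7-day grace period must not rely on a fresh lastLogonTimeStamp alone.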