Looking for how to standardize the way we do inactivity disablement. For example, a user may have an Active Directory, ServiceNow, and SAP account. I want to look at all 3 accounts and look at login activity. If login activity is past a certain threshold, I want to disable it.
We have so many rules flying around for different account types that are enforcing the exact same policy. Need suggestions on how to standardize this policy enforcement. Thanks!
Architecture
Here is a proposed architecture. The top level is a Rule, and then a Workflow with specified arguments can do the disablement. This rule is triggered by a scheduled task to check for compliance.
I’m hoping I get an answer that utilizes standard out-of-box features to implement something simple like this. We have gone so custom that it is getting out of control. Really appreciate the help!
Create an extended searchable attribute on the Link object to hold the last logon activity or max inactive days. This attribute should be populated for all accounts on regular aggregations for the applications which fall under this dormancy feature.
Now write a scheduled rule which can read all the accounts of these apps having the days more than the threshold (let's assume you configure this in a Custom object at each app level) and call either the LCM provisioning workflow with a Disable operation on all such accounts (or a Provisioner API call), but make sure you log an audit event for this disablement, which can help you identify that the account was disabled via this process.
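The steps above (searchable Link attribute, per-application threshold in a Custom object, scheduled rule, Disable via the Provisioner API, audit event) written out as a BeanShell rule body for an IdentityIQ rule-based scheduled task. This is an added example, not code from the original thread or from SailPoint. It assumes the extended Link attribute is a searchable Date named `lastLogonActivity`, that a Custom object named `Dormancy Thresholds` maps each application name to its max inactive days, and it uses the audit action name `InactivityDisable` so that an audit search on that action returns exactly the accounts disabled by this process. The `context` and `log` variables are the ones IdentityIQ binds for every rule.

```java
// Added example (not from the original thread): BeanShell rule body for a
// scheduled Rule task in SailPoint IdentityIQ. Names below marked "assumed"
// are illustrative and must match your own configuration.
import java.util.Date;
import java.util.Iterator;
import java.util.Map;
import sailpoint.object.AuditEvent;
import sailpoint.object.Custom;
import sailpoint.object.Filter;
import sailpoint.object.Identity;
import sailpoint.object.Link;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.QueryOptions;
import sailpoint.api.Provisioner;
import sailpoint.tools.Util;

// Assumed: searchable extended Link attribute (Date) filled by aggregation.
String LAST_LOGON_ATTR = "lastLogonActivity";
// Assumed: Custom object whose entries are  <application name> -> <max inactive days>.
String THRESHOLD_CUSTOM = "Dormancy Thresholds";
// Audit action recorded for every disablement done by this rule.
String AUDIT_ACTION = "InactivityDisable";
String RULE_NAME = "InactiveAccountDisableRule";
long MS_PER_DAY = 24L * 60L * 60L * 1000L;

Custom thresholds = context.getObjectByName(Custom.class, THRESHOLD_CUSTOM);
if (thresholds == null) {
    throw new IllegalStateException("Custom object not found: " + THRESHOLD_CUSTOM);
}

Provisioner provisioner = new Provisioner(context);
int disabledCount = 0;
long now = new Date().getTime();

// One pass per application listed in the Custom object; the threshold is
// applied in the query itself, which is why the attribute must be searchable.
Map entries = thresholds.getAttributes();
Iterator appNames = entries.keySet().iterator();
while (appNames.hasNext()) {
    String appName = (String) appNames.next();
    int maxInactiveDays = Util.otoi(entries.get(appName));
    if (maxInactiveDays <= 0) {
        log.warn(RULE_NAME + ": skipping " + appName + ", no positive threshold configured");
        continue;
    }
    Date cutoff = new Date(now - (maxInactiveDays * MS_PER_DAY));

    QueryOptions qo = new QueryOptions();
    qo.addFilter(Filter.eq("application.name", appName));
    qo.addFilter(Filter.lt(LAST_LOGON_ATTR, cutoff));

    Iterator links = context.search(Link.class, qo);
    while (links.hasNext()) {
        Link link = (Link) links.next();
        // Accounts with no recorded logon are excluded here: a missing value is a
        // data problem to investigate, not evidence of inactivity.
        Date lastLogon = (Date) link.getAttribute(LAST_LOGON_ATTR);
        if (lastLogon == null || link.isDisabled()) {
            continue;
        }
        Identity identity = link.getIdentity();

        // Build a single-account plan and run it through the Provisioner
        // (the alternative in the answer above is launching the LCM workflow).
        ProvisioningPlan plan = new ProvisioningPlan();
        plan.setIdentity(identity);
        AccountRequest req = new AccountRequest();
        req.setApplication(appName);
        req.setNativeIdentity(link.getNativeIdentity());
        req.setOperation(AccountRequest.Operation.Disable);
        plan.add(req);
        provisioner.execute(plan);

        // Audit trail: action + source identify this process, string1 keeps
        // the evidence that justified the disablement.
        AuditEvent event = new AuditEvent();
        event.setAction(AUDIT_ACTION);
        event.setSource(RULE_NAME);
        event.setTarget(identity.getName());
        event.setApplication(appName);
        event.setAccountName(link.getNativeIdentity());
        event.setString1("lastLogon=" + lastLogon + " thresholdDays=" + maxInactiveDays);
        context.saveObject(event);
        context.commitTransaction();
        disabledCount++;
    }
    Util.flushIterator(links);
}

return RULE_NAME + ": disabled " + disabledCount + " inactive account(s)";
```

Putting the threshold into the `Filter.lt` clause, rather than reading every Link and comparing in BeanShell, is what makes the "searchable" part of the answer matter: on a large Link table the database does the filtering and the rule touches only candidates. Run it once with the `provisioner.execute(plan)` line commented out and check the returned count against a report before enabling it on a schedule.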