The identity has temporarily left the company and is expected to return at a predefined date. The desired course of action could be to disable the user account and remove all group memberships. Or the user accounts could be deleted and restored on reentry even if it is with a new system identification number (SID).
Temporary deactivation of an identity is triggered by:
NOTE:
-
Configure the Lock accounts of identities that have left the company schedule in the Designer. This schedule checks the start date for deactivating and sets the Temporarily inactive option when it is reached.
-
In the Designer, configure the Enable temporarily disabled accounts schedule. This schedule monitors the end date of the inactive period and activates the identity with their user accounts when the period expires. Identity's user accounts that were disabled before the period of temporary absence are also re-enabled once the period has expired.
Scenario: User accounts are linked to identities and are managed through account definitions.
-
Specify in the account definitions, how temporarily deactivating identities affects their user accounts. In each manage level you can use the Lock user accounts if temporarily disabled option to define whether the user accounts remain enabled or are locked while they are disabled.
-
Specify in the account definitions, how temporary deactivation of identities affects their user accounts' group memberships. In each manage level you can use the Retain groups if temporarily disabled option to define whether the user accounts' group memberships are retained or removed when identities are deactivated.
Scenario: User accounts are linked to identities. No account definition is applied.
-
Specify the desired behavior using the QER | Person | TemporaryDeactivation configuration parameter. If the configuration parameter is set, an identity's user accounts are locked while the identity is deactivated. If the configuration parameter is not set, the properties of the linked identity do not effect the user accounts.
-
The user accounts keep their group memberships. Implement company-specific processes to remove group memberships as required.
Related topics
Identities can be deactivated permanently when, for example, they leave the company. It might be necessary, to remove access to this identity's entitlements in connected target systems and their company resources.
Effects of permanent deactivating an identity are:
-
The identity cannot be assigned to identities as a manager.
-
The identity cannot be assigned to roles as a supervisor.
-
The identity cannot be assigned to attestation policies as an owner.
-
There is no inheritance of company resources through roles, if the additional No inheritance option is set for an identity.
-
The identity's user accounts are locked or deleted and then removed from group memberships.
Permanent deactivation of an identity is triggered by:
-
The Deactivate identity permanently task
This task ensures that the Permanently deactivates option is enabled and the leaving date and last working day are set to the current date.
-
The leaving date is reached
NOTE:
-
In the Designer, check the Lock accounts of identities that have left the company schedule. This schedule regularly checks the leaving date and sets the Permanently deactivated option on reaching the date.
-
The Re-enable identity task ensures that the identity is re-enabled.
-
The Denied certification status
If an identity's certification status is set to Denied manually or as a result of attestation, the identity is immediately deactivated permanently. If the identity's certification status is changed to Certified, the identity is activated again.
NOTE: This function is only available if the Attestation Module is installed.
Scenario: User accounts are linked to identities and are managed through account definitions.
-
Specify in the account definitions, how permanently deactivating an identity affects the user account. In each manage level you can use the Lock user accounts if permanently disabled option to define whether the user accounts remain enabled or are locked while they are disabled.
-
Specify in the account definitions, how permanent deactivation of an identity affects their user accounts' group memberships. In each manage level you can use the Retain groups if permanently disabled option to define whether the user accounts' group memberships are retained or removed when an identity is deleted.
Scenario: User accounts are linked to identities. No account definition is applied.
-
Specify the desired behavior using the QER | Person | TemporaryDeactivation configuration parameter. If the configuration parameter is set, the identity's user accounts are locked while the identity is deactivated. If the configuration parameter is not set, the identity's properties do not have any effect on the associated user accounts.
-
The user accounts keep their group memberships. Implement company-specific processes to remove group memberships as required.
Related topics
When an identity is deleted, it is tested to see if user accounts and company resources are still assigned, or if there are still any requests pending in the IT Shop. The identity is marked for deletion and therefore locked out of further processing.
By default, identities are finally deleted from the database after 30 days. During this period it is possible to re-activate the identity. A restore is not possible once deferred deletion has expired.
Before an identity can finally be deleted from the One Identity Manager database, you need to delete all company resource assignments and close all requests. You can do this manually or implement custom processes to do it.
All the user accounts linked to an identity could be deleted by default by One Identity Manager once this identity has been deleted. If no more company resources are assigned, the identity is deleted permanently.
Scenario: User accounts are linked to identities and are managed through account definitions.
Scenario: User accounts are linked to identities. No account definition is applied.
Related topics
If user accounts are managed through account definitions, you can specify the desired behavior for handling user accounts and group memberships through account definitions and manage levels for temporary disabling, permanent disabling, deletion, and security risk to identities.
You can define special handling for each target system belonging to a target system type, through the relationship between the target system and account definition. For more information, see Using account definitions to create user accounts.
Assigning account definitions to identities
The effects on account definition inheritance of temporary disabling, permanent disabling, deletion, and security risk to identities is specified for each account definition. The settings of previous account definitions are overwritten.
You may want identities that are disabled or marked for deletion to inherit account definitions to ensure that all necessary permissions are made immediately available when the identity is reactivated at a later time.
IMPORTANT: As long as an account definition applies to an identity, this identity keeps its linked user accounts. If the account definition assignment no longer applies, the user account created through this account definition is deleted.
The following user account definition options are available for mapping behavior.
Table 4: Main data of an account definition for the assignment behavior of the account
|
Retain account definition if permanently disabled |
Specifies the account definition assignment to permanently deactivated identities.
Option set: the account definition assignment remains in effect. The user account stays the same.
Option not set: the account definition assignment is not in effect. The associated user account is deleted. |
|
Retain account definition if temporarily disabled |
Specifies the account definition assignment to temporarily deactivated identities.
Option set: the account definition assignment remains in effect. The user account stays the same.
Option not set: the account definition assignment is not in effect. The associated user account is deleted. |
|
Retain account definition on deferred deletion |
Specifies the account definition assignment on deferred deletion of identities.
Option set: the account definition assignment remains in effect. The user account stays the same.
Option not set: the account definition assignment is not in effect. The associated user account is deleted. |
|
Retain account definition on security risk |
Specifies the account definition assignment to identities posing a security risk.
Option set: the account definition assignment remains in effect. The user account stays the same.
Option not set: the account definition assignment is not in effect. The associated user account is deleted. |
Handling user accounts and identities
The effects on user accounts of temporary disabling, permanent deactivating, deletion, and security risk of an identity is specified for each manage level.
In order to remove permissions from an identity when they are being deactivated or deleted, the identity’s user accounts can be locked. If the identity is reinstated at a later date, the user accounts are also reactivated.
The following options are available for each manage level on an account definition for handling user accounts.
Table 5: Main data for a manage level for handling user accounts
|
Lock user accounts if temporarily disabled |
Specifies whether user accounts of temporarily deactivated identities are locked. |
|
Lock user accounts if permanently disabled |
Specifies whether user accounts of permanently deactivated identities are locked. |
|
Lock user accounts if deletion is deferred |
Specifies whether user accounts of identities marked for deletion are locked. |
|
Lock user accounts if security is at risk |
Specifies whether user accounts of identities posing a security risk are locked. |
Inheritance of group memberships by the identity's user accounts
The effects on user accounts of temporary deactivation, permanent deactivation, deletion, and security risk of an identity is specified for each manage level.
If an identity is deactivated or marked for deletion, inheritance of groups memberships can be suppressed for the account definition target system. You might want this behavior if an identity's user accounts and mailboxes are locked and therefore cannot be included in distribution lists. During this deactivation period, no inheritance processes should be calculated for this identity. Existing group memberships are deleted.
The following options are available for each manage level on an account definition for handling group memberships.
Table 6: Master data of a manage level for handling group memberships
|
Retain groups if temporarily disabled |
Specifies whether user accounts of temporarily deactivated retain their group memberships. |
|
Retain groups if permanently disabled |
Specifies whether user accounts of permanently deactivated identities inherit group memberships. |
|
Retain groups on deferred deletion |
Specifies whether user accounts of identities marked for deletion retain their group memberships. |
|
Retain groups on security risk |
Specifies whether user accounts of identities posing a security risk retain their group memberships. |
|
Retain groups if user account disabled |
Specifies whether disabled user accounts retain their group memberships. |
Related topics
