
Identity Manager 9.2.1 - Behavior Driven Governance Administration Guide

Identifying and disabling unused user accounts

Whether unused user accounts can be disabled automatically or manually depends on the capabilities of the respective target systems and your company IT policies. Define processes suitable for notifying administrators, managers, or other responsible parties of unused user accounts and disable the affected user accounts.

To find and disable unused user accounts

  1. In the Designer, set the TargetSystem | UNS | UnusedUserAccountThresholdInDays | DaysUntilDisable configuration parameter and enter the number of days after which unused user accounts should be disabled. The default value is 180 days.

  2. (Optional) Assign identities to the Identity & Access Governance | Company policies | Exception approvers application role if they are to be informed about the user accounts involved. These identities can approve exceptions if necessary.

  3. (Optional) Check whether policy violation notifications are set up.

    For more information about this, see the One Identity Manager Company Policies Administration Guide.

  4. Enable the working copy of the Unused user accounts can be disabled company policy.

    This starts the policy check.

    TIP: If an enabled company policy already exists, you can start the policy check with the Recalculate policy task.

    A predefined schedule starts the policy check once a month.

  5. Check all the user accounts that violate the policy and disable them.

    • To automatically disable unused user accounts, create target system-specific processes that run when new policy violations occur.


Identifying and deleting unused user accounts

Whether unused user accounts can be deleted automatically or manually depends on the capabilities of the respective target systems and your company IT policies. Define processes suitable for notifying administrators, managers, or other responsible parties of unused user accounts and delete the affected user accounts.

To find and delete unused user accounts

  1. In the Designer, set the TargetSystem | UNS | UnusedUserAccountThresholdInDays | DaysUntilDelete configuration parameter and enter the number of days after which unused user accounts should be deleted. The default value is 360 days.

  2. (Optional) Assign identities to the Identity & Access Governance | Company policies | Exception approvers application role if they are to be informed about the user accounts involved. These identities can approve exceptions if necessary.

  3. (Optional) Check whether policy violation notifications are set up.

    For more information about this, see the One Identity Manager Company Policies Administration Guide.

  4. Enable the working copy of the Unused user accounts can be deleted company policy.

    This starts the policy check.

    TIP: If an enabled company policy already exists, you can start the policy check with the Recalculate policy task.

    A predefined schedule starts the policy check once a month.

  5. Check all the user accounts that violate the policy and delete them.

    • To automatically delete unused user accounts, create target system-specific processes that run when new policy violations occur.


Configuration parameters for behavior driven governance

The following configuration parameters are relevant for behavior driven governance.

Table 1: Overview of configuration parameters for behavior driven governance

Configuration parameter: Description

  • TargetSystem | OneLogin | UnusedApplicationThresholdInDays: Number of days after which access to OneLogin applications is considered to be unused (default: 90).

  • TargetSystem | PAG | UnusedThresholdInDays: Number of days after which a privileged object, entitlement, or user is considered unused (default: 90).

  • TargetSystem | UNS | UnusedUserAccountThresholdInDays: Number of days after which a user account is considered to be unused (default: 90).

  • TargetSystem | UNS | UnusedUserAccountThresholdInDays | DaysUntilDelete: Number of days after which an unused user account should be deleted (default: 365).

  • TargetSystem | UNS | UnusedUserAccountThresholdInDays | DaysUntilDisable: Number of days after which an unused user account should be disabled (default: 180).

  • QER | Attestation | AutoRemovalScope and all configuration subparameters: General configuration parameter for defining automatic withdrawal of memberships/assignments if attestation approval is not granted.
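
Before enabling either policy, it can help to preview which accounts each threshold would catch. The following is an added example, not One Identity code and not a description of how Identity Manager evaluates the policies: it classifies an exported account inventory against the TargetSystem | UNS defaults listed in Table 1. The record fields, the exception flag, the creation-date fallback for accounts that never logged on, and the `>=` boundary handling are assumptions.

```python
from datetime import datetime, timezone

# Defaults from Table 1 (TargetSystem | UNS | UnusedUserAccountThresholdInDays ...).
UNUSED_DAYS, DISABLE_DAYS, DELETE_DAYS = 90, 180, 365

def classify(accounts, now, unused=UNUSED_DAYS, disable=DISABLE_DAYS, delete=DELETE_DAYS):
    """Map each account name to active/unused/disable/delete/exception."""
    if not 0 < unused <= disable <= delete:
        raise ValueError("expected 0 < unused <= disable <= delete")
    buckets = {}
    for acct in accounts:
        # Assumption: an account that never logged on is aged from its creation
        # date, so it cannot stay outside the review forever.
        reference = acct["last_logon"] or acct["created"]
        idle_days = (now - reference).days
        if acct.get("exception_approved"):
            bucket = "exception"      # assumed flag for an approved policy exception
        elif idle_days >= delete:     # boundary handling (>=) is an assumption
            bucket = "delete"
        elif idle_days >= disable:
            bucket = "disable"
        elif idle_days >= unused:
            bucket = "unused"
        else:
            bucket = "active"
        buckets[acct["name"]] = bucket
    return buckets

def utc(day):
    return datetime.fromisoformat(day).replace(tzinfo=timezone.utc)

def account(name, last_logon, created, exception_approved=False):
    return {"name": name, "last_logon": last_logon and utc(last_logon),
            "created": utc(created), "exception_approved": exception_approved}

# Constructed sample inventory (not real data).
NOW = utc("2024-06-30")
SAMPLE = [
    account("svc-backup", "2024-06-01", "2020-01-01"),
    account("j.doe", "2024-03-01", "2021-05-01"),
    account("a.smith", "2023-12-01", "2019-02-01"),
    account("old.admin", "2023-01-15", "2018-01-01"),
    account("never.used", None, "2023-11-01"),
    account("vendor.x", "2023-01-01", "2022-01-01", exception_approved=True),
]

if __name__ == "__main__":
    for name, bucket in classify(SAMPLE, NOW).items():
        print(f"{name:12} {bucket}")
```

Pass the values configured in your own Designer as the `unused`, `disable` and `delete` arguments to see how a change in thresholds shifts accounts between buckets.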
