Whether unused user accounts can be disabled automatically or manually depends on the capabilities of the respective target systems and your company IT policies. Define processes suitable for notifying administrators, managers, or other responsible parties of unused user accounts and disable the affected user accounts.
To find and disable unused user accounts

- In the Designer, set the TargetSystem | UNS | UnusedUserAccountThresholdInDays | DaysUntilDisable configuration parameter and enter the number of days after which unused user accounts should be disabled. The default value is 180 days.
- (Optional) Assign identities to the Identity & Access Governance | Company policies | Exception approvers application role if they are to be informed about the user accounts involved. These identities are allowed to approve exceptions if necessary.
  - In the Manager, select the Company Policies > Basic configuration data > Exception approvers category.
  - Select the Assign identities task.
  - In the Add assignments pane, add identities.
    TIP: In the Remove assignments pane, you can remove assigned identities.
    To remove an assignment
    - Select the identity and double-click .
  - Save the changes.
- (Optional) Check whether policy violation notifications are set up.
  For more information about this, see the One Identity Manager Company Policies Administration Guide.
- Enable the working copy of the Unused user accounts can be disabled policy.
  - In the Manager, select the Company policies > Policies > Working copies of policies > Predefined category.
  - Select the working copy in the result list.
  - Select Enable working copy.
  - Confirm the security prompt with Yes.
  - Enable the original policy. Confirm the prompt with Yes.
    This starts the policy check.
    TIP: If an enabled company policy already exists, you can start the policy check with the Recalculate policy task.
    A predefined schedule starts the policy check once a month.
- Check all the user accounts that violate the policy and disable them.
- To automatically disable unused user accounts, create target system-specific processes that run when new policy violations occur.