Identifying and disabling unused user accounts
Whether unused user accounts can be disabled automatically or manually depends on the capabilities of the respective target systems and your company IT policies. Define processes suitable for notifying administrators, managers, or other responsible parties of unused user accounts and disable the affected user accounts.
To find and disable unused user accounts

- In the Designer, set the TargetSystem | UNS | UnusedUserAccountThresholdInDays | DaysUntilDisable configuration parameter and enter the number of days after which unused user accounts should be disabled. The default value is 180 days.
- (Optional) Assign identities to the Identity & Access Governance | Company policies | Exception approvers application role if they are to be informed about the user accounts involved. These identities are allowed to approve exceptions if necessary.
  - In the Manager, select the Company Policies > Basic configuration data > Exception approvers category.
  - Select the Assign identities task.
  - In the Add assignments pane, add identities.
    TIP: In the Remove assignments pane, you can remove assigned identities.
    To remove an assignment
  - Save the changes.
- (Optional) Check whether policy violation notifications are set up.
  For more information about this, see the One Identity Manager Company Policies Administration Guide.
- Enable the working copy of the Unused user accounts can be disabled policy.
  - In the Manager, select the Company policies > Policies > Working copies of policies > Predefined category.
  - Select the working copy in the result list.
  - Select Enable working copy.
  - Confirm the security prompt with Yes.
  - Enable the original policy. Confirm the prompt with Yes.
  This starts the policy check.
  TIP: If an enabled company policy already exists, you can start the policy check with the Recalculate policy task.
  A predefined schedule starts the policy check once a month.
- Check all the user accounts that violate the policy and disable them.
Identifying and deleting unused user accounts
Whether unused user accounts can be deleted automatically or manually depends on the capabilities of the respective target systems and your company IT policies. Define processes suitable for notifying administrators, managers, or other responsible parties of unused user accounts and delete the affected user accounts.
To find and delete unused user accounts

- In the Designer, set the TargetSystem | UNS | UnusedUserAccountThresholdInDays | DaysUntilDelete configuration parameter and enter the number of days after which unused user accounts should be deleted. The default value is 360 days.
- (Optional) Assign identities to the Identity & Access Governance | Company policies | Exception approvers application role if they are to be informed about the user accounts involved. These identities are allowed to approve exceptions if necessary.
  - In the Manager, select the Company Policies > Basic configuration data > Exception approvers category.
  - Select the Assign identities task.
  - In the Add assignments pane, add identities.
    TIP: In the Remove assignments pane, you can remove assigned identities.
    To remove an assignment
  - Save the changes.
- (Optional) Check whether policy violation notifications are set up.
  For more information about this, see the One Identity Manager Company Policies Administration Guide.
- Enable the working copy of the Unused user accounts can be deleted policy.
  - In the Manager, select the Company policies > Policies > Working copies of policies > Predefined category.
  - Select the working copy in the result list.
  - Select Enable working copy.
  - Confirm the security prompt with Yes.
  - Enable the original policy. Confirm the prompt with Yes.
  This starts the policy check.
  TIP: If an enabled company policy already exists, you can start the policy check with the Recalculate policy task.
  A predefined schedule starts the policy check once a month.
- Check all the user accounts that violate the policy and delete them.
Configuration parameters for behavior driven governance
The following configuration parameters are relevant for behavior driven governance.

Table 1: Overview of configuration parameters for behavior driven governance

Configuration parameter: TargetSystem | OneLogin | UnusedApplicationThresholdInDays
Meaning: Number of days after which access to OneLogin applications is considered to be unused (default: 90).

Configuration parameter: TargetSystem | PAG | UnusedThresholdInDays
Meaning: Number of days after which a privileged object, entitlement, or user is considered unused (default: 90).

Configuration parameter: TargetSystem | UNS | UnusedUserAccountThresholdInDays
Meaning: Number of days after which a user account is considered to be unused (default: 90).

Configuration parameter: TargetSystem | UNS | UnusedUserAccountThresholdInDays | DaysUntilDelete
Meaning: Number of days after which an unused user account should be deleted (default: 365).

Configuration parameter: TargetSystem | UNS | UnusedUserAccountThresholdInDays | DaysUntilDisable
Meaning: Number of days after which an unused user account should be disabled (default: 180).

Configuration parameter: QER | Attestation | AutoRemovalScope and all configuration subparameters
Meaning: General configuration parameter for defining automatic withdrawal of memberships/assignments if attestation approval is not granted.
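As an added example (not part of the One Identity Manager documentation or product), the following Python script models the policy check that the two procedures above rely on, using the default thresholds from the table. The rule that inactivity is counted from the last logon (or from the creation date for accounts that never logged on), the UserAccount fields and the sample accounts are assumptions made for this illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# Threshold defaults as listed in the configuration parameter table above.
UNUSED_DAYS = 90          # TargetSystem | UNS | UnusedUserAccountThresholdInDays
DAYS_UNTIL_DISABLE = 180  # ... | UnusedUserAccountThresholdInDays | DaysUntilDisable
DAYS_UNTIL_DELETE = 365   # ... | UnusedUserAccountThresholdInDays | DaysUntilDelete

@dataclass
class UserAccount:
    name: str
    created: date
    last_logon: date | None = None    # None: the account has never logged on
    disabled: bool = False
    exception_approved: bool = False  # exception granted by an exception approver

def days_inactive(acct: UserAccount, today: date) -> int:
    # Assumption: inactivity is counted from the last logon, or from the
    # creation date for accounts that have never logged on.
    return (today - (acct.last_logon or acct.created)).days

def policy_check(accounts: list[UserAccount], today: date) -> dict[str, list[str]]:
    """Return, per policy, the accounts that violate it. Accounts with an
    approved exception are still reported as unused but violate nothing;
    an account that is already disabled does not violate the disable policy."""
    violations: dict[str, list[str]] = {"unused": [], "disable": [], "delete": []}
    for acct in accounts:
        d = days_inactive(acct, today)
        if d < UNUSED_DAYS:
            continue
        violations["unused"].append(acct.name)
        if acct.exception_approved:
            continue
        if d >= DAYS_UNTIL_DELETE:
            violations["delete"].append(acct.name)
        elif d >= DAYS_UNTIL_DISABLE and not acct.disabled:
            violations["disable"].append(acct.name)
    return violations

TODAY = date(2024, 6, 1)
SAMPLE = [  # constructed sample accounts; last logon given relative to TODAY
    UserAccount("alice", date(2022, 1, 1), TODAY - timedelta(days=10)),
    UserAccount("bob", date(2022, 1, 1), TODAY - timedelta(days=120)),
    UserAccount("carol", date(2022, 1, 1), TODAY - timedelta(days=200)),
    UserAccount("dave", date(2022, 1, 1), TODAY - timedelta(days=400), disabled=True),
    UserAccount("erin", date(2022, 1, 1), TODAY - timedelta(days=400), exception_approved=True),
    UserAccount("svc-legacy", date(2023, 1, 1)),  # never logged on
]
```

Calling policy_check(SAMPLE, TODAY) reports carol under "disable" and dave and svc-legacy under "delete", while erin appears only under "unused" because her exception was approved.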