The process involves a number of account store and resource system settings, EmpowerID system settings and permanent workflows, workflows, Sets and SetGroups. Each of these settings can be enabled and configured to run based on your own particular security needs. Sets and SetGroups are configured out of the box but can be customized as needed. These settings, permanent workflows, workflows, Sets and SetGroups, and their function within the cleanup process, include the following.
The below image shows the Directory Cleanup Settings on an example account store.
These settings are used by the Submit Account Terminations workflow.
The below image shows the Configuration Parameters for the resource system associated with an example account store.
Process Flow
SubmitAccountTerminations workflow
The process for automating the deactivating and retiring of stale Active Directory user accounts is depicted in the below image. An explanation of the process follows the image.
Submit Account Terminations workflow
This workflow claims account stores where CleanUpEnabled is set to true and gets the following SetGroup GUIDs from the Resource System Config Settings in order to process those groups:
TerminationBeforeProcessingSetGroupGUID — To notify before Move and Disable. This setting specifies the GUID of the SetGroup containing all people needing to receive notification of a pending move and disabling of a user account.
TerminationNotProcessedSetGroupGUID — To Move and Disable. This setting specifies the GUID of the SetGroup containing all user accounts to be moved and disabled.
TerminationProcessedSetGroupGUID — To Terminate. This setting specifies the GUID of the SetGroup containing all user accounts to be terminated.
The workflow processes one account store at a time, claiming all accounts in that account store that are in the SetGroup.
If CleanUpReportModeOnly is set to true, all the account processing steps are ignored and the account’s AccountOrganizationStatusID is set to 3 (TerminationPending). This logs everything that the workflow would do if Report Only Mode was turned off.
Otherwise, if CleanUpReportModeOnly is turned off, the workflow checks whether CleanUpStaleAccountOU has a valid External OrgZone.
If the CleanUpStaleAccountOU setting on the account store is not valid, the account store is ignored and no accounts are disabled or moved. Otherwise the workflow continues to claim the accounts and process the claimed accounts.
If the number of accounts in the account store reaches the specified threshold, the SubmitAccTerminationsApproval workflow is invoked.
Otherwise, if the number of accounts in the account store is under the ThresholdOnAccounts Resource System Config Setting value, the SubmitAccountTerminations workflow moves the accounts to the OU specified by the CleanUpStaleAccountOU setting.
If the DisabledAccountOnMove setting in the workflow parameters is set to true, the accounts are disabled when moved; otherwise the accounts are moved without being disabled.
When an account is moved, the AccountOrganizationStatusID is set to 5 (Transfer) and the TransferDate is set to current date and time on the account.
Emails are sent to the manager and admin users after the account is moved. EmailTemplateManagerMoveNotification and EmailTemplateAdminMoveNotification are used as templates to send these emails.
The AdminManagementRoleGuids workflow parameter determines which admin users should receive the email notification.
Once the emails are sent, an AssigneeNotification is inserted for that account, so it will not be claimed again to send notifications before moving accounts.
The accounts claimed earlier for termination will be processed by invoking the Terminate Account Advanced workflow for each account that is to be terminated.
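The decision flow above, written out as an added Python model; this is not EmpowerID's code. It assumes simplified Account and StoreSettings classes (hypothetical), a constructed sample store with a threshold of 5 accounts, and returns the actions the workflow would take for one account store so the report-only, invalid-OU and threshold branches can be compared.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional
# AccountOrganizationStatusID values named in the documentation
TERMINATION_PENDING, TRANSFER = 3, 5
@dataclass
class Account:                      # hypothetical, simplified account record
    name: str
    enabled: bool = True
    status_id: Optional[int] = None
    transfer_date: Optional[datetime] = None
    ou: Optional[str] = None

@dataclass
class StoreSettings:                # hypothetical view of the store/resource system settings
    clean_up_enabled: bool
    clean_up_report_mode_only: bool
    clean_up_stale_account_ou: Optional[str]   # None models an invalid External OrgZone
    threshold_on_accounts: int
    disabled_account_on_move: bool

def submit_account_terminations(s: StoreSettings, accounts: List[Account], now: datetime) -> List[str]:
    """Return the actions the SubmitAccountTerminations flow would take for one store."""
    if not s.clean_up_enabled:
        return ["store not claimed: CleanUpEnabled is false"]
    if s.clean_up_report_mode_only:
        # report-only: nothing is moved or disabled, the status alone records the intent
        for a in accounts:
            a.status_id = TERMINATION_PENDING
        return [f"report-only: {a.name} -> status 3 (TerminationPending)" for a in accounts]
    if not s.clean_up_stale_account_ou:
        return ["store ignored: CleanUpStaleAccountOU is not a valid External OrgZone"]
    if len(accounts) >= s.threshold_on_accounts:
        # bulk change needs a human decision: hand off to SubmitAccTerminationsApproval
        return [f"threshold reached ({len(accounts)} >= {s.threshold_on_accounts}): SubmitAccTerminationsApproval invoked"]
    log = []
    for a in accounts:
        a.ou, a.status_id, a.transfer_date = s.clean_up_stale_account_ou, TRANSFER, now
        if s.disabled_account_on_move:
            a.enabled = False
        log.append(f"moved {a.name} to {a.ou}; disabled={not a.enabled}; status 5 (Transfer)")
        log.append(f"manager/admin move notification for {a.name}; AssigneeNotification inserted")
    return log

def demo(report_only: bool = False, n_accounts: int = 2):
    """Constructed sample store and accounts (not real data); threshold of 5 accounts."""
    s = StoreSettings(True, report_only, "OU=Stale,DC=example,DC=test", 5, True)
    accounts = [Account(f"user{i}") for i in range(n_accounts)]
    return submit_account_terminations(s, accounts, datetime(2024, 1, 1, tzinfo=timezone.utc)), accounts
```

Calling demo(n_accounts=5) shows the threshold hand-off, while demo(report_only=True) shows that report-only mode changes the status but never touches the OU or the enabled flag.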
Submit Acc Terminations Approval workflow
This workflow creates an approval task for all accounts belonging to the Management Role specified by the ApprovalApproverManagementRoleGUID parameter of the Submit Account Terminations workflow. At least one user belonging to the Management Role needs to select and approve each account to be terminated.
Once a task is created for an account store, the TaskApprovalPendingStatus Resource System Config Setting is set to true. This prevents the system from recreating the task.
If the task is approved, all accounts selected from the Task Approval Form of the workflow are disabled and moved, and the TaskApprovalPendingStatus setting is set to false.
Terminate Account Advanced workflow
This workflow claims all accounts approved for termination, moves and terminates each one, setting the AccountOrganizationStatusID = 2 (Terminated).
Once an account is terminated, the workflow checks whether the NotifyManager and the NotifyAdminManagementRole parameters are set to true.
If NotifyManager and NotifyAdminManagementRole are set to true, the workflow checks the EmailTemplateManagerDeletionNotification and the EmailTemplateAdminDeletionNotification parameters for the email template that is to be used to send emails to the managers of each terminated user, as well as to all admin users belonging to the Management Role specified by the AdminManagementRoleGuids parameter.
The workflow gets the template from the EmailTemplateManagerDeletionNotification setting in order to send emails to managers.
The workflow gets the template from the EmailTemplateAdminDeletionNotification setting to send emails to admin users.
The workflow sends emails to each person in the SetGroup specified by the AdminManagementRoleGuids setting.