Versions Compared

Old Version 8

changes.mady.by.user Phillip Hanegan

Saved on

compared with

New Version 9

changes.mady.by.user Phillip Hanegan

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

The process involves a number of account store and resource system settings, EmpowerID system settings and permanent workflows, workflows, Sets and SetGroups. Each of these settings can be enabled and configured to run based on your own particular security needs. Sets and SetGroups are configured out of the box but can be customized as needed. These settings and permanent , workflows, Sets and SetGroups and their function within the cleanup process include the following.

Expand
titleAccount Store Directory Cleanup Settings

  • Directory Clean Up Enabled — This setting specifies whether the Submit Account Terminations permanent workflow should claim the account store for processing account terminations. When enabled, accounts in the account store that meet the qualifications are moved into a special OU within the external directory and disabled.

  • Report Only Mode (No Changes) — When enabled, EmpowerID generates a report of what the Directory Clean Up process would do if it was fully implemented. The process itself is ignored and all accounts are set to Termination Pending.

  • OU to Move Stale Accounts — This setting specifies the external directory in which to move accounts marked for termination. The OU must exist in Active Directory.

The below image shows the Directory Cleanup Settings on an example account store.

Image Added

Expand
titleResource System SettingsConfiguration Parameters

These settings are used by the Submit Account Terminations workflow.

  • ApprovalApproverManagementRoleGUID — This setting specifies the GUID of the Management Role containing people who should receive notification that they need to approve the deletion of the stale accounts selected for termination.

  • SubmitAccountTerminationsApprovalInitiatorPersonID — This setting specifies the PersonID of the EmpowerID Person used to approve account terminations.

  • TaskApprovalPendingStatus — This setting is a Boolean that specifies whether a task for the account store is pending approval. The value is set by the Submit Account Terminations workflow when a task has been submitted for approval. This prevents the task from being created more than one time.

  • TerminationAccountAdvancedInitiatorPersonID — This setting specifies the PersonID of the EmpowerID Person used to initiate the TerminateAccountAdvanced workflow. This workflow is used by the EmpowerID system to terminate all people submitted to it. As a best practice, the Person account you use should not belong to an actual EmpowerID user.

  • TerminationNotProcessedSetGroupGUID — This setting specifies the GUID of the SetGroup containing all user accounts to be be moved and disabled.

  • TerminationBeforeProcessingSetGroupGUID — This setting specifies the GUID of the SetGroup containing all people needing to receive notification of a pending move and disabling of a user account.

  • TerminationProcessedSetGroupGUID — This setting specifies the GUID of the SetGroup containing all user accounts to be terminated. Claims the accounts of one account store at at time belonging to the respective SetGroup.

  • ThresholdOnAccounts — This setting specifies the maximum number of user accounts that can be processed at a given time.

The below image shows the Configuration Parameters for the resource system associated with an example account store.

Image Added

Expand
titleWorkflows

  • Submit Account Terminations — This is a permanent workflow that claims user accounts meeting the criteria for cleanup in account stores (managed external user directories) where CleanUpEnabled is set to true. The workflow processes the claimed accounts based on the values given to the following parameters.

    • AdminManagementRoleGuids — This parameter specifies the GUID of the Management Role containing all people delegated to receive notification of accounts meeting the criteria for cleanup.

    • DeleteAccountXDaysAfterMove — This parameter

    • DisableAccountOnMove — This parameter takes a Boolean value of true or false. When set to true, the workflow disables the accounts when moved into the specified OU.

    • EmailTemplateAdminPreMoveNotification — This parameter specifies the email to be used when notifying admins that one or move more user accounts have been selected to be moved to the specified OU.

    • EmailTemplateAdminMoveNotification — This parameter specifies the email template to be used when notifying admin users that one or more user accounts have been moved to the specified OU.

    • EmailTemplateManagerPreMoveNotification — This parameter specifies the email template to be used when notifying managers that one or more user accounts belonging to their direct reports have been selected to be moved to the specified OU..

    • EmailTemplateManagerMoveNotification — This parameter specifies the email template to be used when notifying managers that one or more user accounts belonging to their direct reports have been moved to the specified OU.

    • EmailXDaysBeforeMove — This parameter

    • MoveAccountXDaysDisabled — This parameter

    • MoveAccountXDaysNoLogin — This parameter

  • Submit Account Terminations Approval — This workflow creates an approval task and routes the task to all people belonging to the Management Role specified by the AdminManagementRoleGuids parameter set on the Submit Account Terminations workflow.

  • Terminate Account Advanced — This workflow claims all accounts approved for deletion and deletes them. For each account deleted, the workflow sends email notifications based on the values given to the following parameters:

    • AdminManagementRoleGuids — This parameter specifies the GUID of the Management Role containing all people delegated to receive notification of accounts that have been deleted.

    • EmailTemplateAdminDeletionNotification — This parameter specifies the email to be used when notifying admin users that one or more user accounts have been deleted.

    • EmailTemplateManagerDeletionNotification — This parameter specifies the email to be used when notifying managers users that one or more user accounts belonging to their direct reports have been deleted.

    • NotifyAdminManagementRole — This parameter takes a Boolean value of true or false. When set to true, the workflow sends an email listing all user accounts that have been deleted to all admin users belonging to the Management Role specified by the AdminManagementRoleGuids parameter.

    • NotifyManager — This parameter takes a Boolean value of true or false. When set to true, the workflow sends an email to the managers of users with user accounts that have been deleted.

      The below image shows the parameters for the Terminate Account Advanced workflow.

Process Flow

SubmitAccountTerminations workflow

...

The process for automating the deactivating and retiring of stale Active Directory user accounts is depicted in the below image. An explanation of the process follows the image.

...

Submit Account Terminations workflow

  1. This workflow claims account stores where CleanUpEnabled is set to true and gets the following SetGroup GUIDS from Resource System Config Settings in order to process those groups:

    • TerminationBeforeProcessingSetGroupGUID To notify before Move and Disable

    • TerminationNotProcessedSetGroupGUID — To Move and Disable

    • TerminationProcessedSetGroupGUID — To Terminate. Processes This setting specifies the GUID of the SetGroup containing all people needing to receive notification of a pending move and disabling of a user account.

    • TerminationNotProcessedSetGroupGUID — This setting specifies the GUID of the SetGroup containing all user accounts to be be moved and disabled.

    • TerminationProcessedSetGroupGUID — This setting specifies the GUID of the SetGroup containing all user accounts to be terminated. The workflow processes one account store at a time, claiming all accounts in an account store that is in the SetGroup.

  2. If CleanUpReportModeOnly is set to true, all the account processing steps are ignored and the account’s AccountOrganizationStatusID is set to 3 (TerminationPending). This logs everything that the workflow would do if Report Only Mode was turned off.

  3. Else if CleanUpReportModeOnly is turned off and whether CleanUpStaleAccountOU has a valid External OrgZone.

  4. If the CleanUpStaleAccountOU setting on the account store is not valid, the account store is ignored, No accounts will be disabled and moved. Else it continues to claim the accounts and process the claimed accounts.

  5. If the number of accounts in the account store reaches the specified threshold, the SubmitAccTerminationsApproval workflow is invoked.

  6. Else if the number of accounts of the account store is under the ThresholdOnAccounts Resource System Config Setting value, SubmitAccountTerminations workflow moves the accounts to the OU specified by the CleanUpStaleAccountOU setting.

  7. If the DisabledAccountOnMove setting on the Workflow parameters is set to true, the accounts are disabled when moved. Else ; else the accounts are not disabled and moved.

  8. When an account is moved, the AccountOrganizationStatusID is set to 5 (Transfer) and the TransferDate is set to current date and time on the account.

  9. Emails are sent to manager and admin after the account is moved. EmailTemplateManagerMoveNotification and EmailTemplateAdminMoveNotification are used as templates to send emails.

  10. The AdminManagementRoleGuids workflow parameter determines which admin users should receive the email notification.

  11. Once the emails are sent, an AssigneeNotification is inserted for that

...

  1. account and will not be claimed again to send notifications before moving accounts.

  2. The

...

  1. accounts claimed earlier

...

  1. for termination will be processed by

...

  1. invoking the Terminate Account Advanced workflow for each

...

  1. account that is to be terminated.

...

Submit Acc Terminations Approval workflow

...

  1. This workflow creates

...

  1. an approval task for all accounts belonging to the Management Role specified by

...

  1. the ApprovalApproverManagementRoleGUID parameter of the Submit Account Terminations workflow. At least one user belonging to the Management Role needs to select and approve each account to be terminated.

  2. Once a task is created for

...

  1. an account store, the TaskApprovalPendingStatus Resource System Config Setting is set to true. This prevents the system from

...

  1. recreating the task

...

  1. .

  2. If the task is approved, all

...

  1. accounts selected from the Task Approval Form of the workflow are disabled and moved,

...

  1. and

...

  1. the TaskApprovalPendingStatus setting is set to false.

...

Terminate Account Advanced workflow

  1. This workflow claims

...

  1. all accounts approved for termination, moves and terminates

...

  1. each one, setting the AccountOrganizationStatusID =

...

  1. 2 (Terminated).

  2. Once

...

  1. an account is terminated,

...

  1. the workflow checks whether the NotifyManager and

...

The workflow gets the template from the EmailTemplateManagerDeletionNotification setting in order to send emails to managers.

...

The workflow gets the template from the EmailTemplateAdminDeletionNotification to send emails to admin users.

...

The workflow send emails to each person in the SetGroup specified by the AdminManagementRoleGuids setting.

...

  1. the NotifyAdminManagementRole parameters are set to true.

  2. If NotifyManager and NotifyAdminManagementRole are set to true, the workflow checks the EmailTemplateManagerDeletionNotification and the EmailTemplateAdminDeletionNotification parameters for the email template that is to be used to send emails to the managers of each terminated user, as well as all admin users belonging to the Management Role specified by the AdminManagementRoleGuids parameter.