As an administrator, you can leverage EmpowerID to automate the process of deactivating and retiring stale user accounts based on your organization’s security policies. Rather than relying on time-consuming and potentially risky manual methods or scripts to mark accounts as inactive, disabling and deleting them based on policy, you can configure a few simple settings in EmpowerID. Not only does this remove the burden and risks associated with other methods, it provides a safety net to mitigate against accidental deletion of any user account by first marking the accounts for deactivation and notifying the managers of those users, as well as other administrators, that the accounts have been identified for cleanup. The managers and administrators must give approval before EmpowerID does anything further with them. If approved, EmpowerID moves those accounts into a designated OU within your directory (for account stores with OUs, like Active Directory), where they remain until their deletion undergoes a multi-step approval process. Accounts not approved for deletion are moved back to their originating OU. Additionally, EmpowerID provides “mock run” capabilities that allow you to generate reports of what would occur in your environment using this feature.

...

Account Store Directory Cleanup Settings
  • Directory Clean Up Enabled — This setting specifies whether the Submit Account Terminations permanent workflow should claim the account store for processing account terminations. When enabled, accounts in the account store that meet the qualifications are moved into a special OU within the external directory and disabled.

  • Report Only Mode (No Changes) — When enabled, EmpowerID generates a report of what the Directory Clean Up process would do if it was fully implemented. The process itself is ignored and all accounts are set to Termination Pending.

  • OU to Move Stale Accounts — This setting specifies the OU in the external directory to which accounts marked for termination are moved. The location must exist in the directory. This setting only appears on account stores with OUs, such as Active Directory.

The below image shows the Directory Cleanup Settings on an example account store.

...

SetGroups (Query-Based Collections)
  • Submit Account Terminations — This is a permanent workflow that claims user accounts meeting the criteria for cleanup in account stores (managed external user directories) where CleanUpEnabled is set to true. The workflow processes the claimed accounts based on the values given to the following parameters.

    • AdminManagementRoleGuids — This parameter specifies the GUID of the Management Role containing all people delegated to receive notification of accounts meeting the criteria for cleanup.

    • DisableAccountOnMove — This parameter takes a Boolean value of true or false. When set to true, the workflow disables the accounts when moved into the specified OU.

    • EmailTemplateAdminPreMoveNotification — This parameter specifies the email to be used when notifying admins that one or more user accounts have been selected to be moved to the specified OU.

    • EmailTemplateAdminMoveNotification — This parameter specifies the email template to be used when notifying admin users that one or more user accounts have been moved to the specified OU.

    • EmailTemplateManagerPreMoveNotification — This parameter specifies the email template to be used when notifying managers that one or more user accounts belonging to their direct reports have been selected to be moved to the specified OU.

    • EmailTemplateManagerMoveNotification — This parameter specifies the email template to be used when notifying managers that one or more user accounts belonging to their direct reports have been moved to the specified OU.

  • Submit Account Terminations Approval — This workflow creates an approval task and routes the task to all people belonging to the Management Role specified by the AdminManagementRoleGuids parameter set on the Submit Account Terminations workflow.

  • Terminate Account Advanced — This workflow claims all accounts approved for deletion and deletes them. For each account deleted, the workflow sends email notifications based on the values given to the following parameters:

    • AdminManagementRoleGuids — This parameter specifies the GUID of the Management Role containing all people delegated to receive notification of accounts that have been deleted.

    • EmailTemplateAdminDeletionNotification — This parameter specifies the email template to be used when notifying admin users that one or more user accounts have been deleted.

    • EmailTemplateManagerDeletionNotification — This parameter specifies the email template to be used when notifying managers that one or more user accounts belonging to their direct reports have been deleted.

    • NotifyAdminManagementRole — This parameter takes a Boolean value of true or false. When set to true, the workflow sends an email listing all user accounts that have been deleted to all admin users belonging to the Management Role specified by the AdminManagementRoleGuids parameter.

    • NotifyManager — This parameter takes a Boolean value of true or false. When set to true, the workflow sends an email to the managers of users whose user accounts have been deleted.

  • AccountGetPendingTerminationBeforeProcessing — This SetGroup contains all user accounts pending termination that have yet to be processed for termination. It is used to identify users who need to be notified that their accounts are pending termination and will be disabled (moved and disabled for applicable account stores, such as Active Directory). The default criteria for the accounts being placed in this SetGroup include the following:

    • CleanUp Mode is enabled on the account store with the user accounts and

    • The user account has not been deleted and

    • The user has logged in previously, but has not logged in within 7950 days of the current date or the user account has been disabled for greater than 8000 days and

    • The user account has yet to be transferred to the specified stale OU (where applicable) and

    • The user with the account (and all other specified pending termination notification assignees) have yet to be notified of the pending disabling and termination of the account, or were previously notified 50 days from the current date

  • AccountGetPendingTerminationNotProcessed — This SetGroup contains all user accounts that have yet to be processed for termination but have been notified that their accounts are pending termination. The default criteria for the accounts being placed in the SetGroup include the following:

    • CleanUp Mode is enabled on the account store with the user accounts and

    • The user account has not been deleted and

    • The user has logged in previously, but has not logged in within 7950 days of the current date or the user account has been disabled for greater than 8000 days and

    • The user account has yet to be transferred to the specified stale OU (where applicable) and

    • The user with the account (and all other specified pending notification assignees) have been notified of the pending disabling and termination of their account

  • AccountGetPendingTerminationProcessed — This SetGroup contains all user accounts that are ready for final termination. The default criteria for the accounts being placed in the SetGroup include the following:

    • CleanUp Mode is enabled on the account store with the user accounts and

    • The user account has not been deleted and

    • The user with the account has been notified of the pending termination and

    • The account has been disabled (disabled and moved where applicable) for 30 days

Info

If the account store does not have OUs, accounts identified for cleanup are not moved to a designated OU before deletion. All other processes remain the same.

Process Flow

The process for automating the deactivating and retiring of stale Active Directory user accounts is depicted in the below image. An explanation of the process follows the image.

...

The steps involved in the above process flow for the three workflows used in the cleanup process are as follows:

Submit Account Terminations workflow

  1. This workflow claims account stores where CleanUpEnabled is set to true and gets the following SetGroup GUIDs from Resource System Config Settings in order to process those groups:

    • AccountTerminationBeforeProcessingSetGroupGUID — This setting specifies the GUID of the SetGroup containing all people needing to receive notification of a pending move and disabling of a user account.

    • AccountTerminationNotProcessedSetGroupGUID — This setting specifies the GUID of the SetGroup containing all user accounts to be moved and disabled.

    • AccountTerminationProcessedSetGroupGUID — This setting specifies the GUID of the SetGroup containing all user accounts to be terminated. The workflow processes one account store at a time.

  2. The workflow then checks whether the CleanUpReportModeOnly setting is set to true on the account store. If it is, all account processing steps are skipped and the account’s AccountOrganizationStatusID is set to 3 (TerminationPending). This logs everything the workflow would do if Report Only Mode were turned off.

  3. If CleanUpReportModeOnly is turned off, the workflow checks whether the OU specified by the CleanUpStaleAccountOU setting has a valid external OrgZone (where applicable, such as Active Directory account stores). If the CleanUpStaleAccountOU setting on the account store is not valid, the account store is ignored and no user accounts are moved to a stale OU before being disabled and marked for termination. Otherwise, the workflow continues to claim and process the accounts.

  4. If the number of accounts in the account store reaches the threshold set on the ThresholdOnAccounts Resource System Config Setting, the SubmitAccTerminationsApproval workflow is invoked; otherwise, the accounts are moved to the OU specified by the CleanUpStaleAccountOU setting on the account store (where applicable).

  5. If the DisableAccountOnMove workflow parameter is set to true, the accounts are disabled when moved; otherwise, the accounts are moved without being disabled.

  6. When an account is moved, its AccountOrganizationStatusID is set to 5 (Transfer) and its TransferDate is set to the current date and time.

  7. Emails are sent to manager and admin after the account is moved. EmailTemplateManagerMoveNotification and EmailTemplateAdminMoveNotification are used as templates to send emails. The AdminManagementRoleGuids workflow parameter determines which admin users should receive the email notification.

  8. Once the emails are sent, an AssigneeNotification is inserted for that account so that it is not claimed again to send notifications before moving accounts.

  9. The accounts claimed earlier for termination will be processed by invoking the Terminate Account Advanced workflow for each account that is to be terminated.
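To make the SetGroup criteria above and steps 2 through 6 of the Submit Account Terminations flow concrete, here is a constructed Python simulation added for this page (not EmpowerID code); the Account and Store field names, function names and return strings are assumptions, while the status IDs and day counts are the page's defaults.

```python
from collections import namedtuple
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Status IDs and day counts are the page's defaults; everything else here is constructed.
TERMINATION_PENDING, TRANSFER = 3, 5
STALE_LOGON_DAYS, STALE_DISABLED_DAYS, RENOTIFY_DAYS, FINAL_DAYS = 7950, 8000, 50, 30
# Account store settings the workflow reads: CleanUpEnabled, CleanUpReportModeOnly,
# whether CleanUpStaleAccountOU is valid, DisableAccountOnMove and ThresholdOnAccounts.
Store = namedtuple("Store", "cleanup_enabled report_only stale_ou_valid disable_on_move threshold")

@dataclass
class Account:
    last_logon: Optional[datetime] = None
    disabled_since: Optional[datetime] = None
    notified_at: Optional[datetime] = None
    deleted: bool = False
    transferred: bool = False     # already moved to the stale OU
    status: Optional[int] = None  # AccountOrganizationStatusID

def setgroup(acct, store, now):
    """Which of the three SetGroups the account falls into, or None."""
    if not store.cleanup_enabled or acct.deleted:
        return None
    age = lambda d: (now - d).days if d else -1  # days since d, -1 if unset
    if acct.transferred:  # Processed: notified and disabled/moved for 30 days
        return "Processed" if age(acct.notified_at) >= 0 and age(acct.disabled_since) >= FINAL_DAYS else None
    if not (age(acct.last_logon) > STALE_LOGON_DAYS or age(acct.disabled_since) > STALE_DISABLED_DAYS):
        return None
    if age(acct.notified_at) < 0 or age(acct.notified_at) >= RENOTIFY_DAYS:
        return "BeforeProcessing"  # needs (re)notification before any move
    return "NotProcessed"          # notified, waiting to be moved and disabled

def submit_account_terminations(accounts, store, now):
    """Steps 2-6 of the page's flow for one account store; returns what happened."""
    pending = [a for a in accounts if setgroup(a, store, now) == "NotProcessed"]
    if store.report_only:  # log intent only, no directory changes
        for a in pending:
            a.status = TERMINATION_PENDING
        return "report-only"
    if not store.stale_ou_valid:
        return "ignored: invalid stale OU"
    if len(pending) >= store.threshold:
        return "approval required"
    for a in pending:
        a.transferred, a.status = True, TRANSFER
        if store.disable_on_move and a.disabled_since is None:
            a.disabled_since = now
    return f"moved {len(pending)}"
```

Running the same account set first in report-only mode and then with changes enabled shows why the mock run is a useful safety check: the first pass only stamps status 3, the second actually moves and disables.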

Submit Acc Terminations Approval workflow

...