...
The process involves a number of account store and resource system settings, EmpowerID system settings, workflows, Sets and SetGroups. Each of these settings can be enabled and configured to suit your particular security needs. Sets and SetGroups are configured out of the box but can be customized as needed. The settings, workflows, Sets and SetGroups, and their functions within the cleanup process, are described below.
The below image shows the Directory Cleanup Settings on an example account store.
These settings are used by the Submit Account Terminations workflow.
▪ ApprovalApproverManagementRoleGUID — This setting specifies the GUID of the Management Role containing people who should receive notification that they need to approve the deletion of the stale accounts selected for termination.
▪ SubmitAccountTerminationsApprovalInitiatorPersonID — This setting specifies the PersonID of the EmpowerID Person used to approve account terminations. As a best practice, the Person account you use should not belong to an actual EmpowerID user.
▪ TaskApprovalPendingStatus — This setting is a Boolean that specifies whether a task for the account store is pending approval. The value is set by the Submit Account Terminations workflow when a task has been submitted for approval. This prevents the task from being created more than once.
▪ TerminationAccountAdvancedInitiatorPersonID — This setting specifies the PersonID of the EmpowerID Person used to initiate the TerminateAccountAdvanced workflow. This workflow is used by the EmpowerID system to terminate all people submitted to it. As a best practice, the Person account you use should not belong to an actual EmpowerID user.
▪ TerminationNotProcessedSetGroupGUID — This setting specifies the GUID of the SetGroup containing all user accounts to be moved and disabled.
▪ TerminationBeforeProcessingSetGroupGUID — This setting specifies the GUID of the SetGroup containing all people needing to receive notification of a pending move and disabling of a user account.
▪ TerminationProcessedSetGroupGUID — This setting specifies the GUID of the SetGroup containing all user accounts to be terminated. Accounts belonging to the respective SetGroup are claimed one account store at a time.
▪ ThresholdOnAccounts — This setting specifies the maximum number of user accounts that can be processed at a given time.
The below image shows the Configuration Parameters for the resource system associated with an example account store.
...
This workflow claims all accounts approved for termination, then moves and terminates each one, setting AccountOrganizationStatusID = 2 (Terminated).
Once an account is terminated, the workflow checks whether the NotifyManager and the NotifyAdminManagementRole parameters are set to true.
If NotifyManager and NotifyAdminManagementRole are set to true, the workflow checks the EmailTemplateManagerDeletionNotification and the EmailTemplateAdminDeletionNotification parameters for the email templates to use when sending emails to the managers of each terminated user, as well as to all admin users belonging to the Management Role specified by the AdminManagementRoleGuids parameter.
...
Next Steps
Configure automated directory cleanup