...

Info

If the account store does not have OUs, accounts identified for cleanup are not moved to a designated OU before being disabled and ultimately deleted. All other processes remain the same.

Process Flow

The process for automatically deactivating and retiring stale user accounts is depicted in the image below. An explanation of the process follows the image.

...

The steps involved in the above process flow for the three workflows used in the cleanup process are as follows:

Submit Account Terminations workflow

  1. This workflow claims account stores where CleanUpEnabled is set to true and gets the following SetGroup GUIDs from Resource System Config Settings in order to process those groups:

    • AccountTerminationBeforeProcessingSetGroupGUID — This setting specifies the GUID of the SetGroup containing all people needing to receive notification of a pending move and disabling of a user account.

    • AccountTerminationNotProcessedSetGroupGUID — This setting specifies the GUID of the SetGroup containing all user accounts to be moved and disabled.

    • AccountTerminationProcessedSetGroupGUID — This setting specifies the GUID of the SetGroup containing all user accounts to be terminated.

     The workflow processes one account store at a time.

  2. The workflow then checks to see if the CleanUpReportModeOnly setting is set to true on the account store. If the setting is true, all the account processing steps are ignored and the account’s AccountOrganizationStatusID is set to 3 (TerminationPending). This logs everything that the workflow would do if Report Only Mode was turned off.

  3. If CleanUpReportModeOnly is turned off, the workflow checks to see if the OU specified by the CleanUpStaleAccountOU setting has a valid external OrgZone (where applicable, such as Active Directory account stores). If the CleanUpStaleAccountOU setting on the account store is not valid, user accounts will not be moved to a stale OU before being disabled and marked for termination.

  4. If the number of accounts in the account store reaches the specified threshold set on the ThresholdOnAccounts Resource System Config Setting value, the SubmitAccTerminationsApproval workflow is invoked; otherwise, the accounts are moved to the OU specified by the CleanUpStaleAccountOU setting on the account store (where applicable).

  5. If the DisabledAccountOnMove setting on the Workflow parameters is set to true, the accounts are disabled when moved.

  6. If an account is moved, the AccountOrganizationStatusID is set to 5 (Transfer) and the TransferDate on the account is set to the current date and time.

  7. Emails are sent to the manager and admin after the account is moved. EmailTemplateManagerMoveNotification and EmailTemplateAdminMoveNotification are used as templates to send the emails. The AdminManagementRoleGuids workflow parameter determines which admin users should receive the email notification.

  8. Once the emails are sent, an AssigneeNotification is inserted for that account so that it will not be claimed again to send notifications before moving accounts.

  9. The accounts claimed earlier for termination will be processed by invoking the Terminate Account Advanced workflow.
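
The branching in steps 1 through 7 can be dry-run offline before report-only mode is switched off. The following Python model is an added example, not EmpowerID workflow code: `AccountStore`, `stale_ou_valid` and `plan_cleanup` are hypothetical names, the setting names and status IDs are taken from the steps above, and "number of accounts" in step 4 is assumed to mean the accounts claimed for cleanup in the run.

```python
from dataclasses import dataclass
from typing import Optional

# Status IDs exactly as given in the steps above.
TERMINATION_PENDING, TRANSFER = 3, 5

@dataclass
class AccountStore:  # hypothetical container for the per-store settings
    CleanUpEnabled: bool
    CleanUpReportModeOnly: bool
    CleanUpStaleAccountOU: Optional[str]
    stale_ou_valid: bool  # hypothetical: outcome of the OrgZone check in step 3

def plan_cleanup(store, stale_accounts, ThresholdOnAccounts, DisabledAccountOnMove):
    """Return (route, {account: {"actions": [...], "status": int or None}})."""
    if not store.CleanUpEnabled:
        return "not_claimed", {}                    # step 1: store is never claimed
    if store.CleanUpReportModeOnly:                 # step 2: no processing, status 3
        return "report_only", {a: {"actions": [], "status": TERMINATION_PENDING}
                               for a in stale_accounts}
    can_move = bool(store.CleanUpStaleAccountOU) and store.stale_ou_valid  # step 3
    # Step 4 (assumption: the count is the accounts claimed for cleanup).
    if len(stale_accounts) >= ThresholdOnAccounts:
        return "approval_required", {}              # SubmitAccTerminationsApproval
    plan = {}
    for a in stale_accounts:
        if can_move:
            actions = ["move:" + store.CleanUpStaleAccountOU]
            if DisabledAccountOnMove:               # step 5
                actions.append("disable")
            actions += ["set_TransferDate", "notify_manager_and_admin"]  # steps 6-7
            plan[a] = {"actions": actions, "status": TRANSFER}
        else:
            # No valid stale OU: accounts are disabled without a move. The page
            # gives no status ID for this case, so none is assumed here.
            plan[a] = {"actions": ["disable"], "status": None}
    return "processed", plan

if __name__ == "__main__":
    # Constructed sample data.
    store = AccountStore(True, False, "OU=Stale,DC=example,DC=com", True)
    for label, threshold in (("below threshold", 10), ("at threshold", 2)):
        print(label, plan_cleanup(store, ["jdoe", "asmith"], threshold, True))
```

Comparing the modelled route for each account store against the report-only log shows up front which stores would go straight to move-and-disable and which would be held for approval.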

Submit Acc Terminations Approval workflow

  1. This workflow creates an approval task for all accounts belonging to the Management Role specified by the ApprovalApproverManagementRoleGUID parameter of the Submit Account Terminations workflow. At least one user belonging to the Management Role needs to select and approve each account to be terminated.

  2. Once a task is created for an account store, the TaskApprovalPendingStatus Resource System Config Setting is set to true. This prevents the system from recreating the task.

  3. If the task is approved, all accounts selected from the Task Approval Form of the workflow are disabled and moved, and the TaskApprovalPendingStatus setting is set to false.

Terminate Account Advanced workflow

  1. This workflow claims all accounts approved for termination, then moves and terminates each one, setting the AccountOrganizationStatusID to 2 (Terminated).

  2. Once an account is terminated, the workflow checks whether the NotifyManager and the NotifyAdminManagementRole parameters are set to true.

  3. If NotifyManager and NotifyAdminManagementRole are set to true, the workflow checks the EmailTemplateManagerDeletionNotification and the EmailTemplateAdminDeletionNotification parameters for the email template that is to be used to send emails to the managers of each terminated user, as well as all admin users belonging to the Management Role specified by the AdminManagementRoleGuids parameter.

...

Next Steps

Configure automated directory cleanup
