
The process involves a number of account store and resource system settings, EmpowerID system settings and permanent workflows. Each of these can be enabled and configured to run based on your own particular security needs. These settings and permanent workflows, and their function within the cleanup process include the following.

Account Store Settings
  • Directory Clean Up Enabled — This setting specifies whether the Submit Account Terminations permanent workflow should claim the account store for processing account terminations. When enabled, accounts in the account store that meet the qualifications are moved into a special OU within the external directory and disabled.

  • Report Only Mode (No Changes) — When enabled, EmpowerID generates a report of what the Directory Clean Up process would do if it was fully implemented. The process itself is ignored and all accounts are set to Termination Pending.

  • OU to Move Stale Accounts — This setting specifies the OU in the external directory into which accounts marked for termination are moved. The OU must exist in Active Directory.

Resource System Settings
  • ApprovalApproverManagementRoleGUID — This setting specifies the GUID of the Management Role containing people who should receive notification that they need to approve the accounts selected for termination.

  • SubmitAccountTerminationsApprovalInitiatorPersonID — This setting specifies the PersonID of the EmpowerID Person used to approve account terminations.

  • TaskApprovalPendingStatus — This setting is a Boolean that specifies whether a task for the account store is pending approval. The value is set by the Submit Account Terminations workflow when a task has been submitted for approval. This prevents the task from being created more than one time.

  • TerminationAccountAdvancedInitiatorPersonID — This setting specifies the PersonID of the EmpowerID Person used to initiate the TerminateAccountAdvanced workflow. This workflow is used by the EmpowerID system to terminate all people submitted to it. As a best practice, the Person account you use should not belong to an actual EmpowerID user.

  • TerminationNotProcessedSetGroupGUID — This setting specifies the GUID of the SetGroup containing all user accounts to be moved and disabled.

  • TerminationBeforeProcessingSetGroupGUID — This setting specifies the GUID of the SetGroup containing all people who need to receive notification of a pending move and disabling of a user account.

  • TerminationProcessedSetGroupGUID — This setting specifies the GUID of the SetGroup containing all user accounts to be terminated.

  • ThresholdOnAccounts — This setting specifies the maximum number of user accounts that can be processed at a given time.

Workflows
  • Submit Account Terminations — This is a permanent workflow that claims user accounts meeting the criteria for cleanup in account stores (managed external user directories) where CleanUpEnabled is set to true. The workflow processes the claimed accounts based on the values given to the following parameters.

    • AdminManagementRoleGuids — This parameter specifies the GUIDs of the Management Roles containing all people delegated to receive the admin email notifications.

    • DeleteAccountXDaysAfterMove

    • DisableAccountOnMove — This parameter takes a Boolean value of true or false. When set to true, the workflow disables the accounts when they are moved into the specified OU.

    • EmailTemplateAdminPreMoveNotification — This parameter specifies the email template to be used when notifying admins that one or more user accounts have been selected to be moved.

    • EmailTemplateAdminMoveNotification — This parameter specifies the email template to be used when notifying admin users that one or more user accounts have been moved to the specified OU.

    • EmailTemplateManagerPreMoveNotification — This parameter specifies the email template to be used when notifying managers that one or more user accounts belonging to their direct reports have been selected to be moved.

    • EmailTemplateManagerMoveNotification — This parameter specifies the email template to be used when notifying managers that one or more user accounts belonging to their direct reports have been moved to the specified OU.

    • EmailXDaysBeforeMove

    • MoveAccountXDaysDisabled

    • MoveAccountXDaysNoLogin

  • Submit Account Termination Approval — This workflow sends notifications to managers and other administrators that certain user accounts within an account store have been marked for deactivation. If deactivation is approved, the workflow disables those accounts and moves them to the designated OU.

  • Terminate Account Advanced — This workflow terminates user accounts in the external directory.

Process Flow

SubmitAccountTerminations workflow

  1. The workflow claims account stores where CleanUpEnabled is set to true and gets the following SetGroup GUIDs from the Resource System Config Settings in order to process those groups:

    • TerminationNotProcessedSetGroupGUID — accounts to move and disable

    • TerminationBeforeProcessingSetGroupGUID — accounts to notify about before the move and disable

    • TerminationProcessedSetGroupGUID — accounts to terminate

    The workflow processes one account store at a time, claiming all accounts in that account store that are in the SetGroup.

  2. The workflow checks whether CleanUpReportModeOnly is turned off and whether CleanUpStaleAccountOU refers to a valid External OrgZone.

  3. If the CleanUpStaleAccountOU setting on the account store is not valid, the account store is ignored. No accounts will be disabled and moved.

  4. If the number of accounts in the account store is under the ThresholdOnAccounts Resource System Config Setting value, EmpowerID moves the accounts to the OU specified by the CleanUpStaleAccountOU setting.

  5. When an account is moved, the AccountOrganizationStatusID is set to 5 (Transfer) and the TransferDate is set to current date and time on the account.

  6. If the DisableAccountOnMove workflow parameter is set to true, the accounts are disabled when moved.

  7. Emails are sent to the manager and admins after the account is moved. EmailTemplateManagerMoveNotification and EmailTemplateAdminMoveNotification are used as the templates for these emails.

  8. The AdminManagementRoleGuids workflow parameter determines which admin users should receive the email notification.

  9. When the number of accounts in the account store reaches the specified threshold, the workflow creates a task for all people belonging to the Management Role specified by the ApprovalApproverManagementRoleGUID setting to select and approve each account to be terminated. This is done by invoking the SubmitAccTerminationsApproval workflow.

  10. Once a task is created for an AccountStore, the “TaskApprovalPendingStatus” ResourceSystemConfigSetting is set to true. This prevents the task from being created repeatedly.

  11. If the task is approved, all the accounts selected in the Task Approval Form are disabled and moved, and the “TaskApprovalPendingStatus” setting is set to false.

  12. Accounts that need to be notified about before moving are processed one by one to send email notifications to the admins and manager. “EmailTemplateManagerPreMoveNotification” and “EmailTemplateAdminPreMoveNotification” are used as the templates for these emails.

  13. Once the emails are sent, an AssigneeNotification is inserted for that account, so it is not claimed again for pre-move notifications.

  14. The accounts claimed earlier for termination are processed by invoking the TerminateAccountAdvanced workflow for each account to terminate.

  15. If CleanUpReportModeOnly is set to true, all the above steps are ignored and the account’s AccountOrganizationStatusID is set to 3 (TerminationPending). This logs everything that the workflow would do if Report Only Mode was turned off.

TerminateAccountAdvanced workflow

  1. This workflow claims the account, terminates it and sets the AccountOrganizationStatusID = 2.

  2. Once the account is terminated, it checks the NotifyManager and NotifyAdminManagementRole settings in order to send emails to all specified admins and managers.

  3. The workflow gets the template from the EmailTemplateManagerDeletionNotification setting in order to send emails to managers.

  4. The workflow gets the template from the EmailTemplateAdminDeletionNotification to send emails to admin users.

  5. The workflow sends emails to each person in the SetGroup specified by the AdminManagementRoleGuids setting.
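To make the decision order of the two flows above concrete, here is an added Python model (not EmpowerID code; the class and function names are assumptions) of how one account store is handled: report-only mode records status 3 and changes nothing else, an invalid CleanUpStaleAccountOU causes the store to be ignored, reaching ThresholdOnAccounts hands off to approvers exactly once via the TaskApprovalPendingStatus flag, and termination sets status 2.

```python
from dataclasses import dataclass, field
from typing import Optional

# AccountOrganizationStatusID values named in the process flow above
STATUS_TERMINATED = 2
STATUS_TERMINATION_PENDING = 3
STATUS_TRANSFER = 5


@dataclass
class Account:
    name: str
    status: Optional[int] = None
    disabled: bool = False
    ou: Optional[str] = None


@dataclass
class AccountStore:
    cleanup_enabled: bool                 # Directory Clean Up Enabled
    report_mode_only: bool                # Report Only Mode (No Changes)
    stale_account_ou: Optional[str]       # CleanUpStaleAccountOU; None models an invalid OrgZone
    task_approval_pending: bool = False   # TaskApprovalPendingStatus resource setting
    notifications: list = field(default_factory=list)  # (kind, account) pairs, stands in for email


def submit_account_terminations(store, to_move, threshold, disable_on_move):
    """Model of steps 1-10 and 15 for the To Move and Disable SetGroup of one store."""
    if not store.cleanup_enabled:                    # step 1: store is never claimed
        return "not claimed: CleanUpEnabled is false"
    if store.report_mode_only:                       # step 15: log intent, change nothing else
        for acct in to_move:
            acct.status = STATUS_TERMINATION_PENDING
        return "report only"
    if store.stale_account_ou is None:               # steps 2-3: invalid OU, store is ignored
        return "ignored: invalid CleanUpStaleAccountOU"
    if len(to_move) >= threshold:                    # steps 9-10: hand off to approvers once
        if store.task_approval_pending:
            return "approval task already pending"
        store.task_approval_pending = True
        return "approval task created"
    for acct in to_move:                             # steps 4-8: move, disable, notify
        acct.ou, acct.status = store.stale_account_ou, STATUS_TRANSFER
        acct.disabled = disable_on_move
        store.notifications.append(("move", acct.name))
    return f"moved {len(to_move)} accounts"


def terminate_account_advanced(store, acct):
    """Model of the per-account termination flow: status 2, then deletion notices."""
    acct.status = STATUS_TERMINATED
    store.notifications.append(("deletion", acct.name))
    return acct.status
```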