As an administrator, you can leverage EmpowerID to automate the process of deactivating and retiring stale Active Directory user accounts based on your organization’s security policies. Rather than relying on time-consuming and potentially risky manual methods or scripts to mark accounts as inactive and to disable and delete them based on policy, you can configure a few simple settings in EmpowerID. Not only does this remove the burden and risks associated with other methods, it provides a safety net against accidental deletion of any user account: EmpowerID first marks the accounts for deactivation and notifies the managers of those users, as well as other administrators, that the accounts have been identified for cleanup. The managers and administrators must give approval before EmpowerID does anything further with them. If approved, EmpowerID moves those accounts into a designated OU within your directory (for account stores with OUs, such as Active Directory), where they remain until their deletion undergoes a multi-step approval process. Accounts not approved for deletion are moved back to their originating OU. Additionally, EmpowerID provides “mock run” capabilities that allow you to generate reports of what would occur in your environment using this feature.
The process involves a number of account store and resource system settings, EmpowerID system settings and permanent workflows, workflows, Sets and SetGroups. Each of these settings can be enabled and configured to run based on your own particular security needs. The settings and permanent workflows, and their function within the cleanup process, include the following. Sets and SetGroups are configured out of the box but can be customized as needed.
The below image shows the Directory Cleanup Settings on an example account store. |
▪ ApprovalApproverManagementRoleGUID – This setting specifies the GUID of the Management Role containing the people who should receive notification that they need to approve the deletion of the stale accounts selected for termination.
▪ SubmitAccountTerminationsApprovalInitiatorPersonID – This setting specifies the PersonID of the EmpowerID Person used to approve account terminations. As a best practice, the Person account you use should not belong to an actual EmpowerID user.
▪ TaskApprovalPendingStatus – This setting is a Boolean that specifies whether a task for the account store is pending approval. The value is set by the Submit Account Terminations workflow when a task has been submitted for approval. This prevents the task from being created more than once.
▪ TerminationAccountAdvancedInitiatorPersonID – This setting specifies the PersonID of the EmpowerID Person used to initiate the TerminateAccountAdvanced workflow. This workflow is used by the EmpowerID system to terminate all people submitted to it. As a best practice, the Person account you use should not belong to an actual EmpowerID user.
▪ TerminationNotProcessedSetGroupGUID – This setting specifies the GUID of the SetGroup containing all user accounts to be moved and disabled.
▪ TerminationBeforeProcessingSetGroupGUID – This setting specifies the GUID of the SetGroup containing all people who need to receive notification of a pending move and disabling of a user account.
▪ TerminationProcessedSetGroupGUID – This setting specifies the GUID of the SetGroup containing all user accounts to be terminated. The workflow claims the accounts of one account store at a time that belong to this SetGroup.
▪ ThresholdOnAccounts – This setting specifies the maximum number of user accounts that can be processed at a given time.
The below image shows the Configuration Parameters for the resource system associated with an example account store.
Info: If the account store does not have OUs, accounts identified for cleanup are not moved to a designated OU before being disabled and ultimately deleted. All other processes remain the same.
Process Flow
SubmitAccountTerminations workflow
The process for automating the deactivation and retirement of stale user accounts is depicted in the below image. An explanation of the process follows the image.
[Image: SubmitAccountTerminations workflow process flow diagram]
The steps involved in the above process flow for the three workflows used in the cleanup process are as follows:
Submit Account Terminations workflow
This workflow claims account stores where CleanUpEnabled is set to true and gets the following SetGroup GUIDs from the Resource System Config Settings in order to process those groups:
TerminationNotProcessedSetGroupGUID — To Move and Disable
TerminationBeforeProcessingSetGroupGUID — To notify before Move and Disable
TerminationProcessedSetGroupGUID — To Terminate
The workflow processes one account store at a time, claiming all accounts in that account store that belong to the SetGroup.
The workflow checks whether CleanUpReportModeOnly is turned off and whether CleanUpStaleAccountOU has a valid external OrgZone.
The workflow then checks whether the CleanUpReportModeOnly setting is set to true on the account store. If it is, all the account processing steps are skipped and each account’s AccountOrganizationStatusID is set to 3 (TerminationPending). This logs everything that the workflow would do if Report Only Mode were turned off.
If CleanUpReportModeOnly is turned off, the workflow checks whether the OU specified by CleanUpStaleAccountOU has a valid external OrgZone (where applicable, such as for Active Directory account stores). If the CleanUpStaleAccountOU setting on the account store is not valid, the account store is ignored: no user accounts are moved to a stale OU before being disabled and marked for termination.
If the number of accounts in the account store reaches the threshold set in the ThresholdOnAccounts Resource System Config Setting, the SubmitAccTerminationsApproval workflow is invoked; otherwise, the accounts are moved to the OU specified by the CleanUpStaleAccountOU setting on the account store (where applicable).
If the DisabledAccountOnMove workflow parameter is set to true, the accounts are disabled when moved.
If an account is moved, its AccountOrganizationStatusID is set to 5 (Transfer) and its TransferDate is set to the current date and time.
Emails are sent to the manager and admin after the account is moved, using EmailTemplateManagerMoveNotification and EmailTemplateAdminMoveNotification as templates. The AdminManagementRoleGuids workflow parameter determines which admin users receive the email notification. Once the emails are sent, an AssigneeNotification is inserted for that account so that it is not claimed again to send notifications before moving accounts.
The accounts claimed earlier for termination are processed by invoking the Terminate Account Advanced workflow.
Submit Acc Terminations Approval workflow
This workflow creates an approval task for the people belonging to the Management Role specified by the ApprovalApproverManagementRoleGUID parameter of the Submit Account Terminations workflow. At least one user belonging to the Management Role needs to select and approve each account to be terminated. The Submit Account Terminations workflow invokes the SubmitAccTerminationsApproval workflow for this purpose.
Once a task is created for an account store, the TaskApprovalPendingStatus Resource System Config Setting is set to true. This prevents the system from recreating the task again and again.
If the task is approved, all the accounts selected on the Task Approval Form of the workflow are disabled and moved, and the TaskApprovalPendingStatus setting is set to false.
Accounts that need to be notified before being moved are processed one by one to send email notifications to the admin and manager. EmailTemplateManagerPreMoveNotification and EmailTemplateAdminPreMoveNotification are used as the templates for these emails.
Once the emails are sent, an AssigneeNotification is inserted for that account so that it is not claimed again to send notifications before moving accounts.
The accounts claimed earlier for termination are processed by invoking the Terminate Account Advanced workflow.
If CleanUpReportModeOnly is set to true, all the above steps are skipped and the account’s AccountOrganizationStatusID is set to 3 (TerminationPending). This logs everything that the workflow would do if Report Only Mode were turned off.
Terminate Account Advanced workflow
This workflow claims all accounts approved for termination, moves and terminates each one, and sets its AccountOrganizationStatusID to 2 (Terminated).
Once an account is terminated, the workflow checks the NotifyManager and NotifyAdminManagementRole parameters to decide whether to send emails to the specified managers and admins.
If NotifyManager and NotifyAdminManagementRole are set to true, the workflow takes the email templates from the EmailTemplateManagerDeletionNotification and EmailTemplateAdminDeletionNotification parameters and sends emails to the manager of each terminated user, as well as to all admin users belonging to the Management Role specified by the AdminManagementRoleGuids parameter.
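The branching described across the three workflows above, written out as an added executable model. This is example code, not EmpowerID's own implementation: the AccountStore and Account dataclasses, the function names, and the stale_ou_valid and assignee_notification fields are assumptions made for the example; the setting names, AccountOrganizationStatusID values (3, 5, 2) and decision rules are the ones the page states. It also models the two guards a reviewer would want to see enforced, the TaskApprovalPendingStatus check that stops a pending task being recreated and the AssigneeNotification check that stops a pre-move notification being sent twice.

```python
"""Model of the EmpowerID directory-cleanup decision flow (added example, not EmpowerID code)."""
from dataclasses import dataclass
from typing import Optional

# AccountOrganizationStatusID values named on the page
STATUS_TERMINATED = 2            # set by Terminate Account Advanced
STATUS_TERMINATION_PENDING = 3   # set when CleanUpReportModeOnly is true (mock run)
STATUS_TRANSFER = 5              # set when an account is moved to CleanUpStaleAccountOU

@dataclass
class AccountStore:                          # assumed shape, not EmpowerID's object model
    name: str
    clean_up_enabled: bool = True            # CleanUpEnabled
    clean_up_report_mode_only: bool = False  # CleanUpReportModeOnly
    stale_ou_valid: bool = True              # assumption: CleanUpStaleAccountOU resolves to an OrgZone
    threshold_on_accounts: int = 100         # ThresholdOnAccounts
    task_approval_pending: bool = False      # TaskApprovalPendingStatus

@dataclass
class Account:                               # assumed shape, not EmpowerID's object model
    name: str
    status_id: Optional[int] = None          # AccountOrganizationStatusID
    disabled: bool = False
    in_stale_ou: bool = False
    transfer_date: Optional[str] = None      # TransferDate
    assignee_notification: bool = False      # pre-move AssigneeNotification already inserted

def move_and_disable(acct, disable_on_move, now, audit):
    """Move to the stale OU, stamp Transfer status and date, optionally disable, notify."""
    acct.in_stale_ou = True
    acct.status_id = STATUS_TRANSFER
    acct.transfer_date = now
    if disable_on_move:                      # DisabledAccountOnMove workflow parameter
        acct.disabled = True
    audit.append(f"{acct.name}: moved; manager/admin move notification sent")

def notify_before_move(accounts):
    """Pre-move notification for the BeforeProcessing SetGroup; each account is notified once."""
    sent = 0
    for acct in accounts:
        if acct.assignee_notification:       # AssigneeNotification stops a second claim
            continue
        acct.assignee_notification = True
        sent += 1
    return sent

def request_approval(store, count):
    """Submit Acc Terminations Approval, task side: never recreate a pending task."""
    if store.task_approval_pending:
        return ["approval task already pending; not recreated"]
    store.task_approval_pending = True
    return [f"approval task created for {count} accounts"]

def submit_account_terminations(store, not_processed, disable_on_move=True, now="2024-01-01T00:00Z"):
    """Submit Account Terminations: per-store decisions, returned as an audit list."""
    audit = []
    if not store.clean_up_enabled:
        return ["store skipped: CleanUpEnabled is false"]
    if store.clean_up_report_mode_only:      # mock run: record intent, touch nothing else
        for acct in not_processed:
            acct.status_id = STATUS_TERMINATION_PENDING
            audit.append(f"{acct.name}: report only, TerminationPending")
        return audit
    if not store.stale_ou_valid:
        return ["store skipped: CleanUpStaleAccountOU is not a valid OrgZone"]
    if len(not_processed) >= store.threshold_on_accounts:
        return request_approval(store, len(not_processed))
    for acct in not_processed:
        move_and_disable(acct, disable_on_move, now, audit)
    return audit

def apply_approval(store, accounts, approved, disable_on_move=True, now="2024-01-01T00:00Z"):
    """Submit Acc Terminations Approval, decision side: act only on the selected accounts."""
    audit = []
    for acct in accounts:
        if acct.name in approved:
            move_and_disable(acct, disable_on_move, now, audit)
    store.task_approval_pending = False      # task closed; a later run may create a new one
    return audit

def terminate_account_advanced(accounts, notify_manager=True, notify_admin_role=True):
    """Terminate Account Advanced: terminate each claimed account, then notify."""
    audit = []
    for acct in accounts:
        acct.status_id = STATUS_TERMINATED
        audit.append(f"{acct.name}: terminated")
        if notify_manager:                   # EmailTemplateManagerDeletionNotification
            audit.append(f"{acct.name}: manager deletion notification sent")
        if notify_admin_role:                # EmailTemplateAdminDeletionNotification
            audit.append(f"{acct.name}: admin deletion notification sent")
    return audit
```

A typical run with a constructed store whose ThresholdOnAccounts is 2 and three stale accounts: submit_account_terminations returns a single "approval task created" entry instead of moving anything, a second call returns "already pending", apply_approval then moves and disables only the accounts the approver selected and clears the pending flag, and terminate_account_advanced sets status 2 on the accounts handed to it. With clean_up_report_mode_only set, the same input only stamps status 3 and leaves the OU and disabled state untouched, which is what makes the mock run safe to use for a report before enabling cleanup.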
Next Steps
Configure automated directory cleanup