Configure automated directory cleanup

As an administrator, you can use EmpowerID to automate the deactivation and retirement of stale user accounts according to your organization's security policies. Rather than relying on time-consuming and potentially risky manual methods or scripts to mark accounts as inactive and then disable and delete them, you configure a few settings in EmpowerID. This topic outlines how to automate directory cleanup for any directory EmpowerID manages.

Overview of the steps involved with configuring automated directory cleanup

Step

Details


1 - Create an EmpowerID Person account

This Person account is used by the system to initiate the workflows that the directory cleanup process runs.

2 - Grant access to directory cleanup workflows

Grant the Person account Initiator access to the following workflows:

  • SubmitAccTerminationsApproval

  • TerminateAccountAdvanced

3 - Create the approval Management Role

This Management Role contains all people who need to receive notification of pending terminations. People in this role include managers of users with accounts marked for deletion, as well as administrative users with the ability to approve the disabling and termination of stale accounts.

4 - Configure workflow parameters

Configure the parameters of the following workflows:

  • TerminateAccountAdvanced

    • AdminManagementRoleGuids

    • EmailTemplateAdminDeletionNotification

    • EmailTemplateManagerDeletionNotification

    • NotifyAdminManagementRole

    • NotifyManager

  • SubmitAccountTerminations

    • AdminManagementRoleGuids

    • DeleteAccountDaysAfterMove

    • DisableAccountOnMove

    • EmailTemplateAdminMoveNotification

    • EmailTemplateAdminPreMoveNotification

    • EmailTemplateManagerMoveNotification

    • EmailTemplateManagerPreMoveNotification

    • EmailDaysXBeforeMove

    • MoveAccountXDaysDisabled

    • MoveAccountXDaysNoLogin

5 - Review and configure the default cleanup Sets

EmpowerID provides default SetGroups configured with Sets (SQL queries) that specify the criteria for accounts to be classified as "stale." These include:

  • AccountGetPendingTerminationBeforeProcessing

  • AccountGetPendingTerminationNotProcessed

  • AccountGetPendingTerminationProcessed

6 - Configure resource system parameters

Configure the directory cleanup parameters for each resource system implementing automated directory cleanup.

7 - Configure account store settings

Configure the directory cleanup settings for each account store implementing automated directory cleanup.



Step 1 - Create a Person account

  1. On the navbar, expand Identity Administration and click People.

  2. Click the Create Person Simple Mode action.

    This opens the Create Person Request form.

  3. Fill in the fields of the form with the following information:

    • First Name and Last Name — Enter the first and last name of the Person you are creating. It is recommended that you choose a name that identifies the purpose for this person, such as "Terminate AccInitiator" or something similar.

    • eMail — Optional

    • Personal Email — Optional

    • Primary Role and Location — Below Primary Business Role and Location, click the Select a Role and Location link and in the Role and Location Selector that opens do the following:

      • Search for and select the appropriate Business Role for the person.

      • Click the Location tab.

      • Search for and select the EmpowerID Location for the person.

      • Click Select to close the Role and Location Selector.

    • Manager — Optional

    • Comments or Justification — Enter information that describes the purpose of the Person account.

  4. Back in the main form, click Save.

Step 2 - Grant access to directory cleanup workflows

  1. From the navbar, go to the Workflows page by expanding Object Administration and clicking Workflows.

  2. On the Workflows page, search for SubmitAccTerminationsApproval and then click the Display Name link for the workflow.

    This directs you to the Workflow Details view for the workflow.

  3. On the Workflow Details view, expand the Who Has Access accordion and do the following:

    1. Select Person from the To which type of actor do you wish to assign access? drop-down.

    2. Click the Add New Assignee button in the grid header.

    3. Search for and select the Person account you created above.

    4. Select Initiator as the Access Level.

    5. Click Save.

      You should see the Person account in the Who Has Access grid.

  4. Click the Find Workflows breadcrumb at the top of the page and then search for TerminateAccountAdvanced.

  5. Click the Display Name link for the workflow.

  6. On the Workflow Details view that appears, expand the Who Has Access accordion and do the following:

    1. Select Person from the To which type of actor do you wish to assign access? drop-down.

    2. Click the Add New Assignee button in the grid header.

    3. Search for and select the Person account you created above.

    4. Select Initiator as the Access Level.

    5. Click Save.

Step 3 - Create the approval Management Role

  1. On the navbar, expand Role Management and click Management Roles.

  2. Click the Create Management Role action link.



  3. In the Management Role Details form that appears, do the following:

    1. Name — Enter a name for the role

    2. Display Name — Enter a display name for the role

    3. Role Type — Select Generic

    4. Parent Definition — Select Blank Management Role Definition

    5. Creation Location — Click the Select a Location link and then search for and select the desired location in which to create the role

    6. Publish in IT Shop — Leave enabled to make the Management Role requestable from the IT Shop; otherwise, disable this option

    7. High Security — Leave this option disabled

    8. Description — Enter a description that describes the purpose of the role

    9. Instructions — Optional

    10. eMail — Optional

  4. Click Save.

    After EmpowerID creates the Management Role, you should be directed to the Management Role Details for the role.

  5. Click the Advanced tab of the View page and then expand the ADVANCED accordion.

  6. Locate and copy the Management Role GUID. You will need it when setting the AdminManagementRoleGuids workflow parameter and the ApprovalApproverManagementRoleGUID resource system parameter below.

Step 4 - Configure workflow parameters

  1. On the navbar, expand Object Administration and click Workflows.

  2. Search for SubmitAccountTerminations and then click the Display Name link for the workflow.



  3. On the Workflow Details page that appears, expand the Request Workflow Parameters accordion and edit the value of each parameter as needed.

    • AdminManagementRoleGuids — Specifies the GUID of the Admin Management Role you created above. Each member of the role receives notifications when notification settings are enabled on the workflow.

    • DeleteAccountDaysAfterMove — Specifies the number of days after which stale accounts that have been moved to the designated OU (where applicable) are to be deleted.

    • DisableAccountOnMove — Boolean that specifies whether stale accounts should be disabled when moved to the designated OU (where applicable)

    • EmailTemplateAdminMoveNotification — Specifies the email template to be used to send move notifications to each person belonging to the Admin Management Role you created above. Unless you have created a custom template, leave the parameter set to the default value.

    • EmailTemplateAdminPreMoveNotification — Specifies the email template to be used to send pre-move notifications to each person belonging to the Admin Management Role you created above. Unless you have created a custom template, leave the parameter set to the default value.

    • EmailTemplateManagerMoveNotification — Specifies the email template to be used to send move notifications to the managers of each person with an account that has been moved. Unless you have created a custom template, leave the parameter set to the default value.

    • EmailTemplateManagerPreMoveNotification — Specifies the email template to be used to send move pre-notifications to the managers of each person with an account meeting the move criteria. Unless you have created a custom template, leave the parameter set to the default value.

    • EmailDaysXBeforeMove — Specifies how many days before an account is moved that emails should be sent to managers and members of the Admin Management Role.

    • MoveAccountXDaysDisabled — Specifies the number of days an account must be disabled before it can be moved to the designated OU (where applicable).

    • MoveAccountXDaysNoLogin — Specifies the number of days an account must go without being logged in to before it can be moved to the designated OU (where applicable).

  4. Search for TerminateAccountAdvanced and then click the Display Name link for the workflow.

  5. On the Workflow Details view that appears, expand the Request Workflow Parameters accordion.

  6. Edit the value of each parameter as needed:

    • AdminManagementRoleGuids — Specifies the GUID of the Admin Management Role you created above. Each member of the role receives notifications when notification settings are enabled on the workflow.

    • EmailTemplateAdminDeletionNotification — Specifies the email template used to send account deletion notifications to the members of the Admin Management Role. Unless you have created a custom template, leave the parameter set to the default value.

    • EmailTemplateManagerDeletionNotification — Specifies the email template used to send account deletion notifications to the managers of people whose accounts are deleted. Unless you have created a custom template, leave the parameter set to the default value.

    • NotifyAdminManagementRole — Set to true to allow members of the Management Role to receive notifications from the system

    • NotifyManager — Set to true to allow the managers of people with stale accounts to receive notifications from the system

  7. Click the Find Workflows breadcrumb at the top of the page and then search for the SubmitAccountTerminations workflow.

  8. Click the Display Name link for the workflow to go to the Workflow Details view.

  9. Expand the Workflow Parameters accordion and edit the value for each of the parameters as needed.

Step 5 - Review and configure cleanup Sets

EmpowerID ships default SetGroups whose Sets (SQL queries) define which accounts count as stale. You can use these SetGroups as is, rewrite the Sets to meet your own criteria, or use them as templates for creating additional SetGroups. Additional SetGroups are helpful when implementing automated directory cleanup for multiple directories (account stores) with different staleness rules.

  1. On the navbar, expand Role Management and click Query-Based Collections (SetGroup).

  2. From the Queries (Sets) tab of the Find Sets page, search for AccountGetPendingTerminationBeforeProcessing and then click the Name link for the Set.

  3. From the Set Details page, review the Query for the Filter.

  4. If the Filter meets your requirements for classifying an account as stale, return to the Find SetGroup page and follow the above steps to review the Set filters for the AccountGetPendingTerminationNotProcessed and AccountGetPendingTerminationProcessed Sets; otherwise, click the Edit link for the Set, edit the query as needed, and then review the other Sets.
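The three default Sets are SQL queries, and this review step is where you decide what "stale" means for your directory. The following is an added example, not EmpowerID's own Set definitions: it models the three filters as SQL over a constructed in-memory SQLite table whose column names (LastLogon, Disabled, TerminationPending, TerminationProcessed) are assumptions for illustration, not the EmpowerID schema. It shows how the no-login threshold changes what the BeforeProcessing filter returns, and the edge case of an account that has never logged on, which a naive filter sweeps up along with genuinely stale users.

```python
import sqlite3
from datetime import date, timedelta

TODAY = date(2024, 6, 1)   # fixed "now" so the constructed data is reproducible


def _days_ago(n):
    return (TODAY - timedelta(days=n)).isoformat()


# Constructed sample accounts (not real data). Columns:
# Name, LastLogon (ISO date or NULL), Disabled, TerminationPending, TerminationProcessed.
SAMPLE_ACCOUNTS = [
    ("alice",      _days_ago(3),   0, 0, 0),  # active user
    ("bob",        _days_ago(120), 0, 0, 0),  # idle for 120 days, never flagged
    ("carol",      _days_ago(200), 1, 0, 0),  # disabled, never flagged
    ("dave",       _days_ago(150), 0, 1, 0),  # flagged, awaiting approval
    ("erin",       _days_ago(400), 1, 1, 1),  # flagged and already processed
    ("svc-backup", None,           0, 0, 0),  # service account: never logs on
]


def build_db():
    """In-memory table standing in for the account data a Set queries (assumed schema)."""
    con = sqlite3.connect(":memory:")
    con.execute("""CREATE TABLE Account (
        Name TEXT PRIMARY KEY, LastLogon TEXT, Disabled INTEGER,
        TerminationPending INTEGER, TerminationProcessed INTEGER)""")
    con.executemany("INSERT INTO Account VALUES (?, ?, ?, ?, ?)", SAMPLE_ACCOUNTS)
    return con


# Filters modelled on the three default Sets. BEFORE_PROCESSING is the one that
# defines "stale": not yet flagged, and either disabled, idle for :no_login_days,
# or with no recorded logon at all (the clause most teams end up tuning).
BEFORE_PROCESSING = """
SELECT Name FROM Account
WHERE TerminationPending = 0
  AND (Disabled = 1
       OR LastLogon IS NULL
       OR julianday(:today) - julianday(LastLogon) >= :no_login_days)
ORDER BY Name"""

NOT_PROCESSED = """
SELECT Name FROM Account
WHERE TerminationPending = 1 AND TerminationProcessed = 0
ORDER BY Name"""

PROCESSED = """
SELECT Name FROM Account
WHERE TerminationPending = 1 AND TerminationProcessed = 1
ORDER BY Name"""


def run_set(con, sql, **params):
    """Run one Set query and return the matching account names."""
    cur = con.execute(sql, params) if params else con.execute(sql)
    return [row[0] for row in cur]


if __name__ == "__main__":
    con = build_db()
    for days in (90, 180):
        print(f"stale with no login for >= {days} days:",
              run_set(con, BEFORE_PROCESSING, today=TODAY.isoformat(), no_login_days=days))
    print("pending, not processed:", run_set(con, NOT_PROCESSED))
    print("pending, processed:", run_set(con, PROCESSED))
```

svc-backup is returned at every threshold because `LastLogon IS NULL` matches it. Decide explicitly whether accounts that have never logged on count as stale: service accounts usually do not log on interactively, so exclude them by attribute or put them in a separate Set, otherwise even Report Only Mode will flag them as Termination Pending.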

 

Step 6 - Configure resource system settings

  1. On the navbar, expand Admin > Applications and Directories and click Account Stores and Systems.

  2. Select the Resource Systems tab and then search for the resource system of the account store you want to configure for automated directory cleanup.

  3. Click the Display Name link for the target resource system.

  4. On the Account Store Details page that appears, click the Resource System tab and then expand the Configuration Parameters accordion.

  5. Click the Edit button for each of the following parameters and enter the appropriate value. Be sure to save your changes.

    • ApprovalApproverManagementRoleGUID — GUID of the approval Management Role you created above

    • SubmitAccountTerminationsApprovalInitiatorPersonID — Person ID of the SubmitAccountTerminationsApproval workflow initiator you created above

    • TaskApprovalPendingStatus — Boolean that specifies whether a task for the account store is pending approval. Leave it set to false; the Submit Account Terminations workflow sets it when a task has been submitted for approval, which prevents the task from being created more than once.

    • TerminationAccountAdvancedInitiatorPersonID — Person ID of the TerminateAccountAdvanced workflow initiator, the same Person account you created above


    • TerminationBeforeProcessingSetGroupGUID — GUID of the AccountGetPendingTerminationBeforeProcessing SetGroup

    • TerminationNotProcessedSetGroupGUID — GUID of the AccountGetPendingTerminationNotProcessed SetGroup

    • TerminationProcessedSetGroupGUID — GUID of the AccountGetPendingTerminationProcessed SetGroup

    • ThresholdOnAccounts — This setting is an integer that specifies the maximum number of user accounts from the account store that can be processed for termination at any given time.

Step 7 - Configure account store settings

  1. On the navbar, expand Admin > Applications and Directories and click Account Stores and Systems.

  2. Select the Account Stores tab and then search for the account store you want to configure for automated directory cleanup.

  3. Click the Account Store link for the target account store.

    This opens the Account Store Details screen for the account store. You use this screen to view and configure various settings for the account store.

  4. From the Account Store tab, click the Edit link to put the account store in Edit mode. Edit links have the pencil icon.

  5. Scroll to the Directory Cleanup Settings section of the form and configure the following settings:

    • Directory Clean Up Enabled — Select this option to enable automated directory cleanup for the account store. The two settings below appear only when this option is enabled. If the account store is not an Active Directory or LDAP account store, the OU to Move Stale Accounts setting does not appear, because it is not relevant to those account store types.

    • Report Only Mode (No Changes) — Select this option to see what the cleanup process would do without changing the directory: accounts that meet the stale criteria are set to Termination Pending, but the disable, move and delete actions are not carried out. Use this mode to validate your Set filters and workflow parameters before enabling full processing.

    • OU to Move Stale Accounts — Click the Select an External Location link and then search for and select the OU to which the process should move accounts that meet the criteria for disabling and eventual termination. This setting only appears for Active Directory and LDAP account stores.

  6. Save your changes to the account store.
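With the workflow parameters, ThresholdOnAccounts and Report Only Mode all configured, the values interact: an account's move date is set by MoveAccountXDaysNoLogin or MoveAccountXDaysDisabled, whichever it trips first; EmailDaysXBeforeMove and DeleteAccountDaysAfterMove are offsets from that date; ThresholdOnAccounts caps how many accounts one run processes; and Report Only Mode suppresses the actions. The following is an added example, not EmpowerID code, that models those rules in Python over constructed accounts so you can sanity-check a parameter set before enabling cleanup. The ordering rule (the threshold keeps the accounts that became due earliest) and the treatment of accounts that never logged on are assumptions of this example, not documented EmpowerID behaviour.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class CleanupPolicy:
    """The settings from this page gathered into one object; values are constructed."""
    move_account_x_days_no_login: int = 90    # MoveAccountXDaysNoLogin
    move_account_x_days_disabled: int = 30    # MoveAccountXDaysDisabled
    email_days_x_before_move: int = 14        # EmailDaysXBeforeMove
    disable_account_on_move: bool = True      # DisableAccountOnMove
    delete_account_days_after_move: int = 60  # DeleteAccountDaysAfterMove
    threshold_on_accounts: int = 2            # ThresholdOnAccounts (resource system)
    report_only: bool = False                 # Report Only Mode (account store)


@dataclass(frozen=True)
class Account:
    name: str
    last_logon: Optional[date]
    disabled_since: Optional[date] = None
    moved_on: Optional[date] = None           # set once the account is in the stale OU


@dataclass
class Plan:
    """What the policy would do to one account, and when."""
    name: str
    reason: str
    notify_on: date
    move_on: date
    delete_on: date
    actions: list = field(default_factory=list)


def earliest_move_date(acct: Account, policy: CleanupPolicy):
    """Return (reason, date) for the criterion the account trips first, or None.
    Assumption: an account that never logged on is only aged by the disabled rule."""
    candidates = []
    if acct.last_logon is not None:
        candidates.append(("no login", acct.last_logon + timedelta(days=policy.move_account_x_days_no_login)))
    if acct.disabled_since is not None:
        candidates.append(("disabled", acct.disabled_since + timedelta(days=policy.move_account_x_days_disabled)))
    return min(candidates, key=lambda c: c[1]) if candidates else None


def plan_run(accounts, policy: CleanupPolicy, today: date):
    """Model one run on `today`: the plans for accounts due to be moved, capped by
    ThresholdOnAccounts, plus the number left over for a later run.
    Assumption: the cap keeps the accounts that became due earliest."""
    due = []
    for a in accounts:
        if a.moved_on is not None:
            continue                       # already moved; see due_for_deletion
        hit = earliest_move_date(a, policy)
        if hit is None or hit[1] > today:
            continue
        reason, move_on = hit
        due.append(Plan(a.name, reason,
                        notify_on=move_on - timedelta(days=policy.email_days_x_before_move),
                        move_on=move_on,
                        delete_on=move_on + timedelta(days=policy.delete_account_days_after_move)))
    due.sort(key=lambda p: p.move_on)
    selected = due[:policy.threshold_on_accounts]
    for p in selected:
        if policy.report_only:
            p.actions.append("report: Termination Pending")   # no directory change
            continue
        p.actions.append("move to stale OU")
        if policy.disable_account_on_move:
            p.actions.append("disable")
    return selected, len(due) - len(selected)


def due_for_deletion(accounts, policy: CleanupPolicy, today: date):
    """Moved accounts whose DeleteAccountDaysAfterMove has elapsed (none in report-only mode)."""
    if policy.report_only:
        return []
    return [a.name for a in accounts
            if a.moved_on is not None
            and a.moved_on + timedelta(days=policy.delete_account_days_after_move) <= today]


# Constructed sample directory as of 2024-06-01 (not real data).
TODAY = date(2024, 6, 1)
POLICY = CleanupPolicy()
SAMPLE = [
    Account("alice", date(2024, 5, 29)),                                   # active
    Account("bob",   date(2024, 2, 1)),                                    # idle 121 days
    Account("carol", date(2024, 1, 1), disabled_since=date(2024, 4, 15)),  # idle and disabled
    Account("dave",  date(2024, 3, 10)),                                   # idle 83 days: not yet
    Account("erin",  date(2023, 9, 1), moved_on=date(2024, 3, 1)),         # moved 92 days ago
    Account("frank", date(2024, 2, 20)),                                   # idle 102 days
]

if __name__ == "__main__":
    selected, deferred = plan_run(SAMPLE, POLICY, TODAY)
    for p in selected:
        print(f"{p.name}: {p.reason}; notify {p.notify_on}, move {p.move_on}, "
              f"delete {p.delete_on}; actions {p.actions}")
    print(f"deferred by ThresholdOnAccounts: {deferred}; "
          f"delete now: {due_for_deletion(SAMPLE, POLICY, TODAY)}")
```

Run it with your own values in `CleanupPolicy` and a sample of accounts exported from the target store. Two things to look for: a ThresholdOnAccounts small enough that a large backlog takes many runs to drain (the deferred count), and an EmailDaysXBeforeMove that, for accounts already past their move date when cleanup is first enabled, puts the pre-move notification in the past, so managers get no warning before the first move.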