Big news! The community will be moving to a new platform April 21. Read more.
Disable accounts after 1 year of inactivity

Just to expand on the original posting with the available option using the Convert Time token and the time offset calculations. The original rule above can be implemented without using a GCV, as shown below. Using this example, with the 1 year hard-coded in the Rule, the GCV used previously is not required.

[Image: (revised) sub-etp-Disable Login After 1yr Inactive.jpg]

Figure 1: Policy Rule using the Convert Time token, instead of XPath calculations, to set the Login Expiration Time to 1 year after the Login Time

<policy>
	<rule>
		<description>Set Account to Disable 1yr After Last Login</description>
		<comment xml:space="preserve">Set the Login Expiration time to be one year after the current login time.
Uses the Convert Time token with a 1 year offset.</comment>
		<conditions>
			<and>
				<if-class-name mode="nocase" op="equal">User</if-class-name>
				<if-op-attr name="Login Time" op="available"/>
			</and>
		</conditions>
		<actions>
			<do-set-src-attr-value class-name="User" name="Login Expiration Time">
				<arg-value type="string">
					<token-convert-time dest-format="!CTIME" dest-tz="UTC" offset="1" offset-unit="year" src-format="!CTIME" src-tz="UTC">
						<token-op-attr name="Login Time"/>
					</token-convert-time>
				</arg-value>
			</do-set-src-attr-value>
		</actions>
	</rule>
</policy>

Figure 2: Policy Rule using Time Token XML details

To maintain flexibility of code, GCVs could (should?) be incorporated for the "offset" and "offset-unit" values by manually editing the XML code with something like:

[Image: (highlight) sub-etp-Disable Login After 1yr Inactive.jpg]

Figure 3: Revised Policy Rule with GCVs for offset and offset-unit values highlighted.

<policy>
	<rule>
		<description>Set Account to Disable 1yr After Last Login</description>
		<comment xml:space="preserve">Set the Login Expiration time to be one year after the current login time.
Uses the Convert Time token with a 1 year offset.</comment>
		<conditions>
			<and>
				<if-class-name mode="nocase" op="equal">User</if-class-name>
				<if-op-attr name="Login Time" op="available"/>
			</and>
		</conditions>
		<actions>
			<do-set-src-attr-value class-name="User" name="Login Expiration Time">
				<arg-value type="string">
					<token-convert-time dest-format="!CTIME" dest-tz="UTC" offset="~gv-offsetAmount~" offset-unit="~gv-offsetUnit~" src-format="!CTIME" src-tz="UTC">
						<token-op-attr name="Login Time"/>
					</token-convert-time>
				</arg-value>
			</do-set-src-attr-value>
		</actions>
	</rule>
</policy>

Figure 4: Revised Policy Rule XML details using GCVs for offset and offset-unit values.

The second option above will require that the GCVs for "gv-offsetAmount" and "gv-offsetUnit" be defined for this Rule to work.

Hopefully the combination of the original posting and the options noted above provides ideas on how similar actions can be incorporated in your solutions.

Cheers,

D

by mbluteau  in NetIQ Identity Manager on 2021-04-12

 in NetIQ Identity Manager updated on 2021-04-12
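
An added example, not part of the original post and not Identity Manager code: a Python check that recomputes the expected Login Expiration Time from Login Time and flags accounts the rule above leaves uncovered, such as users with no Login Time, for whom the rule's condition never matches. The record keys, the sample data and the clamping of 29 February to 28 February are assumptions of this example.

```python
from datetime import datetime, timezone

def ctime(*ymdhms):
    """CTIME value (seconds since the epoch, UTC) for a calendar date."""
    return int(datetime(*ymdhms, tzinfo=timezone.utc).timestamp())

def plus_years(ts, years=1):
    """Calendar-year offset on a CTIME value, as offset="1" offset-unit="year"."""
    t = datetime.fromtimestamp(ts, tz=timezone.utc)
    try:
        t = t.replace(year=t.year + years)
    except ValueError:
        # 29 Feb has no counterpart in a non-leap year. Clamping to 28 Feb is
        # an assumption of this example, not documented engine behaviour.
        t = t.replace(year=t.year + years, day=28)
    return int(t.timestamp())

def audit(users, now, years=1):
    """Map each cn to a finding about its Login Expiration Time."""
    findings = {}
    for u in users:
        # Hypothetical record keys holding CTIME integers.
        login, expiry = u.get("loginTime"), u.get("loginExpirationTime")
        if login is None:
            # The rule's condition needs Login Time, so it never fires here.
            findings[u["cn"]] = "no-login-time"
        elif expiry is None:
            findings[u["cn"]] = "expiry-missing"
        elif expiry != plus_years(login, years):
            findings[u["cn"]] = "expiry-mismatch"
        elif expiry <= now:
            findings[u["cn"]] = "expired"
        else:
            findings[u["cn"]] = "ok"
    return findings

# Constructed sample records (not real directory data).
SAMPLE = [
    {"cn": "alice", "loginTime": ctime(2021, 3, 1), "loginExpirationTime": ctime(2022, 3, 1)},
    {"cn": "bob", "loginTime": ctime(2020, 2, 29, 12), "loginExpirationTime": ctime(2021, 2, 28, 12)},
    {"cn": "carol", "loginTime": ctime(2021, 1, 15)},
    {"cn": "dave", "loginExpirationTime": None},
    {"cn": "erin", "loginTime": ctime(2021, 4, 1),
     "loginExpirationTime": ctime(2021, 4, 1) + 365 * 86400 + 5},
]

if __name__ == "__main__":
    for cn, finding in audit(SAMPLE, now=ctime(2021, 4, 12)).items():
        print(f"{cn}: {finding}")
```
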
