Define an active and inactive users from IDM

Hi All,

My questions:

An user account or an object having inetorgperson class is active (logindisabled does not exist or false) and having dirxml-associations attribute value, but there is no login time. 

Will this be counted for Active user licensing.


There is an user account which is disabled, having dirxml-associations attribute but never logged in.

Will this be counted for Inactive user licensing.


I read this community forum thread. 


its mentioned that : 

If an object never authenticates then it is never considered. Once it has authenticated it is a license. If it hasn't authenticated in 120 days then it is an inactive license.

According to above, if an user object that has an association but never logged in should not considered.

Is that right?

Please let me know your thoughts.




  • Hi.

    As far as I know this check is done not only in IDM, but in all connected systems as well. So for AD, the license team requests exports on all users and looks at the lastLogon attribute and userAccountControl to see if it is active. This also goes to other connected systems such as Google (I had to do that at one time).

    Also the tool that is provided from MF that checks the Identity Vault checks if the user has been created for more than 120 days. So only if you have been created for more than 120 days ago, and are disabled and has not logged in for 120 days, you are an inactive user. In all connected systems.

    Best regards


  • There are different definitions depending on your licensing model for IDM. I strongly suggest you contact your sales rep if you aren’t sure as to which model (or combination of license models) you have.

    We can’t give a one size fits all answer sadly.