Disable accounts after 1 year of inactivity

0 Likes
5 months ago

NOTE: The original article was posted by and the included images were lost in following years. This posting has been updated by to replace missing images and provide the XML examples. These images and code examples hold true to mbluteau's original though with some personal differences.

We basically want to take advantage of 2 attributes, Login Time (which contains the last login time for the user) and Login Expiration Time, which prevent a user from login in once reached.

We want to monitor Login Time, and every time it changes, update Login Expiration Time by setting it to Login Time 1 year (or 31,536,000 seconds).

Filter.jpg

Figure 1: We need to open up the filter for the Null/Loopback driver for Login Time.

<filter> <filter-class class-name="User" publisher="ignore" publisher-create-homedir="true" publisher-track-template-member="true" subscriber="sync"> <filter-attr attr-name="Login Time" merge-authority="default" publisher="ignore" publisher-optimize-modify="true" subscriber="sync"/> </filter-class> </filter>

Figure 2: Filter details for Login Time.

sub-etp-Disable Login After 1yr Inactive.jpg

Figure 3: Simple rule to update Login Expiration time, using a GCV and XPath.

<policy> <rule> <description>Set Account to Disable 1yr After Last Login</description> <comment xml:space="preserve">Set the Login Expiration time to be one year after the current login time. Uses a GCV value representing 1 year in seconds.</comment> <conditions> <and> <if-class-name mode="nocase" op="equal">User</if-class-name> <if-op-attr name="Login Time" op="available"/> </and> </conditions> <actions> <do-set-local-variable name="lv-loginTime" scope="policy"> <arg-string> <token-op-attr name="Login Time"/> </arg-string> </do-set-local-variable> <do-set-src-attr-value class-name="User" name="Login Expiration Time"> <arg-value type="string"> <token-xpath expression="$lv-loginTime ~gv-1yrSeconds~"/> </arg-value> </do-set-src-attr-value> </actions> </rule> </policy>

Figure 4: Rule details to update Login Expiration time, using a GCV and XPATH.

GCV 1yr Seconds.jpg

Figure 5: GCV set to 1 year(in seconds).

<configuration-values> <definitions> <definition display-name="Second in 1 year" name="gv-1yrSeconds" type="string"> <description>GCV value to store number of seconds in one year.</description> <value>31536000</value> </definition> </definitions> </configuration-values>

Figure 6: Details for GCV.

Beware that you may want to restrict the Rule scope to non-admin users.

Labels:

How To-Best Practice
Comment List
Anonymous
Parents
  • Just to expand on the original posting with the available option using the Convert Time token and the time offset calculations. The original rule above can be implemented without using a GCV as shown below. Using this example, with the 1 year hard coded in the Rule, the GCV used previously is not required.

    (revised) sub-etp-Disable Login After 1yr Inactive.jpg

    Figure 1: Policy Rule using the Convert Time token, instead of XPath calculations, to set the Login Expiration Time to 1 year after the Login Time

    <policy> <rule> <description>Set Account to Disable 1yr After Last Login</description> <comment xml:space="preserve">Set the Login Expiration time to be one year after the current login time. Uses the Convert Time token with a 1 year offset.</comment> <conditions> <and> <if-class-name mode="nocase" op="equal">User</if-class-name> <if-op-attr name="Login Time" op="available"/> </and> </conditions> <actions> <do-set-src-attr-value class-name="User" name="Login Expiration Time"> <arg-value type="string"> <token-convert-time dest-format="!CTIME" dest-tz="UTC" offset="1" offset-unit="year" src-format="!CTIME" src-tz="UTC"> <token-op-attr name="Login Time"/> </token-convert-time> </arg-value> </do-set-src-attr-value> </actions> </rule> </policy>

    Figure 2: Policy Rule using Time Token XML details

    To maintain flexibility of code, GCVs could (should?) be incorporated for the "offset" and "offset-unit" values by manually editing the XML code with something like:

    (highlight) sub-etp-Disable Login After 1yr Inactive.jpg

    Figure 3: Revised Policy Rule with GCVs for offset and offset-unit values highlighted.

    <policy> <rule> <description>Set Account to Disable 1yr After Last Login</description> <comment xml:space="preserve">Set the Login Expiration time to be one year after the current login time. Uses the Convert Time token with a 1 year offset.</comment> <conditions> <and> <if-class-name mode="nocase" op="equal">User</if-class-name> <if-op-attr name="Login Time" op="available"/> </and> </conditions> <actions> <do-set-src-attr-value class-name="User" name="Login Expiration Time"> <arg-value type="string"> <token-convert-time dest-format="!CTIME" dest-tz="UTC" offset="~gv-offsetAmount~" offset-unit="~gv-offsetUnit~" src-format="!CTIME" src-tz="UTC"> <token-op-attr name="Login Time"/> </token-convert-time> </arg-value> </do-set-src-attr-value> </actions> </rule> </policy>

    Figure 4: Revised Policy Rule XML details using GCVs for offset and offset-unit values.

    The second option above will require that the GCVs for "gv-offsetAmount" and "gv-offsetUnit" be defined for this Rule to work.

    Hopefully the combination of the original posting and the options noted above provides ideas on how similar actions can be incorporated in your solutions.

    Cheers,

    D

Comment
  • Just to expand on the original posting with the available option using the Convert Time token and the time offset calculations. The original rule above can be implemented without using a GCV as shown below. Using this example, with the 1 year hard coded in the Rule, the GCV used previously is not required.

    (revised) sub-etp-Disable Login After 1yr Inactive.jpg

    Figure 1: Policy Rule using the Convert Time token, instead of XPath calculations, to set the Login Expiration Time to 1 year after the Login Time

    <policy> <rule> <description>Set Account to Disable 1yr After Last Login</description> <comment xml:space="preserve">Set the Login Expiration time to be one year after the current login time. Uses the Convert Time token with a 1 year offset.</comment> <conditions> <and> <if-class-name mode="nocase" op="equal">User</if-class-name> <if-op-attr name="Login Time" op="available"/> </and> </conditions> <actions> <do-set-src-attr-value class-name="User" name="Login Expiration Time"> <arg-value type="string"> <token-convert-time dest-format="!CTIME" dest-tz="UTC" offset="1" offset-unit="year" src-format="!CTIME" src-tz="UTC"> <token-op-attr name="Login Time"/> </token-convert-time> </arg-value> </do-set-src-attr-value> </actions> </rule> </policy>

    Figure 2: Policy Rule using Time Token XML details

    To maintain flexibility of code, GCVs could (should?) be incorporated for the "offset" and "offset-unit" values by manually editing the XML code with something like:

    (highlight) sub-etp-Disable Login After 1yr Inactive.jpg

    Figure 3: Revised Policy Rule with GCVs for offset and offset-unit values highlighted.

    <policy> <rule> <description>Set Account to Disable 1yr After Last Login</description> <comment xml:space="preserve">Set the Login Expiration time to be one year after the current login time. Uses the Convert Time token with a 1 year offset.</comment> <conditions> <and> <if-class-name mode="nocase" op="equal">User</if-class-name> <if-op-attr name="Login Time" op="available"/> </and> </conditions> <actions> <do-set-src-attr-value class-name="User" name="Login Expiration Time"> <arg-value type="string"> <token-convert-time dest-format="!CTIME" dest-tz="UTC" offset="~gv-offsetAmount~" offset-unit="~gv-offsetUnit~" src-format="!CTIME" src-tz="UTC"> <token-op-attr name="Login Time"/> </token-convert-time> </arg-value> </do-set-src-attr-value> </actions> </rule> </policy>

    Figure 4: Revised Policy Rule XML details using GCVs for offset and offset-unit values.

    The second option above will require that the GCVs for "gv-offsetAmount" and "gv-offsetUnit" be defined for this Rule to work.

    Hopefully the combination of the original posting and the options noted above provides ideas on how similar actions can be incorporated in your solutions.

    Cheers,

    D

Children
No Data
Related Discussions
Recommended