Disable accounts after 1 year of inactivity

0 Likes
5 months ago

NOTE: The original article was posted by and the included images were lost in following years. This posting has been updated by to replace missing images and provide the XML examples. These images and code examples hold true to mbluteau's original though with some personal differences.

We basically want to take advantage of 2 attributes, Login Time (which contains the last login time for the user) and Login Expiration Time, which prevent a user from login in once reached.

We want to monitor Login Time, and every time it changes, update Login Expiration Time by setting it to Login Time 1 year (or 31,536,000 seconds).

Filter.jpg

Figure 1: We need to open up the filter for the Null/Loopback driver for Login Time.

<filter> <filter-class class-name="User" publisher="ignore" publisher-create-homedir="true" publisher-track-template-member="true" subscriber="sync"> <filter-attr attr-name="Login Time" merge-authority="default" publisher="ignore" publisher-optimize-modify="true" subscriber="sync"/> </filter-class> </filter>

Figure 2: Filter details for Login Time.

sub-etp-Disable Login After 1yr Inactive.jpg

Figure 3: Simple rule to update Login Expiration time, using a GCV and XPath.

<policy> <rule> <description>Set Account to Disable 1yr After Last Login</description> <comment xml:space="preserve">Set the Login Expiration time to be one year after the current login time. Uses a GCV value representing 1 year in seconds.</comment> <conditions> <and> <if-class-name mode="nocase" op="equal">User</if-class-name> <if-op-attr name="Login Time" op="available"/> </and> </conditions> <actions> <do-set-local-variable name="lv-loginTime" scope="policy"> <arg-string> <token-op-attr name="Login Time"/> </arg-string> </do-set-local-variable> <do-set-src-attr-value class-name="User" name="Login Expiration Time"> <arg-value type="string"> <token-xpath expression="$lv-loginTime ~gv-1yrSeconds~"/> </arg-value> </do-set-src-attr-value> </actions> </rule> </policy>

Figure 4: Rule details to update Login Expiration time, using a GCV and XPATH.

GCV 1yr Seconds.jpg

Figure 5: GCV set to 1 year(in seconds).

<configuration-values> <definitions> <definition display-name="Second in 1 year" name="gv-1yrSeconds" type="string"> <description>GCV value to store number of seconds in one year.</description> <value>31536000</value> </definition> </definitions> </configuration-values>

Figure 6: Details for GCV.

Beware that you may want to restrict the Rule scope to non-admin users.

Labels:

How To-Best Practice
Comment List
Anonymous
Parents
  • The newer versions of IDM has an "offset" functionality in the time convert function that will eliminate the requirement to calculate seconds, etc.

    Where the offset value is defined, just time the GCV name, starting and ending with a "~", ~gcvname~. Remember to select the unit, minute, month, year, etc.

Comment
  • The newer versions of IDM has an "offset" functionality in the time convert function that will eliminate the requirement to calculate seconds, etc.

    Where the offset value is defined, just time the GCV name, starting and ending with a "~", ~gcvname~. Remember to select the unit, minute, month, year, etc.

Children
No Data
Related Discussions
Recommended