
Policy to disable a user after 15 days of inactivity


Hi,

Tried to create a policy in the Null Driver so that if a user has not accessed his account for the last 15 days, the system will disable that account.

  • Open the Login Time filter in the Null Driver.
  • Put the time, in seconds, in a GCV.
  • Created a rule to update Login Expiration Time, using the GCV and XPath.

But I think the XPath expression is not working. Can anyone please help?


Accepted Solutions
Super Contributor.

What is the XPath expression you are using?

Can you provide the trace as well?

Respected Contributor.

Hi,

Thanks for the reply. I'm very new to writing policies. I searched and found this link, and I configured the policy according to it. Do I have to modify anything?

https://community.microfocus.com/t5/Identity-Manager-Tips/Disable-accounts-after-1-year-of-inactivity/ta-p/1773639

Knowledge Partner
First of all, I doubt you get an add-attribute.

We need a trace of the event, but I guess you have a job and then read the source, or something like that.
Knowledge Partner

I can recommend using a Trigger job in this case.

1. Run the trigger job every night.

2. The driver will recognize this trigger and run a query to get a list of users. For this purpose I use Lothar's LDAP ECMA function (a good example of its use is in the Password Notification driver). The function returns a nodeset of object DNs.

3. The policy initiates "disable" (or any other) activities for every object in this nodeset (for-each).

Knowledge Partner

There is a key reason to use the LDAP approach. Last Login is a Time syntax attribute, and while the IDM Engine query cannot do a less-than or greater-than date search, LDAP can.

This is how PWNotify works. It can query between the last run and now, for all objects whose Password Expiration Time is in that window (less than NOW, greater than LastRun).

I did an extension to PWNotify that reports/emails when Account Expiration is starting to come due.

You could modify that trivially as an example to look at Last Login Time.

Check out my package repo for this package:

 CIS-PWNOTIFY_0.0.3.20150310112716.jar

It is an add-on to the PWNotify driver. You can copy and change the few bits you need changed.


Repo is:

https://idmfolder.ciscony.com/repo/cis-idm-repo/
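The two replies above (the nightly trigger job that queries LDAP for inactive users, and the PWNotify-style "between last run and now" window on a Time attribute) can be tried offline. The following is an added example written for this page, not code from the thread, from Lothar's ECMA function or from the CIS-PWNOTIFY package. It assumes the eDirectory LDAP attribute names loginTime (Login Time) and loginDisabled (Login Disabled), LDAP GeneralizedTime in the form YYYYMMDDHHMMSSZ, and an inactivity window held in a GCV in seconds (15 days = 1296000). It builds the LDAP filters the job would send and evaluates the same rule against a constructed sample directory, so the selection logic can be checked before it is wired into a for-each that disables accounts. It also goes beyond the thread by handling two cases a practitioner hits at once: accounts that are already disabled, and accounts that have never logged in and therefore carry no loginTime at all.

```javascript
// Added example (not from the thread). Assumed attribute names: loginTime,
// loginDisabled; GeneralizedTime "YYYYMMDDHHMMSSZ"; inactivity GCV in seconds.

// Format a Date as LDAP GeneralizedTime in UTC.
function toGeneralizedTime(date) {
  const pad = (n) => String(n).padStart(2, "0");
  return (
    date.getUTCFullYear() + pad(date.getUTCMonth() + 1) + pad(date.getUTCDate()) +
    pad(date.getUTCHours()) + pad(date.getUTCMinutes()) + pad(date.getUTCSeconds()) + "Z"
  );
}

// Parse GeneralizedTime back to a Date; null for a missing or malformed value.
function fromGeneralizedTime(s) {
  const m = /^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$/.exec(s || "");
  if (!m) return null;
  return new Date(Date.UTC(+m[1], +m[2] - 1, +m[3], +m[4], +m[5], +m[6]));
}

// Anyone whose last login is at or before this instant is inactive.
function cutoffFor(now, inactivitySeconds) {
  return new Date(now.getTime() - inactivitySeconds * 1000);
}

// Filter for a full sweep. The engine query cannot compare a Time attribute,
// LDAP can. With includeNeverLoggedIn the ">=" comparison is negated: per
// RFC 4511 a comparison on an absent attribute is FALSE, so the negation also
// matches entries with no loginTime at all (verify this against your server).
function buildFilter(cutoff, includeNeverLoggedIn) {
  const gt = toGeneralizedTime(cutoff);
  const timePart = includeNeverLoggedIn ? `(!(loginTime>=${gt}))` : `(loginTime<=${gt})`;
  return `(&(objectClass=inetOrgPerson)(!(loginDisabled=TRUE))${timePart})`;
}

// PWNotify-style window filter: only the accounts that crossed the inactivity
// threshold since the last run, i.e. last login in [lastRun - N, now - N].
function buildWindowFilter(lastRun, now, inactivitySeconds) {
  const lo = toGeneralizedTime(cutoffFor(lastRun, inactivitySeconds));
  const hi = toGeneralizedTime(cutoffFor(now, inactivitySeconds));
  return `(&(objectClass=inetOrgPerson)(!(loginDisabled=TRUE))(loginTime>=${lo})(loginTime<=${hi}))`;
}

// Offline evaluation of the sweep rule. Returns the DNs a for-each would disable.
function selectInactive(entries, now, inactivitySeconds, includeNeverLoggedIn) {
  const cutoff = cutoffFor(now, inactivitySeconds);
  const out = [];
  for (const e of entries) {
    if (String(e.loginDisabled).toUpperCase() === "TRUE") continue; // already disabled
    const last = fromGeneralizedTime(e.loginTime);
    if (last === null) {                 // never logged in: no loginTime value
      if (includeNeverLoggedIn) out.push(e.dn);
      continue;
    }
    if (last.getTime() <= cutoff.getTime()) out.push(e.dn);
  }
  return out;
}

// Constructed sample directory with a fixed "now" so results are deterministic.
const NOW = new Date(Date.UTC(2020, 0, 31, 0, 0, 0));          // 2020-01-31T00:00:00Z
const LAST_RUN = new Date(Date.UTC(2020, 0, 30, 0, 0, 0));     // previous nightly run
const INACTIVITY_SECONDS = 15 * 24 * 60 * 60;                  // 1296000, the GCV value
const SAMPLE_ENTRIES = [
  { dn: "cn=alice,ou=users,o=acme", loginTime: "20200130120000Z" },   // active
  { dn: "cn=bob,ou=users,o=acme",   loginTime: "20200110080000Z" },   // 21 days idle
  { dn: "cn=carol,ou=users,o=acme", loginTime: "20200105080000Z", loginDisabled: "TRUE" },
  { dn: "cn=dave,ou=users,o=acme" },                                  // never logged in
  { dn: "cn=erin,ou=users,o=acme",  loginTime: "20200116000000Z" },   // exactly 15 days
];

console.log(buildFilter(cutoffFor(NOW, INACTIVITY_SECONDS), false));
console.log(buildWindowFilter(LAST_RUN, NOW, INACTIVITY_SECONDS));
console.log(selectInactive(SAMPLE_ENTRIES, NOW, INACTIVITY_SECONDS, false));
console.log(selectInactive(SAMPLE_ENTRIES, NOW, INACTIVITY_SECONDS, true));
```

The full-sweep filter is idempotent (an account already set to loginDisabled=TRUE is excluded), so re-running it is safe; the window filter is cheaper on a large tree but misses accounts if a nightly run is skipped, which is why the two are worth keeping side by side.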

Knowledge Partner

If you do figure it out, and are willing, please update the package and share it back to me. (You can use Stefaan's package unlocker if you wanted to do that).
