prasenjitmass Respected Contributor.

Policy to disable a user after 15 days of inactivity

Hi,

I tried to create a policy in the Null Driver so that if a user does not access his account for the last 15 days, the system will disable that account.

  • Open Login Time Filter in Null Driver.
  • Mention time in seconds in GCV.
  • Created a rule to update Login Expiration time, using a GCV and XPath.

But I think the XPath expression is not working. Can anyone please help?

Accepted Solutions
Satz Respected Contributor.

Re: Policy to disable a user after 15 days of inactivity

What is the XPath expression you are using?

Can you provide the trace as well?

prasenjitmass Respected Contributor.

Re: Policy to disable a user after 15 days of inactivity

Hi,

Thanks for the reply. I'm very new to writing policies. I searched and found this link, and I've configured the policy according to it. Do I have to modify anything?

https://community.microfocus.com/t5/Identity-Manager-Tips/Disable-accounts-after-1-year-of-inactivity/ta-p/1773639

Knowledge Partner

Re: Policy to disable a user after 15 days of inactivity

First of all, I doubt you get an add-attribute.

We need a trace of the event, but I guess you have a job and then read source or something like that.
Knowledge Partner

Re: Policy to disable a user after 15 days of inactivity

I can recommend using a trigger job in this case.

1. Run the trigger job every night.

2. The driver will recognize this trigger and run a query to get a list of users. For this purpose I use Lothar's LDAP ECMA function (a good example of its use is in the password notification driver). The function returns a nodeset of object DNs.

3. The policy initiates "disable" (or any other) activities for every object in this nodeset (for-each).

Knowledge Partner

Re: Policy to disable a user after 15 days of inactivity

There is a key reason to use the LDAP approach. Last Login is a Time syntax attribute, and while the IDM Engine query cannot do a less than or greater than date search, LDAP can.

This is how the PWNotify works. It can query between last run and now, for all objects whose Password Expiration time is in that window. (Less than NOW, greater than LastRun.)

I did an extension to the PWNotify that reports/emails when Account Expiration is starting to come due.

You could modify that trivially as an example to look at Last Login time.

Check out my package repo for this package:

 CIS-PWNOTIFY_0.0.3.20150310112716.jar

It is an add-on to the PWNotify driver. You can copy and change the few bits you need changed.

Repo is:

https://idmfolder.ciscony.com/repo/cis-idm-repo/
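
The date comparison described in the post above, as an added example that is not part of the thread or of the CIS-PWNOTIFY package: it builds the LDAP filter a nightly trigger job could send to find enabled users whose last login is at or before a 15-day cutoff, and checks the same comparison against constructed entries. The attribute names `loginTime` and `loginDisabled`, the `inetOrgPerson` class and all sample DNs are assumptions; adjust them to your schema mapping.

```javascript
// Added example. Attribute names are assumptions; sample entries are constructed.
const DAY_MS = 24 * 60 * 60 * 1000;

// Format a Date as an LDAP GeneralizedTime value in UTC: YYYYMMDDhhmmssZ.
function toGeneralizedTime(date) {
  const p = (n, w = 2) => String(n).padStart(w, "0");
  return p(date.getUTCFullYear(), 4) + p(date.getUTCMonth() + 1) +
    p(date.getUTCDate()) + p(date.getUTCHours()) +
    p(date.getUTCMinutes()) + p(date.getUTCSeconds()) + "Z";
}

// Cutoff: a login at or before this instant counts as inactive.
function cutoffFor(now, days) {
  return toGeneralizedTime(new Date(now.getTime() - days * DAY_MS));
}

// LDAP filter: still-enabled users whose login time is <= the cutoff.
function inactivityFilter(now, days, timeAttr = "loginTime") {
  return "(&(objectClass=inetOrgPerson)(" + timeAttr + "<=" +
    cutoffFor(now, days) + ")(!(loginDisabled=TRUE)))";
}

// Offline stand-in for the server evaluating that filter. Fixed-width UTC
// GeneralizedTime strings sort chronologically, and an entry with no value
// for the time attribute never satisfies a <= assertion.
function selectInactive(entries, now, days, timeAttr = "loginTime") {
  const cutoff = cutoffFor(now, days);
  return entries
    .filter((e) => typeof e[timeAttr] === "string" && e[timeAttr] <= cutoff)
    .filter((e) => e.loginDisabled !== "TRUE")
    .map((e) => e.dn);
}

// Constructed sample entries (not real directory data).
const SAMPLE_ENTRIES = [
  { dn: "cn=alice,ou=users,o=example", loginTime: "20240301120000Z" },
  { dn: "cn=bob,ou=users,o=example", loginTime: "20240318080000Z" },
  { dn: "cn=carol,ou=users,o=example", loginTime: "20240101000000Z", loginDisabled: "TRUE" },
  { dn: "cn=dave,ou=users,o=example" }, // never logged in: no loginTime value
  { dn: "cn=erin,ou=users,o=example", loginTime: "20240305000000Z" },
];

const NOW = new Date(Date.UTC(2024, 2, 20)); // constructed "current time"
console.log(inactivityFilter(NOW, 15));
console.log(selectInactive(SAMPLE_ENTRIES, NOW, 15));
```

Accounts that have never logged in carry no login time and are skipped by this filter, so a job that should also disable those needs a separate check, for example on creation time.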

Knowledge Partner

Re: Policy to disable a user after 15 days of inactivity

If you do figure it out, and are willing, please update the package and share it back to me. (You can use Stefaan's package unlocker if you wanted to do that).
