Tried to create a policy in a Null Driver so that if a user has not accessed his account for the last 15 days, the system will disable that account.
- Open Login Time Filter in Null Driver.
- Mentioned the time in seconds in a GCV.
- Created a rule to update Login Expiration time, using a GCV and XPath.
But I think the XPath expression is not working. Can anyone please help?
Thanks for the reply. I'm very new to writing policies. I searched and found this link, and configured the policy according to it. Do I have to modify anything?
We need a trace of the event, but I guess you have a job and then read the source or something like that.
I can recommend using a trigger job in this case.
1. Run the trigger job every night.
2. The driver will recognize this trigger and run a query to get a list of users. For this purpose I use Lothar's LDAP ECMA function (a good example of its use is in the password notification driver). The function returns a nodeset of object DNs.
3. The policy initiates "disable" (or any other) activities for every object in this nodeset (for-each).
There is a key reason to use the LDAP approach. Last Login is a Time syntax attribute, and while the IDM Engine query cannot do a less than or greater than date search, LDAP can.
This is how PWNotify works. It can query between last run and now, for all objects whose Password Expiration time is in that window. (Less than NOW, greater than LastRun.)
I did an extension to PWNotify that reports/emails when Account Expiration is starting to come due.
You could modify that trivially as an example to look at Last Login time.
Check out my package Repo for this package:
It is an add-on to the PWNotify driver. You can copy and change the few bits you need changed.
If you do figure it out, and are willing, please update the package and share it back to me. (You can use Stefaan's package unlocker if you wanted to do that).
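The LDAP date comparison described in the replies above, as an added example that is not part of the original posts and is not code from the PWNotify package. It builds the search filter a nightly trigger job could hand to an LDAP query function; the attribute and class names (`loginTime`, `loginDisabled`, `inetOrgPerson`), the function names and the sample entries are assumptions made for illustration.

```javascript
// Added example. Attribute and class names (loginTime, loginDisabled,
// inetOrgPerson) are assumed LDAP names; entries below are constructed.
function pad(n, width) {
  var s = String(n);
  while (s.length < width) { s = "0" + s; }
  return s;
}

// LDAP Generalized Time in UTC, e.g. 20240116020000Z.
function toGeneralizedTime(ms) {
  var d = new Date(ms);
  return pad(d.getUTCFullYear(), 4) + pad(d.getUTCMonth() + 1, 2) +
    pad(d.getUTCDate(), 2) + pad(d.getUTCHours(), 2) +
    pad(d.getUTCMinutes(), 2) + pad(d.getUTCSeconds(), 2) + "Z";
}

// Filter for enabled users whose last login is at or before the cutoff.
// LDAP has only <= and >=, and an entry with no loginTime never matches
// "<=", so never-logged-in accounts need an explicit absence clause.
function buildStaleLoginFilter(nowMs, maxIdleSeconds, includeNeverLoggedIn) {
  if (!(maxIdleSeconds > 0)) { throw new Error("maxIdleSeconds must be > 0"); }
  var stale = "(loginTime<=" + toGeneralizedTime(nowMs - maxIdleSeconds * 1000) + ")";
  if (includeNeverLoggedIn) { stale = "(|" + stale + "(!(loginTime=*)))"; }
  return "(&(objectClass=inetOrgPerson)(!(loginDisabled=TRUE))" + stale + ")";
}

// Local stand-in for the directory: applies the same logic to sample entries.
function selectStale(entries, nowMs, maxIdleSeconds, includeNeverLoggedIn) {
  var cutoff = toGeneralizedTime(nowMs - maxIdleSeconds * 1000);
  return entries.filter(function (e) {
    if (e.loginDisabled === "TRUE") { return false; }
    if (!e.loginTime) { return !!includeNeverLoggedIn; }
    return e.loginTime <= cutoff; // fixed-width UTC strings sort by time
  }).map(function (e) { return e.dn; });
}

var NOW = Date.UTC(2024, 0, 31, 2, 0, 0);   // constructed nightly run time
var MAX_IDLE = 15 * 24 * 60 * 60;           // 15 days, in seconds like the GCV
var SAMPLE = [                              // constructed entries
  { dn: "cn=alice,o=example", loginTime: "20240130090000Z" },
  { dn: "cn=bob,o=example", loginTime: "20240110080000Z" },
  { dn: "cn=carol,o=example" },
  { dn: "cn=dave,o=example", loginTime: "20231201000000Z", loginDisabled: "TRUE" }
];

console.log(buildStaleLoginFilter(NOW, MAX_IDLE, false));
console.log(selectStale(SAMPLE, NOW, MAX_IDLE, true));
```

Whether accounts that have never logged in should be disabled by the same job is a policy decision; the third argument makes that choice explicit instead of leaving it to how the filter happens to evaluate.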