Account Lifecycle Management

Account Lifecycle Management automates the handling of accounts that have never completed registration, have become inactive, or have been disabled. The process can be enabled for a Tenant.

Process Overview

If enabled, the process loops through the user accounts and performs the following Account Lifecycle Management tasks:

  1. Any user account that has never logged in or has not logged in for a configurable number of days will be sent an email warning them that their account will be disabled after a specified number of days.
  2. Any user account that was previously notified of disablement will be disabled after a configurable number of days from the email notification. They will be sent an email warning them that their account will be deleted after a specified number of days.
  3. Any user that has been disabled will be deleted after a configurable number of days since the account was disabled.
  4. After all processing is completed, a summary email will go to configured recipient administrators.

For each of the 3 actions (deletions, disablements & notifications), the following exceptions can be configured:

To have this feature configured for your Tenant contact Optimal IdM Support at support@optimalidm.com or enter a support ticket at https://optimalidm.zendesk.com/hc.

Process Specification

The command-line application is "OptimalIdM.VIS.Federation.AcctLifecycleMgmt.exe". No input parameters are required. The application should be set up as a Windows Scheduled Task and only needs to run on one server per environment.

To enable this process for a Tenant, set the “ACCT_LIFECYCLE_MGMT_ENABLED” configuration variable to enabled.

Application Process:

  1. Reads all tenant specific configs.

  2. Updates users with a future/calculated disable notification date. Applies to all users that are not already disabled, have not already been notified and do not currently have a future notification date.

    Note that this field will now be updated automatically upon each and every login.

  3. Updates users with a future/calculated delete date. Applies to all users that are already disabled and do not currently have a future delete date.

  4. Process Deletions: Any user that was previously disabled will be deleted after “x” number of days (ACCT_LIFECYCLE_DAYS_SINCE_TO_DELETE).

  5. Process Disablements: Any user that was previously notified will be disabled after “x” number of days from notification date (ACCT_LIFECYCLE_DAYS_SINCE_TO_NOTIFY_OF_DELETION).

  6. Process Notifications: Any user that has never logged in or has not logged in for “x” number of days (ACCT_LIFECYCLE_DAYS_SINCE_LAST_LOGIN_TO_NOTIFY_OF_DISABLEMENT) will be sent an email warning of upcoming account disablement.

  7. After all processing is completed, a summary email of the Account Lifecycle Management actions taken will go to the recipients specified in the ACCT_LIFECYCLE_SUMMARY_EMAIL_FOR configuration variable. Any number of these options, including none, can be set (DEL_ADMINS, APP_ADMINS, MANAGERS).
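
A dry-run model of steps 4 to 6, added here as an example and not Optimal IdM's code: it predicts which accounts one run would delete, disable or notify, using the configuration variable names above with constructed day counts and accounts. It assumes a never-logged-in account is eligible for notice at once and that a login after a notice clears it; the Account record and its exempt flag (standing in for a Skip Processing plugin decision) are hypothetical.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

CONFIG = {  # names are from this page; the day counts are constructed samples
    "ACCT_LIFECYCLE_DAYS_SINCE_LAST_LOGIN_TO_NOTIFY_OF_DISABLEMENT": 90,
    "ACCT_LIFECYCLE_DAYS_SINCE_TO_NOTIFY_OF_DELETION": 14,
    "ACCT_LIFECYCLE_DAYS_SINCE_TO_DELETE": 30,
}

@dataclass
class Account:  # hypothetical record, not the product's schema
    name: str
    last_login: Optional[date] = None
    notified_on: Optional[date] = None
    disabled_on: Optional[date] = None
    exempt: bool = False  # stands in for a "Skip Processing" plugin decision

def plan_run(accounts, today, cfg=CONFIG):
    """Classify each account once, so it moves at most one stage per run."""
    idle = cfg["ACCT_LIFECYCLE_DAYS_SINCE_LAST_LOGIN_TO_NOTIFY_OF_DISABLEMENT"]
    grace = cfg["ACCT_LIFECYCLE_DAYS_SINCE_TO_NOTIFY_OF_DELETION"]
    keep = cfg["ACCT_LIFECYCLE_DAYS_SINCE_TO_DELETE"]
    plan = {"delete": [], "disable": [], "notify": []}
    for a in (a for a in accounts if not a.exempt):
        # Assumption: a login after the notice clears the pending disablement.
        warned = a.notified_on is not None and not (a.last_login and a.last_login > a.notified_on)
        if a.disabled_on is not None:
            if (today - a.disabled_on).days >= keep:
                plan["delete"].append(a.name)
        elif warned:
            if (today - a.notified_on).days >= grace:
                plan["disable"].append(a.name)
        # Assumption: never logged in means eligible for notice immediately.
        elif a.last_login is None or (today - a.last_login).days >= idle:
            plan["notify"].append(a.name)
    return plan

TODAY = date(2024, 6, 1)  # constructed run date and accounts
SAMPLE = [
    Account("bob", last_login=date(2024, 2, 1)),
    Account("carol"),
    Account("dave", date(2024, 1, 1), notified_on=date(2024, 5, 10)),
    Account("heidi", date(2024, 5, 15), notified_on=date(2024, 5, 10)),
    Account("frank", date(2023, 12, 1), date(2024, 4, 1), disabled_on=date(2024, 4, 20)),
    Account("svc-backup", exempt=True),
]

if __name__ == "__main__":
    print(plan_run(SAMPLE, TODAY))
```

Running a model like this against an export of real account dates before enabling the feature shows how many accounts the first run would touch and whether exempt accounts are actually excluded.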

Email Templates

  1. EMAIL_TEMPLATE_ACCT_LIFECYCLE_NOTICE_OF_DISABLEMENT - Notice of future Account disablement.
  2. EMAIL_TEMPLATE_ACCT_LIFECYCLE_NOTICE_OF_DELETION - Notice of future Account deletion.
  3. EMAIL_TEMPLATE_ACCT_LIFECYCLE_ADMIN_SUMMARY - Summary of Lifecycle Management actions.

For each of the 3 actions (deletions, disablements & notifications), there is a plugin that allows you to override the following functions:

  1. Build Filter: Can be used to customize the filter to find users to process.
  2. Skip Processing: Can be used to skip processing certain user accounts.
  3. Skip Email: Can be used to skip sending the user an email.