
Identity Deprovisioning mechanism

Introduction:


The Identity Deprovisioning service periodically synchronizes the identities registered in Veridium with the Identity Service (e.g. Active Directory via LDAP) and acts on the resulting identity state. This relieves administrators of manually identifying, and removing access from, identities that are no longer relevant.

This mechanism also has a positive impact on product licenses, since a license is consumed by every active identity even when the user behind it no longer uses the product.

Features & operation:

The user deprovisioning service can be configured to run automatically on a schedule managed in Veridium Manager. Depending on the service configuration, users are either marked for deprovisioning or deleted automatically.

The configuration section is in the Dashboard / Settings / Deprovisioning tab and provides settings for the removal conditions, the cron schedule of the job, and the number of inactive days for an identity:

  • Conditions for automatic deletion of identities:
    - Disabled - identities marked as such in the external system
    - Restricted - identities removed from the allowed groups
    - Not found - identities removed from the external system

  • Identity Inactive Days controls how long a user is still displayed in the deprovisioning table and reports after deletion; this is the difference between the “marked for deletion” and “deleted” statuses. Deleted entries are shown for information only and are greyed out and inoperable in the table.


Note that the “Not found” condition should be used with caution, since it can produce false positive matches in some scenarios, such as the external service not returning an answer to the query while valid users are still present in it.

At the end of the synchronization, if at least one identity was marked for deprovisioning, an email notification is sent to the configured administrators.
The email parameters and its active status can be configured in the Settings / Messaging / Notifications / “DEPROVISIONED_IDENTITIES” template.

Note: at least one Static Recipient must be configured for the email to be delivered.
A deprovisioning notification is sent when the synchronization finds in Active Directory a new user with status NOT_FOUND, RESTRICTED or DISABLED, and that user enters the list of deprovisioned identities.

For example, if a user identity is already present in the deprovisioned identities list, an administrator reverts it, and its status in Active Directory is VALID (a false positive from AD), then on the next job execution (scheduled or manual) the user is no longer shown in the list and no notification is triggered.
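The following is an added illustration of the reconciliation rules described above; it is not Veridium's code and the names (`DirStatus`, `synchronize`, `visible_entries`, the configuration fields) are assumptions. It models the three removal conditions, treats an unanswered directory query differently from a definite "not found" so that an outage cannot mass-mark valid users, keeps deleted entries visible only for the configured number of inactive days, and triggers a notification only when an identity newly enters the list (a reverted false positive that is VALID again is dropped silently). The directory contents are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Optional


class DirStatus(Enum):
    VALID = "VALID"
    DISABLED = "DISABLED"
    RESTRICTED = "RESTRICTED"
    NOT_FOUND = "NOT_FOUND"


class DirectoryUnavailable(Exception):
    """Raised when the external service returns no answer to a query."""


@dataclass(frozen=True)
class DirectoryRecord:
    enabled: bool
    groups: frozenset


@dataclass
class DeprovisionConfig:
    # Hypothetical settings mirroring the Deprovisioning tab. "Not found" is
    # off by default because an unanswered query must not look like absence.
    on_disabled: bool = True
    on_restricted: bool = True
    on_not_found: bool = False
    allowed_groups: frozenset = frozenset()
    inactive_days: int = 30  # how long a deleted entry stays in the table


@dataclass
class Identity:
    username: str
    status: DirStatus = DirStatus.VALID
    marked_on: Optional[date] = None   # set while "marked for deletion"
    deleted_on: Optional[date] = None  # set once permanently deleted


def classify(record: Optional[DirectoryRecord], allowed_groups: frozenset) -> DirStatus:
    """Map a directory lookup result onto the three removal conditions."""
    if record is None:
        return DirStatus.NOT_FOUND
    if not record.enabled:
        return DirStatus.DISABLED
    if allowed_groups and not (record.groups & allowed_groups):
        return DirStatus.RESTRICTED
    return DirStatus.VALID


def synchronize(identities, lookup, cfg, today):
    """One scheduled run. Returns (newly_marked, skipped, notify).

    lookup(username) returns a DirectoryRecord, None when the directory
    definitely has no such user, or raises DirectoryUnavailable.
    """
    enabled = {DirStatus.DISABLED: cfg.on_disabled,
               DirStatus.RESTRICTED: cfg.on_restricted,
               DirStatus.NOT_FOUND: cfg.on_not_found}
    newly_marked, skipped = [], []
    for ident in identities:
        if ident.deleted_on is not None:
            continue  # already deleted; kept only for the report
        try:
            record = lookup(ident.username)
        except DirectoryUnavailable:
            skipped.append(ident.username)  # leave the state untouched
            continue
        new_status = classify(record, cfg.allowed_groups)
        if new_status is DirStatus.VALID or not enabled[new_status]:
            # Valid again (e.g. a reverted false positive): drop silently.
            ident.status, ident.marked_on = DirStatus.VALID, None
            continue
        already_listed = ident.marked_on is not None
        ident.status = new_status
        if not already_listed:
            ident.marked_on = today
            newly_marked.append(ident.username)
    return newly_marked, skipped, bool(newly_marked)


def visible_entries(identities, cfg, today):
    """Rows for the deprovisioning table: (username, status, greyed_out)."""
    rows = []
    for ident in identities:
        if ident.deleted_on is not None:
            if (today - ident.deleted_on).days <= cfg.inactive_days:
                rows.append((ident.username, "deleted", True))
        elif ident.marked_on is not None:
            rows.append((ident.username, "marked for deletion", False))
    return rows


def demo():
    # Constructed directory: "carol" is absent, "dave" gets no answer.
    directory = {
        "alice": DirectoryRecord(True, frozenset({"veridium-users"})),
        "bob": DirectoryRecord(False, frozenset({"veridium-users"})),
        "erin": DirectoryRecord(True, frozenset({"contractors"})),
    }

    def lookup(username):
        if username == "dave":
            raise DirectoryUnavailable(username)
        return directory.get(username)

    cfg = DeprovisionConfig(on_not_found=True, allowed_groups=frozenset({"veridium-users"}))
    today = date(2024, 1, 15)
    identities = [
        Identity("alice"), Identity("bob"), Identity("carol"), Identity("dave"),
        Identity("erin", DirStatus.RESTRICTED, marked_on=date(2024, 1, 1)),
        Identity("frank", deleted_on=date(2023, 12, 1)),  # 45 days ago
    ]
    newly, skipped, notify = synchronize(identities, lookup, cfg, today)
    return newly, skipped, notify, visible_entries(identities, cfg, today)


if __name__ == "__main__":
    print(demo())
```

In the sample run only `bob` (disabled) and `carol` (not found) are newly marked, so a notification is due; `erin` was already listed and does not re-trigger one, `dave` is skipped because the directory did not answer, and `frank` has aged out of the table.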

Using the Dashboard / Identities / Manage Deprovision Identities section, an administrator can review the users marked for deprovisioning (unless they are removed automatically) and take the following actions:

  1. Manually update the status

  2. Permanently delete a user, or the entire list of users proposed for deprovisioning

  3. Download a CSV report of the deprovisioned users, which can be used to confirm their status with the identity management team.
