
Identity Deprovisioning mechanism

Introduction:


The Identity Deprovisioning service periodically synchronizes the identities registered in Veridium with the Identity Service (e.g. Active Directory via LDAP) and acts on each identity's state. This removes the burden on administrators of manually identifying and removing access for identities that are no longer relevant.

This mechanism also has a positive impact on product licenses, since a license is consumed by every active identity, even when the user behind it no longer uses the product.

Features & operation:

The user deprovisioning service can be configured to run automatically on a schedule managed in Veridium Manager. Depending on the service configuration, users are either marked for deprovisioning or deleted automatically.

The configuration section is in the Dashboard / Settings / Deprovisioning tab and allows setting the removal conditions, the cron schedule for the job, the number of inactivity days for an identity, and how many identities to display from the database. To the right of the table the status of the cron job can be checked:

  • Conditions for automatic deletion of identities are:
    - Disabled - for identities marked as such in the external system
    - Restricted - for identities removed from the allowed groups
    - Not found - for identities removed from the external system
    - Inactive - for identities that have exceeded the last active date.

  • Identity Inactive Days controls how long a user is still displayed in the deprovisioning table and reports after deletion, hence the difference between the “marked for deletion” and “deleted” statuses. This information is displayed for information purposes only; the entries are greyed out and inoperable in the table.

  • Number of days that an identity is marked as inactive is the criterion for marking an identity as Inactive.

Note that the “Not found” criterion should be used with caution, since it can produce false positive matches in some scenarios, such as the external service not returning an answer to the query while valid users are still present in it.

At the end of the synchronization, when at least one identity was marked for deprovisioning, an email notification is sent to the configured admins.
The email parameters and active status can be configured in the Settings / Messaging / Notifications / “DEPROVISIONED_IDENTITIES” template.

Note: at least one Static Recipient must be configured for the email to be delivered.
A user deprovisioning notification is sent when the synchronization mechanism finds in Active Directory a new user with status NOT_FOUND, RESTRICTED or DISABLED; that user then enters the list of deprovisioned identities.

For example, if a user identity is already present in the deprovisioned identity list, an administrator reverts it, and its status in Active Directory is VALID (a false positive from AD), then on the next job execution (scheduled or manual) this user will no longer be shown in the list and no notification will be triggered.
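The following is an added illustration of the synchronization logic described in the two passages above (the four removal conditions and the inactivity threshold, the “Not found” caveat, and the notification rule for identities that newly enter the list). It is not Veridium code: the status names, the order in which the conditions are checked, the `lookup` callback, the `DirectoryUnavailable` exception and all sample identities and directory records are constructed for the example. The key defensive point it shows is that a directory that does not answer is treated differently from a directory that answers "no such user": the identity is skipped and keeps its previous state instead of being marked NOT_FOUND.

```python
"""Toy model of a directory-driven deprovisioning sync (example code, not Veridium's)."""
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Callable, Dict, List, Optional, Set, Tuple


class Status(Enum):
    VALID = "VALID"
    DISABLED = "DISABLED"        # account disabled in the external system
    RESTRICTED = "RESTRICTED"    # no longer a member of any allowed group
    NOT_FOUND = "NOT_FOUND"      # removed from the external system
    INACTIVE = "INACTIVE"        # last activity older than the inactivity threshold


# Only *new* entries with one of these statuses trigger the admin notification
# (the page lists NOT_FOUND, RESTRICTED and DISABLED; INACTIVE is not listed).
NOTIFY_STATUSES = {Status.DISABLED, Status.RESTRICTED, Status.NOT_FOUND}


@dataclass(frozen=True)
class Identity:            # identity as registered in the product
    username: str
    last_active: date


@dataclass(frozen=True)
class DirectoryRecord:     # what the directory returned for one user
    enabled: bool
    groups: frozenset


class DirectoryUnavailable(Exception):
    """Hypothetical: the directory did not answer (timeout, bind failure, ...)."""


Lookup = Callable[[str], Optional[DirectoryRecord]]  # None means "no such user"


def classify(identity: Identity, record: Optional[DirectoryRecord],
             allowed_groups: Set[str], inactive_days: int, today: date) -> Status:
    """Map one identity to a removal condition. The check order is an assumption."""
    if record is None:
        return Status.NOT_FOUND
    if not record.enabled:
        return Status.DISABLED
    if not (record.groups & allowed_groups):
        return Status.RESTRICTED
    if (today - identity.last_active).days > inactive_days:
        return Status.INACTIVE
    return Status.VALID


def synchronize(identities: List[Identity], lookup: Lookup, allowed_groups: Set[str],
                inactive_days: int, today: date, marked: Dict[str, Status]
                ) -> Tuple[Dict[str, Status], List[str], List[str]]:
    """One job run. Returns (updated list, usernames to notify about, skipped usernames)."""
    updated: Dict[str, Status] = {}
    to_notify: List[str] = []
    skipped: List[str] = []
    for ident in identities:
        try:
            record = lookup(ident.username)
        except DirectoryUnavailable:
            # No answer is not evidence of absence: keep the previous state, never
            # mark NOT_FOUND on a failed query (the false-positive scenario above).
            skipped.append(ident.username)
            if ident.username in marked:
                updated[ident.username] = marked[ident.username]
            continue
        status = classify(ident, record, allowed_groups, inactive_days, today)
        if status is Status.VALID:
            continue  # a previously marked (or reverted) identity that is now valid drops out
        updated[ident.username] = status
        if ident.username not in marked and status in NOTIFY_STATUSES:
            to_notify.append(ident.username)  # newly entered the list
    return updated, to_notify, skipped


def demo() -> Tuple[Dict[str, Status], List[str], List[str]]:
    """Constructed sample run: one directory outage, one false positive from the last run."""
    today = date(2024, 6, 1)
    directory = {
        "alice": DirectoryRecord(True, frozenset({"vpn-users"})),
        "bob": DirectoryRecord(False, frozenset({"vpn-users"})),
        "carol": DirectoryRecord(True, frozenset({"guests"})),
        "erin": DirectoryRecord(True, frozenset({"staff"})),
    }

    def lookup(username: str) -> Optional[DirectoryRecord]:
        if username == "frank":
            raise DirectoryUnavailable("constructed LDAP timeout")
        return directory.get(username)  # "dave" is absent -> None

    identities = [Identity("alice", date(2024, 5, 20)), Identity("bob", date(2024, 5, 20)),
                  Identity("carol", date(2024, 5, 20)), Identity("dave", date(2024, 5, 20)),
                  Identity("erin", date(2024, 1, 1)), Identity("frank", date(2024, 5, 20))]
    # alice was flagged NOT_FOUND on an earlier run (false positive) and is VALID now.
    previously_marked = {"alice": Status.NOT_FOUND, "bob": Status.DISABLED,
                         "frank": Status.RESTRICTED}
    return synchronize(identities, lookup, {"vpn-users", "staff"}, 90, today, previously_marked)


if __name__ == "__main__":
    marked, notify, skipped = demo()
    print({u: s.value for u, s in marked.items()}, notify, skipped)
```

In the sample run alice drops out of the list without a notification, bob stays marked but is not re-notified, carol and dave are the only newly notified entries, erin is marked Inactive (152 days without activity against a 90-day threshold) but does not trigger the email, and frank keeps his earlier Restricted state because the directory never answered for him.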

Using the Dashboard / Identities / Manage Deprovision Identities section, an administrator may review the users that are marked for deprovisioning (unless they are automatically removed) and has the following actions available:

  1. Manually update the status

  2. Manually stop any running synchronization job using the stop button

  3. Permanently delete a user, or the entire list of users proposed for deprovisioning, using the delete button

  4. Revert the identities that are marked for deletion using the revert button

  5. Download a CSV report of the deprovisioned users, which may be used to confirm their status with the identity management team.

The Remove all deprovisioned identities button deletes all identities marked for deletion regardless of the currently applied filter. To apply the deletion only to the filtered set, select the checkbox in the left header of the table. From that moment the button changes into Remove selected x identities, which takes the filters into consideration.

Same logic is applied for Revert all deprovisioned identities.

The Cancel identity synchronization button is active only while a job is running, regardless of whether it was triggered automatically or manually.
