Staged deprovision of user account

ScotJay over 1 year ago

Hey,

I'm just wondering if it is possible to disable the ability to delete a user account, unless it has been deprovisioned.

Thanks,

Top Replies

JohnnyQuest over 1 year ago +1

You could customize the Delete menu item for user objects in the web UI such that it checks to see if the edsvaDeprovisionStatus = 1

See Command Visibility Options this section of the documentation.

Have a…

0 JohnnyQuest over 1 year ago

You could customize the Delete menu item for user objects in the web UI such that it checks to see if the edsvaDeprovisionStatus = 1

See Command Visibility Options this section of the documentation.

Have a look see and re-post here if you have further questions.

Alternatively, you could simply not grant delete permissions at all and make the deletion part of your deprovisioning policy - for example, such that objects that are deprovisioned get deleted the next day or whatever interval you want.
Cancel
Up +1 Down

Reply

Verify Answer

Cancel
0 ScotJay over 1 year ago

Command visibility options! Brilliant, thank you!

One further question on the same topic...

Could a workflow further apply granularity to this particular feature? I've been experimenting with that in our test env, but can't get it work...

... to use multiple if/else branches, examining edsvaDeprovisionStatus, one branch performing "Delete Object" if equals "1" ; the other performing "stop/break" (with notification "cannot delete" - not sure how to do that) if empty or not equal to "1".

I guess workflow can't be used for this?
Cancel
Up 0 Down

Reply

Verify Answer

Cancel
0 JohnnyQuest over 1 year ago in reply to ScotJay

You can go at this a couple of ways:

1) If / then else
2) By looking at this property of the "Workflow Target" in the bottom pane of the start conditions of your workflow and screening out objects where the value is not '1'
Cancel
Up 0 Down

Reply

Verify Answer

Cancel
0 ScotJay over 1 year ago in reply to JohnnyQuest

Hey JohnnyQuest ,

I've been trying to set this up with the following workflow, with no success. Admin is still able to delete without first deprovisioning, via ARS Web. Did I miss something?
Cancel
Up 0 Down

Reply

Verify Answer

Cancel
0 ScotJay over 1 year ago in reply to JohnnyQuest

Hey JohnnyQuest

I'm struggling to get the workflow working properly. The way it is set up it should block delete, if edsvaDeprovisionStatus <> 1 AND Initiator is member of ZZ-Test-GAM-A-Admins, but it is still allowing delete regardless. Am I missing something?

Links to screenshots of workflow...

put.c0r73x.net/93m8896n.png
put.c0r73x.net/52nzr6oa.png
put.c0r73x.net/x16fvv11.png
put.c0r73x.net/bxtz0fzj.png
put.c0r73x.net/48stt977.png
put.c0r73x.net/xkuorrnc.png
Cancel
Up 0 Down

Reply

Verify Answer

Cancel
0 JohnnyQuest over 1 year ago in reply to ScotJay

In the Initiator memberships, I think the logical operator should be 'contains' rather than 'equals'.
Cancel
Up 0 Down

Reply

Verify Answer

Cancel

Endpoint Privilege Management

Staged deprovision of user account

Top Replies