One Identity Manager Video Series, Video No. 4: Use cases – Deactivation and Password Changes

[MUSIC PLAYING] A very important part of lifecycle management is the ability, of course, to disable a user or to delete a user. In Identity Manager, we have a functionality called temporary disablement, which essentially means that we can quickly disable the user or inactivate a user, including all the target system where the user is represented. We can also do permanently disabled users and we can also, of course, delete records in the system and target system in Identity Manager itself, if needed. So we will start off by logging on as a manager. And in the manager, we will grab one of the users. I'm going to pick a user called Robert Palm. Now, Robert Palm is an active user, is located in Sweden, he actually works out of an office in Stockholm. And being a manager, I can look at his entitlements to see where what he actually had access to. Now, I can filter, I can group, I can do all sorts of things in this list of entitlements. So I will actually start off by saying I'm only interested to see that he has Group and Active Directory group membership. So I would just filter those two of the type. And as you can see on the screen, he has a list of Active Directory group memberships. Now, in order to temporarily disable or inactivate the user, I open up the master data, I scroll down, and I can see that there is a tick box here saying that I can temporarily disable the user. And I can also do that with an until date. That's typically used when you're on maternity leave, for instance, and you shouldn't have access to this solution because you're not working. So I can set a date here in the future. Let's just grab a date mid-February. And then I just simply press Save. What's going to happen now is that Identity Manager will inactivate the identity itself and also reach out to all the target systems and inactivate all the target system accounts this person have, and also take away all the entitlements that this person have. If we now go to the overview of the user after we have done this temporary inactivation, we can actually see that the user account that the person has are now inactivated. As you can see, it also said "User account is disabled." Effectively, what it means that this person cannot log on to the solution or do anything anymore. And also, if we open up the Active Directory Users and Computers and we search for this individual-- I should remember his name was Robert Palm. So I'll search for Robert, and I can see that there is a Robert Palm here, as you can see on the icon is disabled or inactivated. If I look at the membership list, he only belongs to the domain users now. He has no other Active Directory group memberships because as part of the inactivation process to take away all the entitlements and permissions you have in all your target systems. As you saw in the overview that the target system accounts were inactivated, we can also now again click on the entitlements for this person. As you remember, we filtered it because we were interested in Active Directory groups. And if I filter on this one now, as you can see, it's actually empty. Now, this has the effect of any connected target system that you might have. In this particular demo environment, we have an Active Directory as the target system. But it can be any kind of application connected by Identity Manager. It will behave in the very same way when you temporarily disable a user. All the entitlements will also be taken away from the user. But Identity Manager knows what kind of entitlement that user used to have. So if we go back to the user again now, it is in a temporary disabled state. We open up the master data, we scroll down to see that the person is temporarily disabled. Now, if we do nothing a month from now, the user will be activated again. But we can also manually take away this and say Save. What's going to happen if we do this is we're going to enable the user again. This is typically a very useful feature if you very quickly need to stop someone from being able to access the solutions or your applications or your IT landscape. So what's happening now in the background is that the system will reach out to any connected target system and it will activate all the accounts again and will also enable all the entitlements on the accounts again. So if I look at the overview, the graphical overview of the user if I scroll down, now you can see that accounts are no longer in that disabled state. They are now enabled. And also, if I go back to the overview of the person again and click on entitlements, and again, I'm going to filter on account Active Directory groups. I'm going to filter on it. And as you can see, they are also restored again. Now, to really be sure, I'm going to open up the Active Directory Users and Computers, I'm going to find Robert again here, search for Robert, and as you remember, it was Robert Palm. And as you can see now on the icon here, he's enabled again. He's back in business. And if I click on the members, as you can see, the list is now populated again with all the groups that he had before he was temporarily disabled. Now we're going to talk a bit about password reset. Password reset is offered as a self-service in Identity Manager. A user can reset their own password if they know their password. So you can lifecycle your password in a normal way. If the user forgets his password, the user