Lotus Notes Disabled Accounts
I'm looking to better understand how Via recognizes Disabled LotusNotes accounts on collection (using the Lotus Notes collector type).
I thought Via determines whether a LotusNotes account is disabled based on whether or not they are a member of the "Deny Access Groups" group, though this may not be the case. Does this instead use the "Account Disabled" parameter within the collector? And if so, what Boolean field from Notes should I be collecting from?
I ask this because I'm currently collecting LotusNotes accounts that aren't being shown as Disabled even though they are members of the "Deny Access Groups" group. Also, in turn, CRs containing LotusNotes items aren't Verifying properly.
I admittedly don't know enough about the inner workings of LotusNotes, so any help would be appreciated.
We populate an entry within the person file - specifically on the "Work/Home" > "Corporate Hierarchy Information" tab. I believe they use one of the 'Level' or '$dspLevel' variables to store a string. Likewise, you can use a variable to store a boolean flag (1 or 0) to denote active/terminated.
With the string option, I believe this is how ours is set up:
- If active (blank)
- If terminated (populated variable)
I don't think we rely on any group to determine if an account is disabled/terminated. I would check with your LN admin to see if they do something similar or if you can use a particular view to capture disabled/terminated accounts.
So the LotusNotes Collector uses the "Account Disabled" parameter alone to signify the account is disabled in Via?
The admin I'm working with has said that the only method they use for disablement is the Deny Access group. Other than that, there's the passwordReset field, but that's not a sure thing apparently.
You shouldn't be bound by a specific variable to determine enabled/disabled status, but I would recommend it for simplicity. I would think that you can create a Managed Attribute (account attribute) that you can populate given the membership (or lack of) based on your Lotus Notes ADC....
IF account is a member of Group X, then Disabled = True
ELSE Disabled = False
I haven't used managed attributes before, but they may help.
Here's my LN ADC:
I'm still running RSA IMG 6.9.1 P16...
I create a custom Collected Attribute (account) to signify disabled, but I just reviewed my settings for my LN ADC, and found that I'm only collecting the account expiration (date)...
Although our term process is a little wonky, for the most part, I always use collected attributes across the board.
I apologize if that doesn't help. I know that everyone's environment is a little different.
Via collects the disabled accounts from LotusNotes based on their presence in any DenyAccessGroups, i.e., if an account is present in LN's deny access group, then the account will be collected as a disabled account in Via.
You can create a custom attribute (account) for collecting the disabled status and map it to IS_DISABLED on the collector configuration screen. This should collect the boolean value for account enable(0)/disable(1) status.