Automatically un-assigning RSA Software Tokens from Users still active in AD
Is there a report/job that can be run to automatically un-assign RSA Software Tokens from users who have not used their Token for 4 months or more? I'm currently doing this job manually at the beginning of each month.
The users are still active in AD but there has been no activity on their Token so we'd like to be able to recycle them.
The all users report has last login date. There is another report for listing last login for a specific token (users with days since last login using specific token). However, tokens are never automatically unassigned unless you are replacing them, and when the replacement is first used, the original token is then unassigned.
There are two problems here:
1. identifying the users who have not used their token in a 'long time' - that's solved with a report
2. un-assigning the tokens from those users identified in step 1
That's why there is no single easy report/job that can identify and un-assign, and why you are currently doing this manually.
If your users are in an external Identity Source like Active Directory, you might make this job easier if you could move them out of scope of what Authentication Manager sees, at which point their tokens will be unassigned during the next clean up job, which you could schedule nightly.
This KB explains how to map an Identity Source to a group in AD, so that only users in the group are seen by AM so that tokens can be assigned.
If you take your last login date report, you might be able to move lots of users out of this group at one time, so that at the next clean up job their tokens are un-assigned.
A second approach might be to output your report of last login to a .csv file with userIDs, and use that as input to an AMBA script to unassign tokens from those users.
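One way to prepare the input for the second approach, as an added example that is not part of the original post and not RSA's own code: it filters a last-login export down to the user/token pairs idle past a cutoff and sets aside tokens with no recorded login for manual review. The column names, date format, sample rows and the 120-day reading of "4 months" are assumptions; the AMBA unassign step itself is not shown.

```python
import csv
import io
from datetime import date, datetime, timedelta

# Constructed sample export; the column names and date format are assumptions,
# so match them to the headers of your own last-login report.
SAMPLE_REPORT = """UserID,TokenSerial,LastLogin
asmith,000123456701,2024-01-10
bjones,000123456702,2024-05-28
cwong,000123456703,
asmith,000123456704,2024-06-01
dlee,000123456705,2023-11-30
"""

def stale_tokens(report_csv, today, max_idle_days=120):
    """Split report rows into tokens idle past the cutoff and tokens never used."""
    cutoff = today - timedelta(days=max_idle_days)
    stale, never_used = [], []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["UserID"].strip()
        serial = row["TokenSerial"].strip()
        last = row["LastLogin"].strip()
        if not user or not serial:
            continue  # malformed row: skip rather than guess
        if not last:
            # No login recorded: may be a freshly issued token, so review by hand.
            never_used.append((user, serial))
            continue
        if datetime.strptime(last, "%Y-%m-%d").date() < cutoff:
            stale.append((user, serial))
    return sorted(stale), sorted(never_used)

def write_unassign_list(pairs):
    """Render the UserID,TokenSerial list to hand to the bulk unassign step."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["UserID", "TokenSerial"])
    writer.writerows(pairs)
    return out.getvalue()

if __name__ == "__main__":
    stale, review = stale_tokens(SAMPLE_REPORT, today=date(2024, 6, 15))
    print(write_unassign_list(stale), end="")
    print("review manually:", review)
```

Keying on the token serial rather than the userID alone keeps a user's recently used token assigned when only one of their tokens has gone idle.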