AnsweredAssumed Answered

Disable Inactive Accounts

Question asked by Prateek Bhatnagar on Aug 19, 2016
Latest reply on Aug 30, 2016 by Prateek Bhatnagar

Like • Show 0 Likes0
Comment • 13

Hello everyone,

I would like to hear your thoughts on how I can meet the following business requirement in RSA Via 6.9.1 P10 -

Application accounts which have not been used in the last 90 days+ should be disabled.

To help meet this requirement, I have tried following approaches -

1) Create a custom task to find accounts with last login < (sysdate) - 90, and then pass that information on to a sub-process which in turn calls a fulfillment workflow to send out disablement notifications. This approach didn't work because in 6.9.1 functionality to call other workflows from a custom task doesn't work. I was told to engage engineering team to look into this.

2) Tried creating a account access rule, but this type of rule doesn't allow me to specify account filtering conditions.

3) Created an account review to capture inactive accounts and then perform a bulk action (as the review owner) to revoke all items. Review ended up creating change requests to disable accounts.

Approach #3 is the closest I got to implementing this use case, but I think this approach has a lot of manual overhead and requires a review to be created just to be able to disable accounts.

I am out of ideas at this time and would love to hear community's thought on this.

Thanks,

Prateek

Vishwanath Babali

Aug 26, 2016 10:09 AM

Correct Answer

You may try to create CR using any browser based REST client first. Also attached is 'Workflow' guide by RSA which has detailed steps documented on using web service nodes.

As these accounts will be disabled only at certain conditions which in fact will be very less on daily basis (apart from initial one time run ) I don't think performance will be an issue.

See the reply in context

1 person had this question

Outcomes

Armel Lupapi Aug 22, 2016 7:32 AM

Hi,

Are you using AFX? If yes, you can:

1. collect the account last login from the source you are collecting from the source

2. Create a custom workflow (that auto runs every day) that contain an AFX node for fulfillment

3. Before it get to the fulfillment node, add a sql node that create a Yes or No variable from the last login date being bigger or smaller than 90 days/SYS date

4. When positive, the request goes on Fulfillment where it auto revoke the access; when negative, nothing happen

Actions

Prateek Bhatnagar Aug 22, 2016 11:21 AM

Hi Armel,

No, we're not leveraging AFX module in our environment as yet.

We plan on enabling AFX functionality in the future, but as of now, we're just sending out termination request emails to system administrators of systems involved in the request.

-Prateek

Actions

Armel Lupapi @ Prateek Bhatnagar on Aug 22, 2016 11:24 AM

Same logic should work, you replace the AFX node by a fulfilment node that either email or send a commands to the system admins.

Regards

Armel Lupapi

Group IT | armel.lupapi@investec.co.za<mailto:armel.lupapi@investec.co.za> | Tel: +27 11 286 8063 | Cell: +27 76 920 8549

Client Support Centre: +27 11 286 9663 / 0860 110 161 | www.investec.co.za <https://www.investec.co.za/>

“The best way to get started is to quit talking and begin doing.”

Attachments

image004.png4.8 KB
image003.jpg8.5 KB

Actions

Prateek Bhatnagar @ Armel Lupapi on Aug 22, 2016 3:39 PM

Hi Armel,

How do I add a fulfillment node in a custom task editor? I don't see that as one of the option to pick. Are you referring to 'Subprocess' node (and calling fulfillment workflow from there)? If yes, then we will run into a known bug where subprocesses are not getting called from within a custom task workflow.

Actions

Armel Lupapi @ Prateek Bhatnagar on Aug 23, 2016 3:07 AM

Yes, by making use of a sub-process that would call the fulfilment workflow.

Not a good news that it create a bug then.

This is the only suggestion I could have think about.

Just note that if ever you start using provisioning via AFX, you use a “Provisioning command” node under a custom workflow to fulfil it.

Good luck.

Regards

Armel Lupapi

Group IT | armel.lupapi@investec.co.za<mailto:armel.lupapi@investec.co.za> | Tel: +27 11 286 8063 | Cell: +27 76 920 8549

Client Support Centre: +27 11 286 9663 / 0860 110 161 | www.investec.co.za <https://www.investec.co.za/>

“The best way to get started is to quit talking and begin doing.”

Attachments

image002.png4.8 KB
image001.jpg8.5 KB

Actions

Prateek Bhatnagar @ Armel Lupapi on Aug 23, 2016 2:12 PM

Thanks for your input.

I have opened a case with RSA regarding this as well. I will update this thread if I hear anything worth sharing with the community.

-Prateek

Actions

Sean Miller

@ Prateek Bhatnagar on Aug 23, 2016 2:31 PM

This is not supported. We have hidden this menu in future releases as it adds nodes that don't make sense in this context. The node you mention only belongs in a fulfillment workflow

Actions

Boris Lekumovich

@ Sean Miller on Aug 23, 2016 2:35 PM

I will delete my comment to avoid confusion

Actions

Armel Lupapi @ Boris Lekumovich on Aug 29, 2016 4:04 AM

Thank you

Regards

Armel Lupapi

Group IT | armel.lupapi@investec.co.za<mailto:armel.lupapi@investec.co.za> | Tel: +27 11 286 8063 | Cell: +27 76 920 8549

Client Support Centre: +27 11 286 9663 / 0860 110 161 | www.investec.co.za <https://www.investec.co.za/>

“The best way to get started is to quit talking and begin doing.”

Attachments

image008.jpg332 bytes
image007.jpg524 bytes
image006.png4.8 KB
image005.jpg8.5 KB

Actions

Vishwanath Babali

Aug 24, 2016 4:04 PM

Prateek,

Below approach might work:

1. Create a custom WF and get all the accounts to be disabled

2. Add 'Next Value/Loop Node'

3. Call 'REST WebService Node'. Invoke RSA IGL's WebService request command: "CreateChangeRequest" to disable the account.

This should create an 'account disable' CR.

4. On successful CR creation you can can send notification via mail node.

Actions

Prateek Bhatnagar @ Vishwanath Babali on Aug 25, 2016 11:32 AM

Hi Vishwanath,

That's what I am trying now but having trouble invoking Aveksa's webservice from the workflow. Do we have any documentation on this?

Also, any perforamance consideration for invoking webservices in a loop?

Actions

Vishwanath Babali

@ Prateek Bhatnagar on Aug 26, 2016 10:09 AM

You may try to create CR using any browser based REST client first. Also attached is 'Workflow' guide by RSA which has detailed steps documented on using web service nodes.

As these accounts will be disabled only at certain conditions which in fact will be very less on daily basis (apart from initial one time run ) I don't think performance will be an issue.

Attachments

Workflows Guide - RSA IGL.pdf2.9 MB

Actions

Prateek Bhatnagar @ Vishwanath Babali on Aug 30, 2016 11:59 AM

Thanks for the guide. I am able to implement the desired workflow now!

-Prateek

Actions

13 Replies

Armel Lupapi Aug 22, 2016 7:32 AM
Mark Correct
Correct Answer
Hi,

Are you using AFX? If yes, you can:
1. collect the account last login from the source you are collecting from the source
2. Create a custom workflow (that auto runs every day) that contain an AFX node for fulfillment
3. Before it get to the fulfillment node, add a sql node that create a Yes or No variable from the last login date being bigger or smaller than 90 days/SYS date
4. When positive, the request goes on Fulfillment where it auto revoke the access; when negative, nothing happen
Like • Show 1 Like1
Actions
Prateek Bhatnagar Aug 22, 2016 11:21 AM
Mark Correct
Correct Answer
Hi Armel,

No, we're not leveraging AFX module in our environment as yet.

We plan on enabling AFX functionality in the future, but as of now, we're just sending out termination request emails to system administrators of systems involved in the request.

-Prateek
Like • Show 0 Likes0
Actions
- Armel Lupapi @ Prateek Bhatnagar on Aug 22, 2016 11:24 AM
  Mark Correct
  Correct Answer
  Same logic should work, you replace the AFX node by a fulfilment node that either email or send a commands to the system admins.
  
  Regards
  Armel Lupapi
  
  Group IT | armel.lupapi@investec.co.za<mailto:armel.lupapi@investec.co.za> | Tel: +27 11 286 8063 | Cell: +27 76 920 8549
  Client Support Centre: +27 11 286 9663 / 0860 110 161 | www.investec.co.za <https://www.investec.co.za/>
  
  “The best way to get started is to quit talking and begin doing.”
  Attachments
  - image004.png4.8 KB
  - image003.jpg8.5 KB
  Like • Show 0 Likes0
  Actions
  - Prateek Bhatnagar @ Armel Lupapi on Aug 22, 2016 3:39 PM
    Mark Correct
    Correct Answer
    Hi Armel,
    
    How do I add a fulfillment node in a custom task editor? I don't see that as one of the option to pick. Are you referring to 'Subprocess' node (and calling fulfillment workflow from there)? If yes, then we will run into a known bug where subprocesses are not getting called from within a custom task workflow.
    Like • Show 0 Likes0
    Actions
    - Armel Lupapi @ Prateek Bhatnagar on Aug 23, 2016 3:07 AM
      Mark Correct
      Correct Answer
      Yes, by making use of a sub-process that would call the fulfilment workflow.
      Not a good news that it create a bug then.
      
      This is the only suggestion I could have think about.
      Just note that if ever you start using provisioning via AFX, you use a “Provisioning command” node under a custom workflow to fulfil it.
      
      Good luck.
      
      Regards
      Armel Lupapi
      
      Group IT | armel.lupapi@investec.co.za<mailto:armel.lupapi@investec.co.za> | Tel: +27 11 286 8063 | Cell: +27 76 920 8549
      Client Support Centre: +27 11 286 9663 / 0860 110 161 | www.investec.co.za <https://www.investec.co.za/>
      
      “The best way to get started is to quit talking and begin doing.”
      Attachments
      image002.png4.8 KB
      image001.jpg8.5 KB
      Like • Show 0 Likes0
      Actions
      - Prateek Bhatnagar @ Armel Lupapi on Aug 23, 2016 2:12 PM
        Mark Correct
        Correct Answer
        Thanks for your input.
        
        I have opened a case with RSA regarding this as well. I will update this thread if I hear anything worth sharing with the community.
        
        -Prateek
        Like • Show 0 Likes0
        Actions
    - Sean Miller @ Prateek Bhatnagar on Aug 23, 2016 2:31 PM
      Mark Correct
      Correct Answer
      This is not supported. We have hidden this menu in future releases as it adds nodes that don't make sense in this context. The node you mention only belongs in a fulfillment workflow
      Like • Show 0 Likes0
      Actions
      - Boris Lekumovich @ Sean Miller on Aug 23, 2016 2:35 PM
        Mark Correct
        Correct Answer
        I will delete my comment to avoid confusion
        Like • Show 0 Likes0
        Actions
        Armel Lupapi @ Boris Lekumovich on Aug 29, 2016 4:04 AM
        Mark Correct
        Correct Answer
        Thank you
        
        Regards
        Armel Lupapi
        
        Group IT | armel.lupapi@investec.co.za<mailto:armel.lupapi@investec.co.za> | Tel: +27 11 286 8063 | Cell: +27 76 920 8549
        Client Support Centre: +27 11 286 9663 / 0860 110 161 | www.investec.co.za <https://www.investec.co.za/>
        
        “The best way to get started is to quit talking and begin doing.”
        Attachments
        image008.jpg332 bytes
        image007.jpg524 bytes
        image006.png4.8 KB
        image005.jpg8.5 KB
        Like • Show 0 Likes0
        Actions
Vishwanath Babali Aug 24, 2016 4:04 PM
Mark Correct
Correct Answer
Prateek,
Below approach might work:

1. Create a custom WF and get all the accounts to be disabled
2. Add 'Next Value/Loop Node'
3. Call 'REST WebService Node'. Invoke RSA IGL's WebService request command: "CreateChangeRequest" to disable the account.
This should create an 'account disable' CR.

4. On successful CR creation you can can send notification via mail node.
Like • Show 1 Like1
Actions
- Prateek Bhatnagar @ Vishwanath Babali on Aug 25, 2016 11:32 AM
  Mark Correct
  Correct Answer
  Hi Vishwanath,
  
  That's what I am trying now but having trouble invoking Aveksa's webservice from the workflow. Do we have any documentation on this?
  
  Also, any perforamance consideration for invoking webservices in a loop?
  Like • Show 0 Likes0
  Actions
  - Vishwanath Babali @ Prateek Bhatnagar on Aug 26, 2016 10:09 AM
    Unmark Correct
    Correct Answer
    You may try to create CR using any browser based REST client first. Also attached is 'Workflow' guide by RSA which has detailed steps documented on using web service nodes.
    
    As these accounts will be disabled only at certain conditions which in fact will be very less on daily basis (apart from initial one time run ) I don't think performance will be an issue.
    Attachments
    Workflows Guide - RSA IGL.pdf2.9 MB
    Like • Show 0 Likes0
    Actions
    - Prateek Bhatnagar @ Vishwanath Babali on Aug 30, 2016 11:59 AM
      Mark Correct
      Correct Answer
      Thanks for the guide. I am able to implement the desired workflow now!
      
      -Prateek
      Like • Show 0 Likes0
      Actions

Disable Inactive Accounts

Outcomes

Attachments

Attachments

Attachments

Attachments

Related Content

Recommended Content