I would like to hear your thoughts on how I can meet the following business requirement in RSA Via 6.9.1 P10:
Application accounts which have not been used in the last 90 days+ should be disabled.
To help meet this requirement, I have tried the following approaches:
1) Create a custom task to find accounts with last login < (sysdate) - 90, and then pass that information on to a sub-process which in turn calls a fulfillment workflow to send out disablement notifications. This approach didn't work because in 6.9.1 the functionality to call other workflows from a custom task doesn't work. I was told to engage the engineering team to look into this.
2) Tried creating an account access rule, but this type of rule doesn't allow me to specify account filtering conditions.
3) Created an account review to capture inactive accounts and then performed a bulk action (as the review owner) to revoke all items. The review ended up creating change requests to disable accounts.
Approach #3 is the closest I got to implementing this use case, but I think this approach has a lot of manual overhead and requires a review to be created just to be able to disable accounts.
I am out of ideas at this time and would love to hear the community's thoughts on this.