
Disable Inactive Accounts

Question asked by Prateek Bhatnagar on Aug 19, 2016
Latest reply on Aug 30, 2016 by Prateek Bhatnagar

Hello everyone,

I would like to hear your thoughts on how I can meet the following business requirement in RSA Via 6.9.1 P10:

Application accounts which have not been used in the last 90 days+ should be disabled.

To help meet this requirement, I have tried the following approaches:

1) Create a custom task to find accounts with last login < (sysdate) - 90, and then pass that information on to a sub-process which in turn calls a fulfillment workflow to send out disablement notifications. This approach didn't work because in 6.9.1 the functionality to call other workflows from a custom task doesn't work. I was told to engage the engineering team to look into this.

2) Tried creating an account access rule, but this type of rule doesn't allow me to specify account filtering conditions.

3) Created an account review to capture inactive accounts and then perform a bulk action (as the review owner) to revoke all items. The review ended up creating change requests to disable accounts.

Approach #3 is the closest I got to implementing this use case, but I think this approach has a lot of manual overhead and requires a review to be created just to be able to disable accounts.

I am out of ideas at this time and would love to hear the community's thoughts on this.

Thanks,

Prateek
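An added example, not part of the original post and not RSA Via code: the selection condition from approach 1 (last login older than 90 days) run against a constructed in-memory table, showing that a direct `last_login < cutoff` comparison silently skips accounts that have never logged in. The table name, column names and sample rows are hypothetical, not the product's schema.

```python
import sqlite3
from datetime import date, timedelta

INACTIVITY_DAYS = 90  # threshold from the requirement in the post

# Constructed sample rows: (name, application, created, last_login, disabled)
SAMPLE_ACCOUNTS = [
    ("asmith", "HR",  "2015-01-10", "2016-08-01", 0),  # used recently
    ("bjones", "HR",  "2015-03-02", "2016-03-15", 0),  # stale login
    ("cdavis", "ERP", "2016-01-05", None,         0),  # old, never logged in
    ("dlee",   "ERP", "2016-08-10", None,         0),  # new, never logged in
    ("eclark", "ERP", "2014-06-01", "2015-12-01", 1),  # stale, already disabled
]

def load(rows=SAMPLE_ACCOUNTS):
    """Build the hypothetical accounts table in memory."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (name TEXT, application TEXT, "
               "created TEXT, last_login TEXT, disabled INTEGER)")
    db.executemany("INSERT INTO accounts VALUES (?,?,?,?,?)", rows)
    return db

def cutoff(as_of):
    """ISO date 90 days before as_of; ISO strings compare chronologically."""
    return (as_of - timedelta(days=INACTIVITY_DAYS)).isoformat()

def naive_inactive(db, as_of):
    # Direct translation of "last login < sysdate - 90".
    # NULL < cutoff is never true in SQL, so never-used accounts are skipped.
    q = ("SELECT name FROM accounts WHERE disabled = 0 "
         "AND last_login < ? ORDER BY name")
    return [r[0] for r in db.execute(q, (cutoff(as_of),))]

def inactive(db, as_of):
    # Fall back to the creation date when no login is on record: an unused
    # account is caught once it is older than the threshold, while a freshly
    # provisioned one gets the same 90-day grace period.
    q = ("SELECT name FROM accounts WHERE disabled = 0 "
         "AND COALESCE(last_login, created) < ? ORDER BY name")
    return [r[0] for r in db.execute(q, (cutoff(as_of),))]

if __name__ == "__main__":
    db = load()
    today = date(2016, 8, 19)  # fixed date so the run is repeatable
    print("naive:    ", naive_inactive(db, today))
    print("corrected:", inactive(db, today))
```
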
