Is there a way for RSA to automatically disable an account after a set amount of days if the user does not log in? For example, if a user does not log in, their account is disabled after 35 days of not logging in.
I've moved your question to the RSA SecurID Access space where it will be seen by the product's support engineers, other customers and partners. Please bookmark this page and use it when you have product-specific questions.
Alternatively, from the RSA Customer Support page, click on Ask A Question on the blue navigation bar and choose Ask A Product Related Question. From there, scroll to RSA SecurID Access and click Ask A Question. That way your question will appear in the correct space.
+ + +
To answer your question, RSA Authentication Manager does not have that functionality. Please add your idea to RSA Ideas for RSA SecurID Access, where it can be voted on by other users of the product. It will also be seen by product management and considered for a future release.
RSA Authentication Manager can set account expiration times, but not triggered my inactivity, this is set by an Admin:
You can run a report 'users with days since last login using specific token'
to hunt for stale accounts/tokens to know which ones might be candidates to disable:
If you run this with serial number range from 000000000000 to 999999999999
it will effectively show all users and all 'last login dates':
example: on my test system I ran the report with the above serial number bounds and it showed me:
I'm aware of this functionality but we just went through a FedRAMP assessment and they want us to be able to set it to disable the account if the user does not log in for 35 days automatically. We presently run the report mentioned by another to disable the accounts manually. The assessor wants us to be able to do it automatically so there's no room for human error.
There is currently no automated, built-in mechanism to perform this function. There are many situations were strong-authentication is used for infrequently accessed accounts where this could be problematic. I think that RSA Authentication Manager Bulk Administration (AMBA) could be used to implement this policy (both locating users and perform bulk user 'disable' actions).
A more holistic approach would involve a user's Identity Source (i.e. AD/LDAP) account. If a user was to be disabled, their LDAP account would get disabled (which a connected RSA Authentication Manager would respect during authentication attempts).
Retrieving data ...