Symantec IGA


How does IDM handle dormant accounts in AD and LDAP?

  • 1.  How does IDM handle dormant accounts in AD and LDAP?

    Posted Jan 02, 2019 05:47 AM
    1. Refer to the dormant account diagram below. IDM 14.1 has already been integrated with AD and IBM LDAP in the UAT environment.
    2. There is an attribute mapping between IDM and AD/LDAP.
    3. We wrote custom Java code to pull data from AD and LDAP (uid, lastSignon, CreateDate) because IDM could not use the existing values in AD and LDAP to compare dates, e.g. "20170518074632.000z". The main function of the code is to convert the "LastSignOn" and "CreateDate" attributes in both AD and LDAP to "yyMMdd" before importing the new value into IDM.
    4. Policy Xpress will trigger the account to be disabled/deleted if the user has not signed on for 60 days/90 days.

     

    *Based on IDM features, there is a default connector for AD. For LDAP we customized the connector.

     

    Q1. Are there any common features in IDM 14.1 to transform data for handling dormant accounts? We would like to know the best practice for configuring this in case more applications are integrated with IDM in the future.

    Q2. Could anyone give recommendations on the current design for dormant account handlers in IDM 14.1 below? Any additional recommendations?

    Q. Can I use PX to transform the date format from AD and LDAP?
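The timestamp normalisation and 60/90-day rule described in this post, written out as an added Java example. This is not the poster's custom code and not an IDM or Policy Xpress API; it is a stand-alone helper. It assumes both attributes arrive as LDAP GeneralizedTime strings like the one quoted ("20170518074632.000z"). As a caveat the post does not mention: in AD the whenCreated attribute is GeneralizedTime, but lastLogonTimestamp is a 64-bit FILETIME (100-ns ticks since 1601), so the helper also accepts that form, which goes beyond the post. Falling back to the creation date when no sign-on was ever recorded is an assumption, and the sample values are constructed.

```java
import java.time.Instant;
import java.time.LocalDateTime;
import java.time.ZoneOffset;
import java.time.format.DateTimeFormatter;
import java.time.format.DateTimeFormatterBuilder;
import java.time.temporal.ChronoField;
import java.time.temporal.ChronoUnit;

/**
 * Hypothetical helper (not IDM/PX code): normalises directory timestamps and
 * decides whether an account is dormant. Thresholds follow the post: 60 days
 * to disable, 90 days to delete.
 */
public final class DormantAccountCheck {

    public enum Action { NONE, DISABLE, DELETE }

    public static final int DISABLE_AFTER_DAYS = 60;
    public static final int DELETE_AFTER_DAYS = 90;

    // LDAP GeneralizedTime in UTC: yyyyMMddHHmmss, optional fraction, then 'Z'
    // (the post's sample "20170518074632.000z" carries a 3-digit fraction).
    private static final DateTimeFormatter GENERALIZED_TIME = new DateTimeFormatterBuilder()
            .appendPattern("yyyyMMddHHmmss")
            .optionalStart()
            .appendFraction(ChronoField.NANO_OF_SECOND, 0, 9, true)
            .optionalEnd()
            .appendLiteral('Z')
            .toFormatter();

    // The "yyMMdd" form the post imports into IDM.
    private static final DateTimeFormatter SHORT_DATE =
            DateTimeFormatter.ofPattern("yyMMdd").withZone(ZoneOffset.UTC);

    // Seconds between the Windows FILETIME epoch (1601-01-01) and the Unix epoch.
    private static final long FILETIME_EPOCH_OFFSET_SECONDS = 11_644_473_600L;

    /** Parses a GeneralizedTime value; a lowercase 'z' (as in the post) is accepted. */
    public static Instant parseGeneralizedTime(String value) {
        LocalDateTime local = LocalDateTime.parse(value.trim().toUpperCase(), GENERALIZED_TIME);
        return local.toInstant(ZoneOffset.UTC);
    }

    /** Parses an AD FILETIME (e.g. lastLogonTimestamp): 100-ns ticks since 1601-01-01 UTC. */
    public static Instant parseAdFileTime(long fileTime) {
        long seconds = fileTime / 10_000_000L - FILETIME_EPOCH_OFFSET_SECONDS;
        long nanos = (fileTime % 10_000_000L) * 100L;
        return Instant.ofEpochSecond(seconds, nanos);
    }

    public static String toShortDate(Instant instant) {
        return SHORT_DATE.format(instant);
    }

    /**
     * Whole days since the last sign-on. If no sign-on was ever recorded, the
     * creation date is used instead (assumption: a never-used account should
     * still age out rather than be skipped by the rule).
     */
    public static long daysDormant(Instant lastSignOn, Instant createDate, Instant now) {
        Instant basis = (lastSignOn != null) ? lastSignOn : createDate;
        return ChronoUnit.DAYS.between(basis, now);
    }

    public static Action decide(Instant lastSignOn, Instant createDate, Instant now) {
        long days = daysDormant(lastSignOn, createDate, now);
        if (days >= DELETE_AFTER_DAYS) return Action.DELETE;
        if (days >= DISABLE_AFTER_DAYS) return Action.DISABLE;
        return Action.NONE;
    }

    public static void main(String[] args) {
        // Constructed sample values, not real directory data.
        Instant lastSignOn = parseGeneralizedTime("20170518074632.000z"); // the post's example
        Instant createDate = parseGeneralizedTime("20170101000000Z");
        Instant now        = parseGeneralizedTime("20170801000000Z");    // fixed "today" for a repeatable run

        System.out.println("lastSignOn as yyMMdd: " + toShortDate(lastSignOn)); // 170518
        System.out.println("days dormant: " + daysDormant(lastSignOn, createDate, now)); // 74
        System.out.println("action: " + decide(lastSignOn, createDate, now)); // DISABLE

        // Never signed on: the creation date drives the decision (212 days -> DELETE).
        System.out.println("never used: " + decide(null, createDate, now));

        // Same instant as the post's example, expressed as an AD FILETIME (constructed value).
        Instant fromAd = parseAdFileTime(131_395_671_920_000_000L);
        System.out.println("AD FILETIME as yyMMdd: " + toShortDate(fromAd)); // 170518
    }
}
```

Keeping the comparison on Instant values and only producing "yyMMdd" at the end avoids the two-digit-year ambiguity that comparing the short strings themselves would introduce; the scheduled PX task can then act on the Action returned rather than on raw attribute text.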

     



  • 2.  Re: How does IDM handle dormant accounts in AD and LDAP?
    Best Answer

    Broadcom Employee
    Posted Jan 02, 2019 10:56 AM

    The simplest way to handle this is to leverage SiteMinder Advanced Password Services: when a user logs in, force a password change past a certain date.

     

    For your questions:

    Q1. Are there any common features in IDM 14.1 to transform data for handling dormant accounts? We would like to know the best practice for configuring this in case more applications are integrated with IDM in the future.

    Answer: No, this does not exist out of the box.

    Q2. Could anyone give recommendations on the current design for dormant account handlers in IDM 14.1 below? Any additional recommendations?

    Answer: If your system is robust enough, you may be able to leverage PX with a bulk task on a schedule.

    Q. Can I use PX to transform the date format from AD and LDAP?

    Answer: Yes, but it depends on complexity.

     

    Bill Patton



  • 3.  Re: How does IDM handle dormant accounts in AD and LDAP?

    Posted Jan 04, 2019 04:54 AM

    Thank you.