Symantec IGA

  • 1.  Expiring Inactive Accounts

    Posted Dec 12, 2024 12:57 PM

    We are beginning to research how to identify and remove stale or inactive accounts. So the first question is any best practice documentation on that subject. But secondly, I'm thinking about the "DisabledState=4" value which means the account is inactive. We have a few accounts in this state but nowhere near the number of accounts that are actually inactive. So how does an account get into that state? My understanding is that the disablestate is updated at login. But if an inactive account is not attempting to login, how does that account get updated to a disabledstate of 4 for inactive?

    I'm also thinking about the ModifyDate attribute which seems to be updated when the account is modified or when the account logs in or attempts to login.  So if that ModifyDate is old I would assume this indicates inactivity.  But that certainly isn't going to capture all of the inactive accounts.



  • 2.  RE: Expiring Inactive Accounts

    Broadcom Employee
    Posted Dec 13, 2024 04:05 AM
    Edited by Rinat Matityahu Dec 13, 2024 09:40 AM

    Hi Andy

    Do you have audit enabled in your environment for login events? 

    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-manager/14-5/configuring/auditing/configure-and-generate-audit-data-report.html

            <AuditEvent name="Login" enabled="true" auditlevel="BOTHCHANGED">
                <AuditProfile objecttype="USER" auditlevel="BOTHCHANGED"/>
                <EventState name="COMPLETE" severity="NONE"/>
                <EventState name="INVALID" severity="CRITICAL"/>
            </AuditEvent>
            <AuditEvent name="Logout" enabled="true" auditlevel="BOTHCHANGED">
                <AuditProfile objecttype="USER" auditlevel="BOTHCHANGED"/>
                <EventState name="COMPLETE" severity="NONE"/>
                <EventState name="INVALID" severity="CRITICAL"/>
            </AuditEvent>

    If this is in place, you could potentially run a query on the audit database and search for those users who did login within your preferred time range as explained in https://knowledge.broadcom.com/external/article/13116/how-to-extract-user-login-information-fr.html

    As a side note, while not quite what you have asked for, re modify date - you should be able to use the ever so detailed information here https://community.broadcom.com/communities/community-home/digestviewer/viewthread?MID=794002 to see the value of last modification in the modifyTimeStamp operational attribute.

    Hope this helps

    Regards

    Rinat



  • 3.  RE: Expiring Inactive Accounts

    Posted Dec 13, 2024 10:06 AM

    Hi Andy,

    You can find details about the bit-level enabled state integer referenced in the following locations:

    1. Summary of Values in CA Identity Manager (IM):
      A concise overview of the values and their meanings in IM is available here:
      CA Identity Manager - Possible Values for Enabled State

    2. In-Depth Explanation of Mixed State Values:
      This article provides an excellent explanation of how values are combined to represent a user's mixed state. Although it primarily references SiteMinder, the mathematical principles apply to IM as well. When IM and SiteMinder are integrated, SiteMinder's functionality takes precedence:
      Policy Server Disable Flag and SMAUTHREASON

    3. Alignment with Microsoft Active Directory (AD) User Status:
      Learn how the IM user status aligns with Microsoft AD user status:
      UserAccountControl - Manipulate Account Properties

    4. Mapping IM User Status with AD User Status:
      A guide to mapping the status values between IM and AD:
      Mapping IM and AD User Status

    Additional Suggestions:
    If you need to generate reports or provide data to auditors, consider these options:

    • Use a PX rule in IM to create custom reports.
    • Leverage LDAP search tools such as ldapsearch or dxsearch to extract and build reports.
    • For auditors, a read-only LDAP report tool like Softerra LDAP Browser is highly effective. It allows for PDF exports and ensures no modifications to the user store due to its read-only nature. The vendor provides this tool license-free:
      Download Softerra LDAP Browser

    I hope this helps! 

    Cheers,



    ------------------------------
    Alan Baugher
    ANA
    ------------------------------
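The following is an added example, not code from either reply or from Broadcom, showing how the three signals discussed in this thread can be combined into one stale-account triage: successful Login audit events (Rinat's reply), the bit-level enabled-state integer where the value 4 marks an inactive account (Andy's question and Alan's reply), and the modifyTimestamp operational attribute as a weaker corroborating signal. The LDIF export and the audit rows are constructed sample data; the LDAP attribute name disabledState and the (user, event, state, timestamp) audit row layout are assumptions, and the only bit value taken from the thread is 4 = inactive, so other bits are reported but not interpreted.

```python
"""Stale-account triage over constructed Identity Manager data (added example)."""
from datetime import datetime, timedelta, timezone

INACTIVE_BIT = 4  # per the thread: DisabledState=4 means the account is inactive

# Constructed LDIF-style export, as an ldapsearch/dxsearch run would print it.
# 'disabledState' is an assumed attribute name for the enabled-state integer.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
disabledState: 0
modifyTimestamp: 20241201090000Z

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
disabledState: 4
modifyTimestamp: 20240601120000Z

dn: uid=carol,ou=people,dc=example,dc=com
uid: carol
disabledState: 0
modifyTimestamp: 20241210150000Z

dn: uid=dave,ou=people,dc=example,dc=com
uid: dave
disabledState: 5
modifyTimestamp: 20240115080000Z
"""

# Constructed audit rows: (user, event name, event state, UTC timestamp).
# Only Login events in state COMPLETE count as activity; INVALID rows are
# failed attempts and must not keep an account looking "active".
SAMPLE_AUDIT = [
    ("alice", "Login", "COMPLETE", "2024-12-01T09:00:00Z"),
    ("carol", "Login", "INVALID",  "2024-12-10T15:00:00Z"),
    ("carol", "Login", "COMPLETE", "2024-05-02T10:00:00Z"),
    ("dave",  "Login", "INVALID",  "2024-12-11T01:00:00Z"),
]


def parse_ldif(text):
    """Minimal LDIF reader: blank line separates entries, 'attr: value' per line."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        key, _, val = line.partition(": ")
        cur[key] = val
    if cur:
        entries.append(cur)
    return entries


def parse_generalized_time(s):
    """LDAP GeneralizedTime (e.g. 20241201090000Z) to an aware UTC datetime."""
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def decode_state(value):
    """Split the enabled-state integer: 0 = enabled, bit 4 = inactive, rest unnamed."""
    bits = int(value)
    return {"enabled": bits == 0,
            "inactive": bool(bits & INACTIVE_BIT),
            "other_bits": bits & ~INACTIVE_BIT}


def last_successful_login(audit_rows):
    """Most recent COMPLETE Login per user from the audit rows."""
    last = {}
    for user, name, state, ts in audit_rows:
        if name != "Login" or state != "COMPLETE":
            continue
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if user not in last or t > last[user]:
            last[user] = t
    return last


def triage(ldif_text, audit_rows, now, max_idle_days=90):
    """Return {uid: {stale, reasons, last_login, state}} for every entry."""
    cutoff = now - timedelta(days=max_idle_days)
    logins = last_successful_login(audit_rows)
    report = {}
    for e in parse_ldif(ldif_text):
        uid = e["uid"]
        state = decode_state(e.get("disabledState", "0"))
        modified = parse_generalized_time(e["modifyTimestamp"])
        last = logins.get(uid)
        reasons = []
        if state["inactive"]:
            reasons.append("flagged_inactive_by_im")
        if last is None:
            reasons.append("no_successful_login_in_audit")
        elif last < cutoff:
            reasons.append("last_login_older_than_%dd" % max_idle_days)
        # modifyTimestamp is corroboration only: admin edits also bump it,
        # so a recent value does not prove the user ever logged in.
        if modified < cutoff:
            reasons.append("modifyTimestamp_older_than_%dd" % max_idle_days)
        stale = bool(state["inactive"] or last is None or last < cutoff)
        report[uid] = {"stale": stale, "reasons": reasons,
                       "last_login": last, "state": state}
    return report


if __name__ == "__main__":
    now = parse_generalized_time("20241213000000Z")
    for uid, row in triage(SAMPLE_LDIF, SAMPLE_AUDIT, now).items():
        print(uid, "STALE" if row["stale"] else "ok", row["reasons"])
```

In the sample data carol shows both caveats at once: her modifyTimestamp is recent and she has a recent Login event, but that event is INVALID, so her last real activity is the May login and she is correctly flagged. If auditing is not enabled (Andy's starting position), every account comes back with no login history, which is why enabling the Login audit event first makes the other two signals meaningful.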