Is there a history of deleted identities?

Former Member
0 Kudos

Dear All,

As part of the process when a user leaves the company, we want to delete its identity from IdM 7.2.

But I am not sure how, or if, we can then get the history of the identity from IdM.

What is the best practice when using IdM? To delete the identity or to put it into an inactive state?

The inactive functionality, as I understand it, is meant for e.g. maternity leave etc.

That comes from the fact that, by inactivating an identity, the privileges are not deleted completely, so when the identity is activated, it receives back all the previously assigned roles.

The reason for needing historical data in IdM is obvious. In the backend system we only see that the change on the user was done by an RFC user, so we need to be able to track in IdM which individual triggered the change.

Thanks for any help here.

Jiri

Accepted Solutions (0)

Answers (1)

jaisuryan
Active Contributor
0 Kudos

Hi Jiri,

We cannot get history details if you delete the user from IS.

When a user leaves the company, you can assign MX_FS_EMPLOYMENT_STATUS (or any other custom attribute) as Archived to identify that the user is archived, and remove all privileges from the user before inactivating the user (setting MX_INACTIVE to 1); make sure you leave a sufficient time gap between the task that removes all access and the inactivating task.

Kind regards,

Jaisuryan

Former Member
0 Kudos

Hi Jai,

Thanks for your reply.

Basically, we use a similar approach for renaming identities, where we deprovision all privileges, then wait 10 minutes before setting MX_INACTIVE = 1.

But what I don't understand is the idea of setting the attribute to Archived status. Can you point me to some official guide? Is it a way to prevent further modifications on the attribute?

Thanks,

Jiri

jaisuryan
Active Contributor
0 Kudos

Hi Jiri,

This is for better segregation of active and archived users, and it doesn't stop further modification (MX_INACTIVE does that). One can use many ways to identify the active and archived users, as per your client's requirements.

Setting MX_INACTIVE to 1 doesn't necessarily mean the user is archived; maybe some companies set MX_INACTIVE to 1 for employees on maternity leave, or for any other reason for that matter.

Kind regards,

Jaisuryan
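
The leaver procedure discussed in this thread (flag the identity as Archived, remove all privileges, wait, then set MX_INACTIVE to 1) can be checked after the fact. The following is an added example, not part of the original posts and not SAP code: it audits a constructed export of identities, and the record layout (`id`, `privileges`, `last_priv_removed`, `inactivated_at`) is an assumption made for illustration, not an IdM export format.

```python
from datetime import datetime, timedelta

MIN_GAP = timedelta(minutes=10)  # the wait mentioned in the thread; adjust as needed

# Constructed sample data. Field layout is hypothetical, not an SAP IdM format.
SAMPLE = [
    {"id": "U1001", "MX_FS_EMPLOYMENT_STATUS": "Archived", "MX_INACTIVE": "1",
     "privileges": [], "last_priv_removed": "2024-03-01T10:00:00",
     "inactivated_at": "2024-03-01T10:15:00"},          # clean leaver
    {"id": "U1002", "MX_FS_EMPLOYMENT_STATUS": "Archived", "MX_INACTIVE": "1",
     "privileges": ["PRIV:CONSTRUCTED:ROLE"], "last_priv_removed": None,
     "inactivated_at": "2024-03-01T11:00:00"},          # access never removed
    {"id": "U1003", "MX_FS_EMPLOYMENT_STATUS": "Archived", "MX_INACTIVE": "1",
     "privileges": [], "last_priv_removed": "2024-03-01T10:00:00",
     "inactivated_at": "2024-03-01T10:03:00"},          # inactivated too early
    {"id": "U1004", "MX_FS_EMPLOYMENT_STATUS": "Active", "MX_INACTIVE": "1",
     "privileges": ["PRIV:CONSTRUCTED:ROLE"], "last_priv_removed": None,
     "inactivated_at": "2024-02-01T09:00:00"},          # e.g. leave of absence
    {"id": "U1005", "MX_FS_EMPLOYMENT_STATUS": "Archived", "MX_INACTIVE": "0",
     "privileges": [], "last_priv_removed": "2024-03-02T08:00:00",
     "inactivated_at": None},                           # flagged but still active
]

def audit(identities, min_gap=MIN_GAP):
    """Return {id: [finding, ...]} for identities that deviate from the procedure."""
    findings = {}
    for ident in identities:
        issues = []
        archived = ident.get("MX_FS_EMPLOYMENT_STATUS") == "Archived"
        inactive = ident.get("MX_INACTIVE") == "1"
        if archived and not inactive:
            issues.append("archived-but-active")
        if archived and ident.get("privileges"):
            issues.append("archived-with-privileges")
        if inactive and not archived:
            # MX_INACTIVE alone does not mean "left the company"; review manually.
            issues.append("inactive-not-archived")
        removed, off = ident.get("last_priv_removed"), ident.get("inactivated_at")
        if archived and inactive and removed and off:
            gap = datetime.fromisoformat(off) - datetime.fromisoformat(removed)
            if gap < min_gap:
                issues.append("gap-too-short")
        if issues:
            findings[ident["id"]] = issues
    return findings

if __name__ == "__main__":
    for ident_id, issues in audit(SAMPLE).items():
        print(ident_id, ", ".join(issues))
```
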