Using TDI to inactivate orphaned users after X-days

Hi all,

At IBMConnect I had several discussions about whether it is possible to automatically inactivate users who have not used IBM Connections for a certain time. The answer is yes, it is possible, and we have already had such customer requests.

I want to share how to write a simple assembly line that does this job.

Imagine you use the external users feature and there are partners who use the system only once and then never again. You do not want your Connections installation cluttered with thousands of orphaned profiles.

One way is to delete those users from LDAP (or remove their sync flag) by hand. But that is far too much effort and manual work.

The other way is to let TDI do this work for you.

The idea is to look into the profiles database (the table PROFILE_LAST_LOGIN is updated with the current timestamp whenever you log in to any IBM Connections feature) and check when the user last logged into the system. Then you compare this date with a desired "no logon limit". If the user is beyond this limit, inactivate the account in IBM Connections and remove the sync flag and the password from LDAP (removing the password is only possible if the LDAP is not used for anything else).

So especially for external users it makes absolute sense to automate this process.

Let's see how I solved this:

First of all I created a property file to hold the settings that might change. As we use this assembly line in combination with our user manager, I called this property file UserManager.properties:

  • days_nologin_limit –> the number of days without a login after which the account is inactivated
  • ldap_lc_attr –> if you use a flag to synchronize users, specify that attribute here (e.g. description=ic)
  • ldap_password_attr –> the LDAP password attribute; TDI clears it when the user is inactivated
  • source_ldap_user_login –> LDAP user with write access
  • source_ldap_user_password –> password for that LDAP user (store it as a protected property in the property store rather than in clear text)
  • sync_employee_column –> database column used for synchronizing (could also be email or guid)
  • sync_ldap_attr –> LDAP attribute used for synchronizing users between LDAP and the database (could also be email or guid)

Now we start a new assembly line.

Iterator

The iterator opens a database connection to the profiles database. (Whichever feature you use to log in, the profiles database table PROFILE_LAST_LOGIN is always updated with a new timestamp.)

We query the EMPINST schema, table PROFILE_LAST_LOGIN.

As PROFILE_LAST_LOGIN only contains the PROF_KEY, which on its own cannot be matched against an LDAP entry, we need a joined database query against the EMPLOYEE table:

SELECT e.{property:UserManager.sync_employee_column} AS profile_uid, p.prof_last_login AS last_login
FROM EMPINST.EMPLOYEE e JOIN EMPINST.PROFILE_LAST_LOGIN p ON e.prof_key = p.prof_key
WHERE days(current date) - days(p.prof_last_login) > {property:UserManager.days_nologin_limit}
AND e.prof_mode = 1

The query takes its values from the assembly line's own property store (explained above). In this example only external users are taken into account (prof_mode = 1); change or remove the prof_mode condition to include internal users as well. Note that the inner join and the date comparison only match users who actually have a login date: a user who has never logged in (no PROFILE_LAST_LOGIN row, or a NULL prof_last_login) is not returned by this query. If you want to catch those too, use a LEFT JOIN and also select rows where p.prof_last_login IS NULL.

Next, a script "log_and_set_attributes" is created:

This script clears the LDAP attribute used for synchronizing (e.g. if you only synchronize users that have the flag description=ic set in LDAP). Furthermore the LDAP password attribute is overwritten with an empty value.

The LDAP connector "disable_user_in_ldap" takes the attributes set above and writes empty values into the sync attribute and the password attribute (removing the LDAP password is optional). The LDAP account this connector binds with only needs write access to those two attributes on user entries; do not run it as a directory administrator.

For this connector we use a custom attribute mapping so that the attribute names are taken from the properties file rather than being hard-coded.

Now you can either wait until "sync_all_dns" inactivates the user (the cleared sync flag means the user no longer matches the synchronization filter), or use the profile connector to inactivate the corresponding user directly.
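To make the selection rule and the LDAP change set concrete, here is the same logic as a stand-alone JavaScript example. This is added for this article; it is not the TDI assembly line or its "log_and_set_attributes" script (inside TDI the script would work on the work entry and the connector objects instead). The property values, the row layout, the attribute names uid, description and userPassword, the sample rows and the function names are assumptions modelled on the property file above. daysBetween mimics DB2's days() arithmetic (whole calendar days, time of day ignored), and the profile_uid is escaped per RFC 4515 before it goes into the LDAP search filter, so a value containing "(" or "*" cannot widen the search to other entries.

```javascript
// Added example: the assembly line's selection rule and LDAP change set as plain
// JavaScript. Not the original TDI script; names below are assumptions.

// Values as UserManager.properties (described above) would hold them.
const props = {
  days_nologin_limit: "90",
  ldap_lc_attr: "description",        // sync flag attribute (e.g. description=ic)
  ldap_password_attr: "userPassword", // cleared when the user is inactivated
  sync_employee_column: "PROF_UID",
  sync_ldap_attr: "uid",
};

// Constructed sample rows shaped like the joined query's result. prof_mode is
// kept so the external-only rule can be applied here, and a null last_login
// stands in for a user who never logged in.
const sampleRows = [
  { profile_uid: "partner1",   prof_mode: 1, last_login: new Date(Date.UTC(2024, 0, 15)) },
  { profile_uid: "partner2",   prof_mode: 1, last_login: new Date(Date.UTC(2024, 4, 20)) },
  { profile_uid: "employee1",  prof_mode: 0, last_login: new Date(Date.UTC(2023, 0, 1)) },
  { profile_uid: "partner3",   prof_mode: 1, last_login: null },
  { profile_uid: "part(ner)4", prof_mode: 1, last_login: new Date(Date.UTC(2024, 2, 1)) },
  { profile_uid: "partner5",   prof_mode: 1, last_login: new Date(Date.UTC(2024, 2, 3, 23, 59)) },
];

// DB2's days(a) - days(b): difference in whole calendar days, time of day ignored.
function daysBetween(later, earlier) {
  const dayMs = 24 * 60 * 60 * 1000;
  const dayNumber = (d) =>
    Math.floor(Date.UTC(d.getUTCFullYear(), d.getUTCMonth(), d.getUTCDate()) / dayMs);
  return dayNumber(later) - dayNumber(earlier);
}

// The WHERE clause of the query: external users (prof_mode = 1) whose last login
// is more than days_nologin_limit days ago. Rows without a login date are skipped,
// which is also what the inner join / NULL comparison does in SQL. A login exactly
// days_nologin_limit days ago is NOT selected (strict ">").
function selectInactive(rows, settings, today) {
  const limit = Number.parseInt(settings.days_nologin_limit, 10);
  if (!Number.isInteger(limit) || limit <= 0) {
    throw new Error("days_nologin_limit must be a positive integer");
  }
  return rows.filter(
    (r) => r.prof_mode === 1 && r.last_login !== null && daysBetween(today, r.last_login) > limit
  );
}

// Escape an LDAP filter value (RFC 4515) so a profile_uid cannot change the search.
function ldapEscape(value) {
  return String(value).replace(/[\\*()\0]/g, (c) =>
    "\\" + c.charCodeAt(0).toString(16).padStart(2, "0"));
}

// What the "disable_user_in_ldap" connector writes for one selected row: the
// search filter to find the entry, and the two attributes set to empty values.
function ldapChangesFor(row, settings) {
  return {
    filter: `(${settings.sync_ldap_attr}=${ldapEscape(row.profile_uid)})`,
    modify: { [settings.ldap_lc_attr]: "", [settings.ldap_password_attr]: "" },
  };
}

// Run over the sample data for a fixed "today" so the result is reproducible.
function runExample(today = new Date(Date.UTC(2024, 5, 1))) {
  return selectInactive(sampleRows, props, today).map((r) => ldapChangesFor(r, props));
}

console.log(JSON.stringify(runExample(), null, 2));
```

With "today" fixed to 2024-06-01 and a 90-day limit, only partner1 (138 days) and part(ner)4 (92 days) are selected; partner5 logged in exactly 90 days earlier and stays active, partner3 never logged in and is skipped, and employee1 is internal. The escaped filter for part(ner)4 is (uid=part\28ner\294).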

You can download the assembly line and the property file directly: disableExtUsers

You might need to change some directory settings when you import the AL directly.

I hope you like it 😉