This topic contains 5 replies, has 3 voices, and was last updated by  ivano.vingiani 1 year, 5 months ago.

  • #20440
     ivano.vingiani 
    Participant

    We’ve got a requirement to expire temporary users after a given time but I can’t even see the user creation date.

    Is there a way to retrieve it? Is it possible to have a script in IDM that automatically disables a user after expiration?

    #20449
     Bill Nelson 
    Participant

    Provisioning tools such as OpenIDM have the concept of a sunrise and a sunset date. The sunrise date allows you to configure a user’s accounts ahead of time, but not activate them until the sunrise date is reached. Alternately, the sunset date allows you to set an expiration date on which their accounts become automatically disabled (or whatever you choose to do on that date). OpenIDM has a Task Scanner that runs and acts on the scripts associated with these dates.

    It seems to me that the sunset date would serve your purpose. In using this functionality, you set the date that the user’s account is to expire when you create the user. A good example is that you set a sunset date for a contractor to be the date of the termination of their contract.

    For more information on the Task Scanner and Sunrise/Sunset dates, look here: https://backstage.forgerock.com/docs/idm/5.5/integrators-guide/#task-scanner

    #20451
     ivano.vingiani 
    Participant

    Thanks Bill, that was useful.

    #20454
     ivano.vingiani 
    Participant

    I’ve created a task as per the example but the records are not being modified.
    Looking at the tasker’s log I see:

    {"state":"COMPLETED","processed":0,"total":1,"successes":0,"failures":0}

    So the tasker did find a matching record but for some reason didn’t process it.

    #20459
     Mike Jang 
    Moderator

    Hi Ivano,

    Just checked a hunch — if you’re working with IDM 5.5, and have set up user self-registration, you should be able to get date info related to new users from audit/activity.audit.json.

    I tried it, and I see the following info in my version of that file:

    {
      "transactionId": "8260562c-8c1b-4bde-b685-936f22fd27fd-703",
      "timestamp": "2018-01-10T16:39:31.749Z",
      "eventName": "activity",
      "userId": "anonymous",
      "runAs": "anonymous",
      "operation": "CREATE",
      "before": null,
      "after": {
        "kbaInfo": [
          {
          ….
        "userName": "mike",
        "givenName": "Mike",
        ….

    #20465
     ivano.vingiani 
    Participant

    I managed to get it to work following this guide: https://backstage.forgerock.com/docs/idm/5.5/integrators-guide/#task-scanner

    For some reason the property used in the query filter has to be an Object (not mentioned in the guide), otherwise it fails:

    WARNING: Taskscanner failed with unexpected exception
    org.forgerock.json.JsonValueException: /0/expiry: Expecting a Map or List

    Just seems strange that the tasker logs don’t report it as a failure.
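
Added example, not part of any post in this thread and not ForgeRock code: a Python sketch that recovers user creation dates from the activity audit log described above and lists accounts older than a chosen lifetime. It assumes the file holds one JSON event per line; the sample events are constructed, and only the field names shown in the thread (`timestamp`, `operation`, `after.userName`) are used.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of audit/activity.audit.json (assumed: one event per line).
SAMPLE_AUDIT = "\n".join([
    json.dumps({"timestamp": "2018-01-10T16:39:31.749Z", "eventName": "activity",
                "operation": "CREATE", "before": None,
                "after": {"userName": "mike", "givenName": "Mike"}}),
    json.dumps({"timestamp": "2018-02-02T08:00:00.000Z", "eventName": "activity",
                "operation": "UPDATE", "before": {"userName": "mike"},
                "after": {"userName": "mike", "givenName": "Michael"}}),
    json.dumps({"timestamp": "2018-03-01T09:00:00.000Z", "eventName": "activity",
                "operation": "CREATE", "before": None,
                "after": {"userName": "temp.contractor"}}),
    '{"timestamp": "2018-03-02T10:00:00.000Z", "operation": "CRE',  # truncated line
])


def creation_dates(lines):
    """Map userName -> UTC datetime of its most recent CREATE event."""
    created = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
            if event.get("operation") != "CREATE":
                continue
            name = (event.get("after") or {}).get("userName")
            when = datetime.strptime(
                event["timestamp"], "%Y-%m-%dT%H:%M:%S.%fZ"
            ).replace(tzinfo=timezone.utc)
        except (ValueError, KeyError, TypeError):
            continue  # skip truncated or malformed events instead of aborting
        # A re-created account counts from its latest CREATE.
        if name and (name not in created or when > created[name]):
            created[name] = when
    return created


def expired_users(created, max_age, now):
    """Return the sorted user names whose account age exceeds max_age."""
    return sorted(u for u, when in created.items() if now - when > max_age)


if __name__ == "__main__":
    dates = creation_dates(SAMPLE_AUDIT.splitlines())
    cutoff_now = datetime(2018, 3, 15, tzinfo=timezone.utc)
    print(expired_users(dates, timedelta(days=30), cutoff_now))
```

The resulting list can feed a review step or be compared against the sunset dates set on the managed users, so that temporary accounts created without an expiry are caught.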
