Identity Governance Challenge #4: How to automate revoking permissions of deprovisioned user accounts?



Insider threats come from two kinds of employees: negligent employees and employees with malicious intent. The second category includes both employees currently with the organization and those who have quit. While the first category can be dealt with by creating awareness about potential security threats, the second category is more complex. Enforcing the principle of least privilege can help avoid threats from employees who are with the organization. To protect the organization from employees who have quit, it is mandatory to have foolproof deprovisioning policies in place.

ADManager Plus' automated deprovisioning feature, coupled with its customizable delete policy, can help you automatically deprovision user accounts and divest them of all access privileges. The following steps will guide you through the process.


 

1. Set up the delete policy

    1. Navigate to Admin tab > Custom Settings > Delete/Disable Policy

    2. Select the domain you wish to enforce the delete policy in and then select the Delete Policy tab.

    3. Select the actions, such as deleting home folders and mailboxes, revoking Office 365 licenses, etc., that must be automatically triggered when a user account is deleted.

    4. Click Save.

 

2. Configure automated deprovisioning of user accounts

    1. Navigate to Automation tab > Automation > Create New Automation and configure the following settings.

    2. Automation policy Name and Description - Enter a suitable name and description for the automation process.

    3. Automation Category - Choose User Management.

    4. Domain - Choose the domain and OUs in which the task should run.

    5. Automation Task/Policy - From the 'Automation policy' list, select the 'user deprovisioning' policy.

    6. Location of CSV - Choose the location of your CSV file which contains the list of users to be deprovisioned.

    7. Implement Business Workflow - Enable this option if you want the user deletion to be carried out after approval. This option will automatically create a 'delete user' request; once it is approved by the appropriate technician or user mentioned in the workflow, the user account will be deleted from AD.

    8. Select the Execution time and Frequency at which you want the automated user deprovisioning to be done.

    9. Enable the Notification option if you wish to notify the technician every time the automation gets executed.

    10. Click Save.
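
Because the automation configured above acts on every account listed in the CSV from step 6, the list is worth vetting before it is placed at the configured location. The following pre-flight check is an added example, not part of ADManager Plus or the original post; the column names sAMAccountName and lastWorkingDay, the svc_ prefix and the sample rows are assumptions.

```python
import csv
import io
from datetime import date

# Assumed column names; the page does not specify the CSV layout.
NAME_COL = "sAMAccountName"
LAST_DAY_COL = "lastWorkingDay"  # hypothetical HR export column, ISO date
PROTECTED = {"administrator", "krbtgt", "guest"}  # built-in accounts
PROTECTED_PREFIXES = ("svc_",)  # hypothetical service-account naming prefix

def preflight(csv_text, today):
    """Return (approved names, [(line, name, reason)] rejections)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = {NAME_COL, LAST_DAY_COL} - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"missing column(s): {sorted(missing)}")
    approved, rejected, seen = [], [], set()
    for row in reader:
        name = (row[NAME_COL] or "").strip()
        key = name.lower()  # AD matches sAMAccountName case-insensitively
        reason = None
        if not name:
            reason = "empty account name"
        elif key in seen:
            reason = "duplicate entry"
        elif key in PROTECTED or key.startswith(PROTECTED_PREFIXES):
            reason = "protected or service account"
        else:
            try:
                last_day = date.fromisoformat((row[LAST_DAY_COL] or "").strip())
                if last_day >= today:
                    reason = "last working day not yet passed"
            except ValueError:
                reason = "unparsable last working day"
        seen.add(key)
        if reason:
            rejected.append((reader.line_num, name, reason))
        else:
            approved.append(name)
    return approved, rejected

# Constructed sample input, not real accounts.
SAMPLE = (
    "sAMAccountName,lastWorkingDay\n"
    "jdoe,2024-03-01\nJDoe,2024-03-01\nkrbtgt,2024-01-01\n"
    "svc_backup,2024-01-15\nasmith,2024-12-31\nbwong,03/01/2024\n"
    ",2024-02-01\nmlee,2024-02-29\n"
)
```

Calling preflight(SAMPLE, date(2024, 3, 15)) approves only jdoe and mlee; each rejected row comes back with its line number and reason so it can be reviewed before the scheduled run.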

 

This brings us to the end of the Identity Governance Challenges series, which focused on identity governance challenges and solutions for standardizing access policies across the organization, setting up organization-wide approval processes for identity management, and keeping track of employees accessing critical data. Tune in next week for another article to help you manage your AD better.

 

Cheers,

Team ADManager Plus.
