Project

General

Profile

Actions

Task #2968

open

Password expiration will not process user in excluded state

Added by Ondřej Kopr about 3 years ago. Updated about 3 years ago.

Status:
New
Priority:
Normal
Assignee:
Ondrej Husník
Category:
Password
Target version:
-
Start date:
10/04/2021
Due date:
% Done:

0%

Estimated time:
Owner:

Description

Long running task PasswordExpiredTaskExecutor doesn't process users in excluded state.

We want also for this kind of users set this flag into end system.

Please it is possible update the LRT PasswordExpiredTaskExecutor that also users in excluded state will be included :)


Related issues

Related to IdStory Identity Manager - Task #1724: Filtering and labeling of excluded usersClosedVít Švanda06/17/2019

Actions
Actions #1

Updated by Ondřej Kopr about 3 years ago

Now doesn't exist simple workaround that process excluded users :( only project specific LRT

Actions #2

Updated by Radek Tomiška about 3 years ago

Lookout: Excluded users = Inactive users (see #1724). Are you sure, you want to notify inactive users?

Actions #3

Updated by Radek Tomiška about 3 years ago

  • Related to Task #1724: Filtering and labeling of excluded users added
Actions #4

Updated by Vladimír Kotýnek about 3 years ago

The LRT won't process "manually disabled" or "left" or any "disabled" identities too. Funny thing is that the LRT processes them after they are switched back to "valid" state. The disabled identities are not present in the queue of the LRT. This might cause situations where an employee quits a job in organization and is rehired later (e.g. after few years) or returns after "exclusion", her/his identity is enabled by sync of HR system and HR processes and after that she/he receives a notification about password expiration.

I would be very careful when implementing this change because after deploying it CzechIdM might send a lot of unwanted notifications. There will be plenty of disabled identities with expired password which are not present in the LRT's queue.

Also I don't think it's a good idea to notify disabled users. I understand your need to do the provisioning on the account regardless of the identity state.

Actions

Also available in: Atom PDF