Identify Inactive Accounts With Cleanup?

book

Article ID: 194675

calendar_today

Updated On:

Products

CA Top Secret CA Top Secret - LDAP CA Web Administrator for Top Secret CA Cleanup

Issue/Introduction

PWEXP is currently set to 90 and is not changing. The objective is to disable user accounts that are inactive for more than a 30 day period (starts at day 31 - no matter where the user is in the 90 day password expire cycle). Can Cleanup identify inactive accounts so we can take action on them?

To disable inactive accounts, the PSUSPEND attribute will be added. Users will then be able to use the REMOVE PSUSPEND option in our Self Service tool to re-enable their account.

Environment

Release : 16.0

Component : CA Top Secret for z/OS

Resolution

Yes, Cleanup can be used to report on acids not used in 31 days, however, Cleanup can not add the PSUSPEND attribute to any of these ACIDs. The MSCA ACID is the only ACID that can add PSUSPEND. (Other administrative ACIDs with the proper authority and scope can add SUSPEND, but this will ASUSPEND the ACID, not PSUSPEND it.) A batch job could be set up to run under the MSCA to add the PSUSPEND attribute to ACIDs that have not been used in 30 days.