How can I generate a list of Internal Identity Provider's users that have not been active for a certain amount of time?
Also, is there a way to delete those inactive users automatically?
Release : 10.1
Policy Manager inactive IDP users housekeeping
Out of the box, the Internal Identity Provider user's Maximum Inactivity Period policy is set to 35 days (Policy Manager > Tasks > Users and Authentication > Manage Administrative User Account Policy).
If a user is inactive for longer than the defined period, the account is automatically disabled and the user can no longer log in to the Policy Manager unless an Administrator re-enables the account.
However, users assigned the role of 'Administrator' are exempt from this inactivity timeout. Reference: Manage Administrative User Account Policy
We can use the following MySQL query to list all users with their last recorded activity and current state, where INACTIVE means past the 35-day mark (or whatever value is set in the user's policy):
select login, FROM_UNIXTIME(last_activity/1000), state from ssg.logon_info;
Regarding deleting inactive users:
1. For NON-Administrator users, we can execute the following query:
delete from ssg.internal_user where enabled = 0;
The value of "0" means disabled.
2. For Administrator users, manually delete them in Policy Manager, as the Inactivity Enable/Disable policy feature doesn't apply to admin users.
NOTE: Please always back up your database before making any change.
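
The two queries above, combined into one housekeeping session that filters the report by an inactivity threshold and checks the delete before committing it. This is an added example, not part of the original article; it assumes the ssg.internal_user table has a login column and that the tables support transactions, and the 35-day value is only the default quoted above.

```sql
-- Added example. Adjust the threshold to match the Maximum Inactivity Period
-- configured in Manage Administrative User Account Policy.
SET @inactive_days = 35;

-- last_activity is stored in milliseconds since the epoch (the article's
-- query divides it by 1000), so the cutoff is built in milliseconds too.
SET @cutoff_ms = UNIX_TIMESTAMP(NOW() - INTERVAL @inactive_days DAY) * 1000;

-- 1. Report: users whose last recorded activity is older than the cutoff.
SELECT login,
       FROM_UNIXTIME(last_activity / 1000) AS last_activity_time,
       state
FROM ssg.logon_info
WHERE last_activity < @cutoff_ms
ORDER BY last_activity;

-- 2. Preview exactly which accounts the DELETE would remove.
--    (login column on internal_user is an assumption of this example.)
SELECT login, enabled
FROM ssg.internal_user
WHERE enabled = 0;

-- 3. Run the article's DELETE inside a transaction and compare the number
--    of affected rows with the preview from step 2.
START TRANSACTION;

DELETE FROM ssg.internal_user
WHERE enabled = 0;

SELECT ROW_COUNT() AS deleted_rows;

-- Replace ROLLBACK with COMMIT once deleted_rows matches the preview.
ROLLBACK;
```

The preview in step 2 lists every disabled account regardless of why it was disabled, so review it for accounts that were disabled manually and should be kept.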