Symantec VIP service users clean up QnA

Article ID: 433283


Updated On:

Products

VIP Service

Issue/Introduction

Organizations using Symantec VIP often configure lifecycle policies such as credential expiration, credential removal, and automatic user deletion to manage inactive users and reclaim licenses.

This article clarifies how these policies work, their limitations, and recommended practices for managing inactive users.

Environment

Symantec VIP

Resolution

1. Can VIP Predict Which Users Will Be Impacted by Cleanup Policies?

Symantec VIP does not provide a built-in reporting mechanism that can simulate or forecast which users will be affected by credential expiration or automatic user deletion policies on a specific future date.

The cleanup actions are executed automatically based on the configured policy criteria during the system’s scheduled maintenance cycle.

Recommended Approach

To estimate potential impact before adjusting policies:

  • Export or review user data from VIP Manager.

  • Identify users with:

    • No recent authentication activity

    • Expired or unused credentials

    • No credentials assigned

  • Perform internal analysis to estimate the number of users that may be affected.

This approach can help organizations prepare before implementing stricter lifecycle policies.

 

2. Can the Number of Users Deleted Per Day Be Controlled?

Currently, VIP does not provide a mechanism to throttle or limit the number of users deleted per cleanup cycle.

The system automatically evaluates all users that meet the configured criteria and processes them during the scheduled maintenance run.

Organizations planning significant policy changes may consider gradual policy adjustments (for example, reducing inactivity thresholds in stages) to monitor the impact.

 

3. Why Are Some Inactive Users Not Being Deleted?

In some cases, users who appear inactive may remain in VIP Manager. One common reason is related to how the automatic deletion policy evaluates inactivity.

The policy typically relies on authentication activity or credential lifecycle events. If a user:

  • Never had credentials assigned, or

  • Never authenticated,

there may not be sufficient activity metadata available for the system to evaluate the account as inactive. As a result, such users may remain in VIP Manager even though they appear unused.

 

4. When Does the VIP Cleanup Process Run?

According to VIP engineering, the cleanup process runs daily during the last data refresh cycle, typically:

~11:59:59 PM UTC

During this cycle, VIP evaluates all accounts against the configured policies and deletes any users that meet the criteria.
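The internal analysis described in sections 1 to 4 can be scripted against an exported user list. The following is an added example, not Broadcom code: the CSV column names, the sample rows, and the simple "days since last authentication" model of the deletion policy are all assumptions to adapt to the actual export and policy settings.

```python
import csv
import io
from datetime import datetime, time, timedelta, timezone

# Constructed sample data. Column names are assumptions, not the VIP Manager export schema.
SAMPLE_EXPORT = """user_id,last_auth,credential_count
alice,2025-05-28,1
bob,2024-11-15,1
carol,,0
dave,2025-02-01,2
erin,,1
"""

def next_cleanup_run(now):
    """Next daily cleanup cycle, using the ~11:59:59 PM UTC time given in the article."""
    run = datetime.combine(now.date(), time(23, 59, 59), tzinfo=timezone.utc)
    return run if run >= now else run + timedelta(days=1)

def classify(export_text, inactivity_days, now):
    """Bucket users for one assumed inactivity threshold at the next cleanup run."""
    cutoff = next_cleanup_run(now) - timedelta(days=inactivity_days)
    buckets = {"at_risk": [], "no_activity_data": [], "active": []}
    for row in csv.DictReader(io.StringIO(export_text)):
        if not row["last_auth"]:
            # Never authenticated (with or without credentials): per section 3 the
            # policy may lack the metadata to evaluate these, so review them manually.
            buckets["no_activity_data"].append(row["user_id"])
            continue
        last_auth = datetime.strptime(row["last_auth"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
        key = "at_risk" if last_auth <= cutoff else "active"
        buckets[key].append(row["user_id"])
    return buckets

def staged_impact(export_text, thresholds, now):
    """Users at risk per threshold, for planning a staged reduction (section 2)."""
    return {d: len(classify(export_text, d, now)["at_risk"]) for d in thresholds}

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print("Next cleanup run:", next_cleanup_run(now).isoformat())
    for days, count in staged_impact(SAMPLE_EXPORT, [365, 180, 90], now).items():
        print(f"threshold {days:>3} days: {count} user(s) at risk")
    print("Manual review:", classify(SAMPLE_EXPORT, 90, now)["no_activity_data"])
```

The `no_activity_data` bucket is the list to handle by hand, since those accounts may never be removed by the automatic policy.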

 

5. Why Are Users Being Created via the MyVIP Portal?

If new user accounts are appearing automatically, it is likely because MyVIP self-registration (self-enrollment) is enabled in the tenant.

This feature allows users to:

  • Create their own VIP accounts

  • Register credentials through the MyVIP self-service portal

How to Control This Behavior

Administrators can review and modify these settings in VIP Manager.

If self-registration was previously enabled, it is recommended to review recently created users to ensure only authorized accounts remain active.

 

6. Should Access to MyVIP Be Completely Blocked?

By default, all users can access the MyVIP portal to manage their credentials.

VIP Manager includes an option to “Block all access to My VIP.” However, this option blocks all users from accessing MyVIP, which may interfere with normal credential management workflows. For this reason, Broadcom generally does not recommend completely blocking MyVIP access.

Recommended Alternative

Instead of blocking MyVIP entirely, administrators can apply more granular controls:

  • Restrict access by user groups

    • Navigate to: Accounts → Manage User Groups

  • Allow or block access by IP address

    • Use the Allow/Block IP address policy to restrict access to trusted networks only.

This approach provides better control while maintaining necessary functionality for credential management.