6 Replies Latest reply on Apr 3, 2014 7:57 AM by Nils Drews

    A way to automatically deactivate a members account once they leave the company

    davegray

      Hello Doug MacKay, Chris Becker and dfaist

      This is David Gray. I had the pleasure of meeting you all at Jiveworld 2013. I'm running into a wall and wanted to see if any of you had come across an issue like this.

      When someone leaves the company, is there a way to automatically deactivate their account? We still want their content to remain. We are SSO so once they leave the company, they can no longer login, but when searched for in our Jive platform, their account still shows as active.

      Here is the conversation I had with Jive:

      "Deleting a user is the only way to permanently remove his or her content from the community so we will definitely want to stay clear of that method. When you Disable a user it will prevent them from logging into the community while leaving all of their content intact, except their names will not be searchable under People Search and it will show (Deactivated) next to their name if you click on a link to their page from a piece of content they created or in the modal on hover. This is the recommended practice for handling terminated or ex-employees.

      Now for the automation part. Jive doesn't automate anything, but since you're currently using SAML SSO you have a few options.

      1. Manually disable the users via the Admin Console after disabling them via SAML.
      2. Disable the user through the Jive REST API v3.0 → Person service by setting them to "enabled=false" after disabling them via SAML.
      3. Rely on the out-of-the-box Profile Decay functionality. This would involve disabling the user via SAML to prevent further login attempts and waiting for the decay task to disable them after the default 12 months, unless you want to speed that up through the System Property user.decay.period as seen in Undocumented Jive System Properties.
      4. Set up an engagement through your Account Manager with Professional Services to build an automated solution for you.

      Of course, if you were using LDAP then you could either use the "Disable federated user accounts not found in the directory" option as described in Synchronizing LDAP Users or the "UserAccountControl" setting as described in Mapping Users from a Directory Server. Please let me know if you have any additional questions about this."


      Our tech states: "We do not integrate via LDAP to Jive so we cannot use the automated functionality. Your option is to manually disable them in Jive."


      Can someone tell me where to start on this issue?


      Thank you very much


      Dave Gray

        • Re: A way to automatically deactivate a members account once they leave the company
          dougmackay

          Hey Dave,

          We use SSO and ActiveDirectory and disable users automatically all the time. I'm a little confused though on the "We don't integrate via LDAP" if you use SSO/SAML. SSO needs to look up something in order for people to get access to stuff. Do you know where your users are being authenticated from? I'd first start by just getting clarification from the Tech on which directory service you're using. After that, I'd retest your authentication settings and if it is LDAP or AD (probably AD) then you'll be able to determine the easiest path.

          Our users go into a disabled users group in AD and that allows Jive to "disable" them, keeping their content available.  Hope that helps.

          • Re: A way to automatically deactivate a members account once they leave the company
            beckercs

            Hey Dave,

            Same as Doug - we have SSO integration to the ED (not yet AD) - users are deactivated in the ED and then Jive deactivates them. We keep their content but they are associated with a 'PwC Alumni' label. This happens as part of an overnight update. Each night the feed is updated with new users (new employees), deactivations and any changes to core info.

              • Re: A way to automatically deactivate a members account once they leave the company
                Nils Drews

                To explain Chris's situation in more detail: there is custom code that exports the data as CSV from ED (written by developers internal to PwC) and shoots it over to Jive. Within Jive we (Jive PS) built a CSV importer plugin which consumes this CSV and re-enables all federated users it finds in the file and disables (not deletes) all other federated users. The code that changes the usernames to PwC Alumni is included in there as well, but this is just an additional part of the customizations in place.

                This is essentially version 4 of the suggestions, an automated version for the user sync customized by Jive Professional Services.

                Solution 2 will be interesting as well when you can react on a disabled user directly. The solution further up needs development effort on your end and this effort could as well be directed into an API call. The drawback here is that you need to make sure that these calls surely get out, or you need some other way of ensuring that the two data stores are in sync. Also the performance is to be considered here. I would not sync all users of PwC on a nightly basis like that, but if it's just a few hundred or in the low thousands you could do that as well.

                Also with SSO enabled you only need an ADFS exposed which in turn will connect to LDAP (AD) internally. But LDAP (AD) itself does not need to be exposed and most likely security won't expose that without having done a really thorough analysis beforehand.

                The easiest solution for an LDAP sync would be to utilize LDAPS and open up your firewall for only our IP addresses on just a specific port. This would be the preferred way we at Jive would run with LDAP. Alternatively, within a hosted environment you could set up a VPN, but this is way more hassle than the aforementioned solution and does not give you much if any benefit.

                Bye, Nils
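Option 2 in Jive's reply (flip `enabled` through the REST API v3 Person service) and the CSV importer Nils describes (re-enable federated users present in the export, disable the rest) share one reconciliation step, shown below in Python as an added example that is not code from Jive, PwC or anyone in this thread. It assumes the v3 Person entity exposes `jive.federated` and `jive.enabled` and is updated with `PUT /api/core/v3/people/{id}`; the CSV and Person records are constructed samples, and the script only builds the requests rather than sending them.

```python
import csv
import io
import json

# Constructed sample: nightly CSV export from the employee directory (ED)
EMPLOYEE_CSV = """username,status
alice,active
bob,active
carol,active
"""

# Constructed sample of Person objects as returned by GET /api/core/v3/people;
# the `jive.federated` / `jive.enabled` fields are assumed from the v3 Person entity
JIVE_PEOPLE = [
    {"id": "1001", "jive": {"username": "alice", "federated": True, "enabled": True}},
    {"id": "1002", "jive": {"username": "bob", "federated": True, "enabled": False}},
    {"id": "1003", "jive": {"username": "dave", "federated": True, "enabled": True}},
    {"id": "1004", "jive": {"username": "admin", "federated": False, "enabled": True}},
]

def current_employees(csv_text):
    """Usernames the directory still lists as active."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["username"].strip().lower() for r in rows if r["status"] == "active"}

def plan_changes(people, employees):
    """Return {person_id: desired_enabled} for federated accounts whose state
    differs from the directory. Local (non-federated) accounts such as admins
    are never touched, and unchanged accounts are skipped so reruns are idempotent."""
    changes = {}
    for p in people:
        j = p["jive"]
        if not j.get("federated"):
            continue
        desired = j["username"].lower() in employees
        if j["enabled"] != desired:
            changes[p["id"]] = desired
    return changes

def build_request(base_url, person, enabled):
    """Build (method, url, json body) for the Person update; nothing is sent here."""
    body = dict(person)
    body["jive"] = dict(person["jive"], enabled=enabled)
    return ("PUT", f"{base_url}/api/core/v3/people/{person['id']}", json.dumps(body))

if __name__ == "__main__":
    by_id = {p["id"]: p for p in JIVE_PEOPLE}
    for pid, enabled in plan_changes(JIVE_PEOPLE, current_employees(EMPLOYEE_CSV)).items():
        print(build_request("https://jive.example.invalid", by_id[pid], enabled)[:2])
```

Because only accounts whose state differs are touched, a failed nightly run can simply be repeated, which is one way to address the "calls surely get out" concern above.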