Orphaned accounts are active accounts in applications, such as Active Directory, that do not have a corresponding account owner. Active accounts that don’t belong to a real user pose a security risk: nobody is reviewing their access, and they are attractive to an attacker because their use is unlikely to be noticed. These accounts may also incur unnecessary license fees. Virtually all of our customers need an easy way to identify and manage orphaned accounts. In this post, we will explore how accounts become orphaned and the tools available in OpenIAM to help you manage them.
There are several ways in which accounts get orphaned. These include:
While there are other cases, orphaned accounts mostly accumulate in the absence of a comprehensive identity solution that ties every account to an owner and detects when that link is lost.
In OpenIAM, connectors are used to integrate with applications. These connectors are used for provisioning, synchronization and reconciliation. Depending on your requirements, you can configure a synchronization or reconciliation task to run at regular intervals. If you are using synchronization, you can enable the “Detect orphans” checkbox as shown below.
When a synchronization task is executed, data from the target application will be compared to the data in OpenIAM using the matching attributes shown in the configuration below. When a match fails, we can either:
If the “Detect orphan” checkbox is on, then an orphaned record will be created in OpenIAM.
Where no connector exists for an application, the same detection can be done by feeding an export of the application’s accounts to OpenIAM as a CSV file.
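To make the matching step concrete, here is an added example that simulates one synchronization run over a CSV export. It is illustrative code written for this post, not OpenIAM’s own connector or synchronization code, and the column names, the identity store layout and the default matching rules are assumptions. The point it demonstrates is that matching is an ordered list of attribute pairs: an account is linked by the first rule whose value matches, and only an account that matches no rule is flagged as an orphan.

```python
import csv
import io

# Constructed sample export from a target application (what a connector or a
# CSV feed would deliver). Column names are hypothetical, not OpenIAM's schema.
TARGET_ACCOUNTS_CSV = """login,email,employee_id,enabled
jsmith,john.smith@example.com,1001,true
mjones,mary.jones@example.com,1002,true
svc_backup,,,true
tbrown,tom.brown@example.com,,true
"""

# Constructed sample of identities already known to the identity system.
IDENTITY_STORE = [
    {"principal": "jsmith", "email": "john.smith@example.com", "employee_id": "1001"},
    {"principal": "mjones", "email": "mary.jones@example.com", "employee_id": "1002"},
    {"principal": "tbrown", "email": "tom.brown@example.com", "employee_id": "1003"},
]

# Ordered matching rules: (attribute in the target export, attribute in the
# identity store). The first rule that yields a match wins, so the most
# reliable attribute (an immutable employee id) goes first and the weakest
# (a login name that could be reused) goes last. Assumed for this example.
DEFAULT_MATCHING_RULES = [
    ("employee_id", "employee_id"),
    ("email", "email"),
    ("login", "principal"),
]


def match_account(account, identities, matching_rules):
    """Return the identity matched by the first applicable rule, or None."""
    for target_attr, identity_attr in matching_rules:
        value = (account.get(target_attr) or "").strip().lower()
        if not value:
            # Empty values never match: otherwise every account with a blank
            # email would "match" every identity with a blank email.
            continue
        for ident in identities:
            if (ident.get(identity_attr) or "").strip().lower() == value:
                return ident
    return None


def detect_orphans(target_csv, identities, matching_rules, flag_orphans=True):
    """Simulate one sync run over a CSV export.

    Returns (linked, orphans): linked is a list of (target login, identity
    principal) pairs; orphans is the list of target logins that matched no
    identity. With flag_orphans=False (the checkbox off) unmatched accounts
    are simply ignored, which is how they go unnoticed.
    """
    linked, orphans = [], []
    for row in csv.DictReader(io.StringIO(target_csv)):
        ident = match_account(row, identities, matching_rules)
        if ident is not None:
            linked.append((row["login"], ident["principal"]))
        elif flag_orphans:
            orphans.append(row["login"])
    return linked, orphans


if __name__ == "__main__":
    linked, orphans = detect_orphans(TARGET_ACCOUNTS_CSV, IDENTITY_STORE, DEFAULT_MATCHING_RULES)
    print("linked :", linked)
    print("orphans:", orphans)

    # Re-sync after the owner of the service account has been recorded in the
    # identity store: the account now matches on login and drops off the list.
    fixed_store = IDENTITY_STORE + [{"principal": "svc_backup", "email": "", "employee_id": ""}]
    print("after cleanup:", detect_orphans(TARGET_ACCOUNTS_CSV, fixed_store, DEFAULT_MATCHING_RULES)[1])
```

Note what the sample shows: tbrown has no employee id in the export but is still linked because the email rule fires next, while svc_backup has neither an employee id nor an email and its login is unknown to the identity store, so it is the only orphan. Running the same function again once the target or the identity store has been corrected produces an updated list, which is the behaviour you rely on when you re-sync after a manual cleanup.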
There is one more case where an orphan will be created. In the user manager, we can see all the accounts linked to a user’s profile. It is possible to unlink an account from a user. In this case, the unlinked account will also appear as an orphan.
In the user manager, there is a menu option for “Orphan Management”. This interface can be used to view and manage orphans.
Some of our customers have a major cleanup effort ahead of them and prefer to get a report that they can use to perform the cleanup. The report can be obtained using the blue download report button. For customers that are cleaning up the target application manually, we can simply re-sync from the application. If an identity has been corrected and is no longer an orphan, it will automatically drop off the orphan list.
In most cases, however, customers can use the interface shown above to perform one of the following operations on orphaned accounts: