Best practice for deactivating users?
02-18-2024 05:08 AM
Hello,
Best practice for deactivating users?
Should it be automated via AD / Azure, or should we use a catalog item (user offboarding)?
How are you managing today?
02-19-2024 02:40 AM
Hi @Suggy
Greetings!!
You said "As part of offboarding, try to account locked instead of active = false." - Any rationale behind this?
Yes, and this is what I learned from experience: by setting active = false, the user name will not appear in any record for incident creation or reports (there may be a need to raise an incident/record after offboarding), so I said account locked is a good option.
If my response proves useful, please indicate its helpfulness by selecting " Accept as Solution" and " Helpful." This action benefits both the community and me.
Regards
Dr. Atul G. - Learn N Grow Together
ServiceNow Techno - Functional Trainer
LinkedIn: https://www.linkedin.com/in/dratulgrover
YouTube: https://www.youtube.com/@LearnNGrowTogetherwithAtulG
Topmate: https://topmate.io/atul_grover_lng [ Connect for 1-1 Session]
02-19-2024 02:55 AM
Hi @Suggy,
Best Practice - If you use tooling for account activity such as AD or Azure, then all account activity should be managed through that source of truth, including deactivation; otherwise you will get out of sync.
Whilst I understand that it is common to have a catalog item for offboarding, the account should not be deactivated at the completion of that item within ServiceNow.
The update should be sent to AD/Azure which in turn will update ServiceNow on the sync job. That is why such tooling is used to ensure we have a single source of truth.
To help others (or for me to help you more directly), please mark this response correct by clicking on Accept as Solution and/or Helpful.
Thanks, Robbie
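The two replies above make two separate points: the reply from Dr. Atul G. argues for locking the account rather than setting active = false so the user still appears on records, and Robbie's reply argues that the directory (AD / Azure) should drive the change through the sync job rather than a catalog item writing sys_user directly. The script below is an added illustration, not code from the thread or from ServiceNow; it models a one-way directory-to-ServiceNow sync with lock-instead-of-deactivate semantics and a drift check that flags users who can still log in although the directory no longer vouches for them. The sample records are constructed, the AD export shape (sAMAccountName, enabled) is an assumption, and the meaning given to active and locked_out (active = eligible to be chosen on new records, active and not locked_out = may log in) is a simplification of the real platform behaviour.

```javascript
// Added example, not from the thread. Models AD -> ServiceNow one-way sync
// with "lock instead of deactivate" offboarding. Records are constructed;
// the AD export shape and the flag semantics are assumptions.

// Constructed directory export: bob has been disabled as part of offboarding.
const adExport = [
  { sAMAccountName: "alice", enabled: true },
  { sAMAccountName: "bob",   enabled: false },
  { sAMAccountName: "carol", enabled: true },
];

// Constructed sys_user snapshot: dave is no longer in the directory at all.
const sysUser = [
  { user_name: "alice", active: true, locked_out: false },
  { user_name: "bob",   active: true, locked_out: false },
  { user_name: "carol", active: true, locked_out: false },
  { user_name: "dave",  active: true, locked_out: false },
];

// Constructed incident that references the offboarded user.
const incidents = [{ number: "INC0000001", caller: "bob" }];

// The two offboarding options compared in the thread.
function offboardByDeactivate(user) { user.active = false; }
function offboardByLock(user) { user.locked_out = true; }

// Assumed flag semantics (simplified): login needs active and not locked;
// only active users can be picked as caller/assignee on new records.
function canLogin(user) { return user.active && !user.locked_out; }
function selectableOnNewRecords(user) { return user.active; }

// One-way sync: the directory is the source of truth. Anyone disabled in,
// or missing from, the directory is locked; active is left alone so that
// existing and future references to the user still resolve.
function syncFromDirectory(directory, users) {
  const enabled = new Map(directory.map((a) => [a.sAMAccountName, a.enabled]));
  const changes = [];
  for (const u of users) {
    const shouldLock = enabled.get(u.user_name) !== true;
    if (u.locked_out !== shouldLock) {
      u.locked_out = shouldLock;
      changes.push({ user_name: u.user_name, locked_out: shouldLock });
    }
  }
  return changes;
}

// Drift report: users who can still log in although the directory does not
// vouch for them. Non-empty right after a sync run means something other
// than the sync job (for example a catalog workflow) is writing sys_user.
function findDrift(directory, users) {
  const enabled = new Map(directory.map((a) => [a.sAMAccountName, a.enabled]));
  return users
    .filter((u) => canLogin(u) && enabled.get(u.user_name) !== true)
    .map((u) => u.user_name);
}

// Can the caller on an incident still be (re)selected on a new record?
function callerSelectable(users, incident) {
  const u = users.find((x) => x.user_name === incident.caller);
  return !!u && selectableOnNewRecords(u);
}

// Runs the sync on a copy of the snapshot and reports what changed.
function demo() {
  const users = sysUser.map((u) => ({ ...u }));
  const driftBefore = findDrift(adExport, users);
  const changes = syncFromDirectory(adExport, users);
  const driftAfter = findDrift(adExport, users);
  const bob = users.find((u) => u.user_name === "bob");
  return {
    driftBefore,                                   // ["bob", "dave"]
    changed: changes.map((c) => c.user_name),      // ["bob", "dave"]
    driftAfter,                                    // []
    bobCanLogin: canLogin(bob),                    // false
    bobStillSelectable: callerSelectable(users, incidents[0]), // true
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running the drift check on a schedule, independently of the sync job, is the practical way to notice when a catalog item or a manual edit has started bypassing the source of truth: any name it reports is an account the directory has disabled that can still sign in to the platform.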
02-19-2024 08:56 PM
Hi @Robbie, is that process widely being followed? I have seen customers where they don't allow writing back to AD. They always push the data to ServiceNow but don't allow writing back to it.
PS - I know the various ways as to how a user can be deactivated, but I am looking for industry best practices, how it's generally done.
Until now, if you see all the above answers, it's a different answer from each person 🙂
02-20-2024 01:05 AM
Hi @Suggy - It is interesting to see the different responses.
I'll just say this and let you and others decide - what's the point of having a single source of truth such as AD or Okta etc if it's not used? How do you know which system is correct?
One system should control all systems in an ideal world (and is best practice), but granted, this is not always followed for various reasons.
To help others (or for me to help you more directly), please mark this response correct by clicking on Accept as Solution and/or Helpful.
Thanks, Robbie
02-19-2024 09:59 PM
Hi @Suggy
If you are maintaining user profiles, and whenever the offboarding kicks off you are maintaining lifecycle management within the AD, then that can be a way to deactivate a user in ServiceNow.
Explicitly using the catalog to deactivate a user seems redundant; ideally it should have a single source of truth, i.e. your AD.
Aman Kumar