How do you handle Inactive Users and Reactivations?

Steven Young · ‎08-24-2018

Hey Folks,

I've got kind of a weird question, but most of you will probably find it interesting.

This is about Active / Inactive & Locked out users.

So as you're probably aware, there is a Business Rule that prevents standard users from seeing deactivated users. So how do you guys handle reactivation of accounts?

So here's the background.
We are using ServiceNow for Managers to submit deactivation requests, which we have an integration with IDM/RSA that will deactivate the users in Active Directory, remove them from all groups, and do a few other things such as move them from the Active Users OU in AD to a deactivated users OU in AD. At this point, we also deactivate in ServiceNow.

So lets say that user gets rehired, (or if it was a contractor, that contract gets picked back up again in 2 weeks), Manager needs to submit a reactivation request.

Also, our Contracted users have a 1 year expiration date. So their accounts expire 1 year from the start date. Occasionally, an account expires and becomes inactive, but the account needs to be extended.

If they are Inactive in ServiceNow, that manager cant see their User Account, in order to submit a reactivation request.

What we were thinking about is creating a deactivated users table and have a few BR's running that when they get deactivated from the users table, add certain into to the deactivated users table, because this other table, end users can see the users on it.

We dont want to turn off the "User Query" business rule, because then you can see all deactivated users across the platform.

So how do you all handle your deactivated users, and how you reactivate them?

Brad Tilton · ‎08-24-2018

I think your second table idea would work.

Another thing you could do would be to new users and reactivations the same on the front end where the manager is concerned. They would fill out a new user request and give you the necessary info to create the new user, then on the back end your workflow could either match it to an existing user or create a new one.

Steven Young · ‎08-24-2018

Thanks Brad,

Part of the problem is that we have to purge certain data when an account is deactivated, so we dont have the unique identifiers to say it's the same person.

Sometimes the users/managers know the userID of the person. most of the time they dont.

keith_schaefer · ‎08-24-2018

Is the main issue the managers not being able to see inactive users? You mentioned the 'User Query' business rule. You may be able to just edit the conditions to allow managers to also return inactive users. Or create a copy of the BR and edit the conditions for managers instead of admin.

Also worth noting is 'locked out' remains true when active is updated to true. So for any re-activated user, their [sys_user] record must explicitly uncheck the locked out field to enable them to log back into the instance.

Steven Young · ‎08-24-2018

Hey Keith,

It's not always managers that need to submit reactivation requests. Sometimes its secretaries, sometimes it's managers, sometimes, other people.

The issue is that the OOB BR puts a limit on it. We're trying not to customize too much so i'm looking to find out how other people do deactivations/reactivations. This question is not so much based on solutions for me as to what other people do.

and yes i know about the locked out. thanks.