question Best practice for deactivating users? in Developer forum

Best practice for deactivating users?

Suggy — Sun, 18 Feb 2024 13:08:11 GMT

Hello,

Best practice for deactivating users?

Should it be automated via AD / Azure? or should we use catalog item (user offboarding?)

How are you managing today?

Re: Best practice for deactivating users?

Sohail Khilji — Sun, 18 Feb 2024 13:15:22 GMT

Hi @Suggy ,

Usually users are managed by AD, on top of there Organization uses several ways to manage user.

Yes you can create catalog item to manage them and use workflow to automatically disable user.

Sometimes you can also use schedule job to deactivate the users if the 'last login' field is in last 6months or 1 year etc...

I hope this helps...

Re: Best practice for deactivating users?

Anand Kumar P — Sun, 18 Feb 2024 15:13:50 GMT

Hi @Suggy ,

-->If your company uses Active Directory or Azure, set up a way to automatically turn off users in ServiceNow when they’re deactivated in AD/Azure.
-->Create a regular check in ServiceNow to see who hasn’t used the system in a while and turn them off if needed.
--->Make a catalog form for when someone leaves the company so HR can easily request to turn off their access to ServiceNow.

Mark it as helpful and solution proposed if it serves your purpose.
Thanks,
Anand

Re: Best practice for deactivating users?

Dr Atul G- LNG — Sun, 18 Feb 2024 15:52:01 GMT

Hi @Suggy

Deactivation is very important step and need to do very carefully,

Before we add this on platform, we need to define the process.

- Make sure the account deactivation must be done via catalog item.

- Add approval in same

- Before deactivation, please check is user has owner of group/ reports / dashboards so that before deactivation the records transfer to new user.

- As part of offboarding , try to account locked instead of active = false.

Rest as been suggested by @Anand Kumar P @Sohail Khilji is also a good way.

Re: Best practice for deactivating users?

Suggy — Mon, 19 Feb 2024 05:25:38 GMT

Hi @Dr Atul G- LNG

You said "As part of offboarding , try to account locked instead of active = false." - Any rationale behind this?

Also what do you recommend? Asking this question because you mentioned both statements "Make sure the account deactivation must be done via catalog item" AND "Rest as been suggested by @Anand Kumar P @Sohail Khilji is also a good way." which are not the same.

What I leaning towards is your answer because that we also validating with the help of approvers + validations wrt group/ reports / dashboards/scheduled jobs etc if any

PS - I know the various ways we can deactivate, but I am looking for BEST practices here 🙂

Re: Best practice for deactivating users?

Dr Atul G- LNG — Mon, 19 Feb 2024 10:40:39 GMT

Hi @Suggy

Greetings!!

You said "As part of offboarding , try to account locked instead of active = false." - Any rationale behind this?

Yes, and this is I learn from experience, by making active - False, use name will not appear in any record for incident creation or report (may be need to raise incident /record after off boarding) so i said, account locked is good option.

Re: Best practice for deactivating users?

Robbie — Mon, 19 Feb 2024 10:55:58 GMT

Hi @Suggy,

Best Practice - If you use tooling for account activity such as AD or Azure, then all account activity should be managed through that source of truth, including deactivation otherwise you will get out of sync.

Whilst I understand that it is common to have a catalog item for offboarding, the account should not be deactivated at the completion of that item within ServiceNow.

The update should be sent to AD/Azure which in turn will update ServiceNow on the sync job. That is why such tooling is used to ensure we have a single source of truth.

To help others (or for me to help you more directly), please mark this response correct by clicking on Accept as Solution and/or Helpful.

Thanks, Robbie

Re: Best practice for deactivating users?

Suggy — Tue, 20 Feb 2024 04:56:39 GMT

Hi @Robbie Is that process widely being followed? I have seen customers where they dont allow writing back to AD. They always push the data to ServiceNow but dont allow to write back to them.

PS - I know the various ways as to how user can be deactivated, but I am looking for industry best practices, how its generally done.

Until now if you see all the above answers, its different answer by each person 🙂

Re: Best practice for deactivating users?

Aman Kumar S — Tue, 20 Feb 2024 05:59:28 GMT

Hi @Suggy

If you are maintaining user profiles, and whenever the offboarding kicks off and you are maintaining lifecycle management within the AD, then that can be a way to deactivate a user in ServiceNow.

Explicitly using catalog to deactivate a user seems reduntant, ideally it should have single source of truth, ie your AD.

Re: Best practice for deactivating users?

Robbie — Tue, 20 Feb 2024 09:05:39 GMT

Hi @Suggy - It is interesting to see the different responses.

I'll just say this and let you and others decide - what's the point of having a single source of truth such as AD or Okta etc if it's not used? How do you know which system is correct?

One system should control all systems in an ideal world (and is best practice), but granted, this is not always followed for various reasons.

To help others (or for me to help you more directly), please mark this response correct by clicking on Accept as Solution and/or Helpful.

Thanks, Robbie

Re: Best practice for deactivating users?

Robbie — Thu, 22 Feb 2024 09:42:19 GMT

Hi @Suggy - It is interesting to see the different responses.

How are you getting on? I'm struggling to see an accurate and easily maintainable solution without implementing a single source of truth.

I'll just say this and let you and others decide - what's the point of having a single source of truth such as AD or Okta etc if it's not used? How do you know which system is correct?

One system should control all systems in an ideal world (and is best practice), but granted, this is not always followed for various reasons.

To help others (or for me to help you more directly), please mark this response correct by clicking on Accept as Solution and/or Helpful.

Thanks, Robbie