
Configure Automated Directory Cleanup

Automated directory cleanup configuration establishes the workflows, permissions, approval roles, and account store settings required to systematically identify, stage, and retire stale user accounts across managed directories.

Configuration Steps

Step – Details

  1. Create an EmpowerID Person account – Person account used by the system to initiate workflows for directory cleanup
  2. Grant access to directory cleanup workflows – Grant the Person account Initiator access to the SubmitAccTerminationsApproval and TerminateAccountAdvanced workflows
  3. Create the approval Management Role – Management Role containing the people who receive notification of pending terminations, including managers of users with accounts marked for deletion and administrative users with authority to approve disabling and termination of stale accounts
  4. Review and configure cleanup Sets – Review the default SetGroups containing Sets (SQL queries) specifying the criteria for accounts classified as stale: AccountGetPendingTerminationBeforeProcessing, AccountGetPendingTerminationNotProcessed, and AccountGetPendingTerminationProcessed
  5. Configure workflow parameters – Configure parameters for the TerminateAccountAdvanced and SubmitAccountTerminations workflows, including AdminManagementRoleGuids, notification templates, timing settings, and behavioral options
  6. Configure resource system parameters – Configure directory cleanup parameters for each resource system implementing automated directory cleanup
  7. Configure account store settings – Configure directory cleanup settings for each account store implementing automated directory cleanup

Step 1 - Create a Person Account

  1. Navigate to Identity Administration > People.
  2. Click Create Person Simple Mode.
  3. In the Create Person Request form, configure the following:
    • First Name and Last Name – Enter names identifying the account purpose (e.g., "Terminate AccInitiator")
    • eMail – Optional
    • Personal Email – Optional
    • Primary Role and Location:
      • Click Select a Role and Location
      • Search for and select the appropriate Business Role
      • Click the Location tab
      • Search for and select the EmpowerID Location
      • Click Select
    • Manager – Optional
    • Comments or Justification – Describe the account purpose
  4. Click Save.

Step 2 - Grant Workflow Access

Grant SubmitAccTerminationsApproval Access

  1. Navigate to Object Administration > Workflows.
  2. Search for SubmitAccTerminationsApproval and click the Display Name link.
  3. On the Workflow Details page, expand the Who Has Access accordion.
  4. Configure workflow access:
    • Select Person from the To which type of actor do you wish to assign access? dropdown
    • Click Add New Assignee
    • Search for and select the Person account created above
    • Select Initiator as the Access Level
    • Click Save
  5. Verify the Person account appears in the Who Has Access grid.

Grant TerminateAccountAdvanced Access

  1. Click the Find Workflows breadcrumb at the top of the page.
  2. Search for TerminateAccountAdvanced and click the Display Name link.
  3. On the Workflow Details page, expand the Who Has Access accordion.
  4. Configure workflow access:
    • Select Person from the To which type of actor do you wish to assign access? dropdown
    • Click Add New Assignee
    • Search for and select the Person account created above
    • Select Initiator as the Access Level
    • Click Save

Step 3 - Create Approval Management Role

  1. Navigate to Role Management > Management Roles.
  2. Click Create Management Role.
  3. In the Management Role Details form, configure the following:
    • Name – Enter the role name
    • Display Name – Enter the display name
    • Role Type – Select Generic
    • Parent Definition – Select Blank Management Role Definition
    • Creation Location – Click Select a Location, search for and select the creation location
    • Publish in IT Shop – Enable to make the role requestable; otherwise disable
    • High Security – Leave disabled
    • Description – Describe the role purpose
    • Instructions – Optional
    • eMail – Optional
  4. Click Save.
  5. After EmpowerID creates the role, click the Advanced tab.
  6. Expand the ADVANCED accordion.
  7. Locate and copy the Management Role GUID; it is required for the AdminManagementRoleGuids workflow parameter and the resource system configuration in later steps.

Step 4 - Review and Configure SetGroups

EmpowerID provides default SetGroups with SQL queries defining staleness criteria. These SetGroups can be used as provided, modified to meet organizational requirements, or used as templates for additional SetGroups supporting multiple directories.

Review AccountGetPendingTerminationBeforeProcessing

  1. Navigate to Role Management > Query-Based Collections (SetGroup).
  2. From the Queries (Sets) tab, search for AccountGetPendingTerminationBeforeProcessing and click the Name link.
  3. Review the query in the Filter section.
  4. If the filter meets organizational staleness criteria, proceed to the next SetGroup; otherwise, click Edit, modify the query, and save.

Review AccountGetPendingTerminationNotProcessed

  1. Return to the Find SetGroup page.
  2. Search for AccountGetPendingTerminationNotProcessed and click the Name link.
  3. Review the query in the Filter section.
  4. If the filter meets organizational requirements, proceed to the next SetGroup; otherwise, click Edit, modify the query, and save.

Review AccountGetPendingTerminationProcessed

  1. Return to the Find SetGroup page.
  2. Search for AccountGetPendingTerminationProcessed and click the Name link.
  3. Review the query in the Filter section.
  4. If the filter meets organizational requirements, proceed to workflow configuration; otherwise, click Edit, modify the query, and save.

Step 5 - Configure Workflow Parameters

Configure SubmitAccountTerminations Workflow Parameters

  1. Navigate to Object Administration > Workflows.

  2. Search for SubmitAccountTerminations and click the Display Name link.

  3. On the Workflow Details page, expand the Request Workflow Parameters accordion.

  4. Edit each parameter value as needed:

    • AdminManagementRoleGuids – GUID of the approval Management Role created above
    • DeleteAccountDaysAfterMove – Days after staging before account deletion
    • DisableAccountOnMove – Boolean specifying whether to disable accounts when moved to staging OU
    • EmailTemplateAdminMoveNotification – Email template for admin move notifications (use default unless custom template exists)
    • EmailTemplateAdminPreMoveNotification – Email template for admin pre-move notifications (use default unless custom template exists)
    • EmailTemplateManagerMoveNotification – Email template for manager move notifications (use default unless custom template exists)
    • EmailTemplateManagerPreMoveNotification – Email template for manager pre-move notifications (use default unless custom template exists)
    • EmailDaysXBeforeMove – Days before account move to send notifications
    • MoveAccountXDaysDisabled – Days an account must be disabled before moving to staging OU
    • MoveAccountXDaysNoLogin – Days without login before account becomes eligible for staging

Configure TerminateAccountAdvanced Workflow Parameters

  1. Navigate to Object Administration > Workflows.

  2. Search for TerminateAccountAdvanced and click the Display Name link.

  3. On the Workflow Details page, expand the Request Workflow Parameters accordion.

  4. Edit each parameter value as needed:

    • AdminManagementRoleGuids – GUID of the approval Management Role
    • EmailTemplateAdminDeletionNotification – Email template for admin deletion notifications (use default unless custom template exists)
    • EmailTemplateManagerDeletionNotification – Email template for manager deletion notifications (use default unless custom template exists)
    • NotifyAdminManagementRole – Set to true to send notifications to Management Role members
    • NotifyManager – Set to true to send notifications to managers of affected users

Step 6 - Configure Resource System Parameters

  1. Navigate to Admin > Applications and Directories > Account Stores and Systems.

  2. Select the Resource Systems tab.

  3. Search for the resource system of the target account store and click the Display Name link.

  4. Click the Resource System tab.

  5. Expand the Configuration Parameters accordion.

  6. Click Edit for each parameter and enter the appropriate values:

    • ApprovalApproverManagementRoleGUID – GUID of the approval Management Role
    • SubmitAccountTerminationsApprovalInitiatorPersonID – Person ID of the SubmitAccountTerminationsApproval workflow initiator
    • TaskApprovalPendingStatus – Leave set to false (set automatically by Submit Account Terminations workflow)
    • TerminationAccountAdvancedInitiatorPersonID – Person ID of the TerminateAccountAdvanced workflow initiator
    • TerminationBeforeProcessingSetGroupGUID – GUID of the AccountGetPendingTerminationBeforeProcessing SetGroup
    • TerminationNotProcessedSetGroupGUID – GUID of the AccountGetPendingTerminationNotProcessed SetGroup
    • TerminationProcessedSetGroupGUID – GUID of the AccountGetPendingTerminationProcessed SetGroup
    • ThresholdOnAccounts – Maximum number of accounts processed simultaneously
  7. Save changes for each parameter.

Step 7 - Configure Account Store Settings

  1. Navigate to Admin > Applications and Directories > Account Stores and Systems.
  2. Select the Account Stores tab.
  3. Search for the target account store and click the Account Store link.
  4. From the Account Store tab, click the Edit link (pencil icon) to enable Edit mode.
  5. Scroll to the Directory Cleanup Settings section and configure:
    • Directory Clean Up Enabled – Select to enable automated directory cleanup for the account store
    • Report Only Mode (No Changes) – Select to generate reports without executing cleanup actions (all matching accounts are set to Termination Pending)
    • OU to Move Stale Accounts – Click Select an External Location, search for and select the organizational unit for staging accounts (Active Directory and LDAP account stores only)
  6. Click Save.

After completing the configuration, the Submit Account Terminations permanent workflow claims account stores where Directory Clean Up is enabled. The workflow processes accounts based on the SetGroup criteria, threshold settings, and notification parameters configured above. When the number of accounts reaches the specified threshold, the Submit Account Terminations Approval workflow is invoked to route approval tasks to the designated Management Role.
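The following is an added illustration, not EmpowerID code, of how the Step 5 timing parameters, the ThresholdOnAccounts resource system parameter and the Report Only Mode account store setting interact over an account's lifecycle. The account model, the rule that either the no-login or the disabled criterion alone makes an account eligible, and the treatment of the threshold as both a batch cap and an approval trigger are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class CleanupParams:
    # Names mirror the SubmitAccountTerminations parameters; values are sample defaults.
    MoveAccountXDaysNoLogin: int = 90
    MoveAccountXDaysDisabled: int = 30
    EmailDaysXBeforeMove: int = 14
    DeleteAccountDaysAfterMove: int = 30
    ThresholdOnAccounts: int = 2        # resource system parameter (Step 6)
    ReportOnlyMode: bool = False        # account store setting (Step 7)

@dataclass
class Account:  # hypothetical account record, not EmpowerID's schema
    name: str
    last_login: Optional[date]
    disabled_since: Optional[date] = None
    moved_to_staging_on: Optional[date] = None

def planned_move_date(acct, p):
    """Earliest date the account qualifies for the staging OU.
    Assumption: the no-login or the disabled criterion alone is sufficient."""
    candidates = []
    if acct.last_login is not None:
        candidates.append(acct.last_login + timedelta(days=p.MoveAccountXDaysNoLogin))
    if acct.disabled_since is not None:
        candidates.append(acct.disabled_since + timedelta(days=p.MoveAccountXDaysDisabled))
    return min(candidates) if candidates else None

def classify(acct, p, today):
    """Map an account onto the stages the parameters describe."""
    if acct.moved_to_staging_on is not None:
        if today >= acct.moved_to_staging_on + timedelta(days=p.DeleteAccountDaysAfterMove):
            return "delete"            # DeleteAccountDaysAfterMove has elapsed
        return "staged"                # parked in the staging OU, not yet deletable
    move_on = planned_move_date(acct, p)
    if move_on is None or today < move_on - timedelta(days=p.EmailDaysXBeforeMove):
        return "active"                # outside the pre-move notification window
    return "move" if today >= move_on else "pre-move-notify"

def plan_batch(accounts, p, today):
    """Return (actions, needs_approval) for one processing pass."""
    matches = [(a.name, classify(a, p, today)) for a in accounts]
    matches = [(n, s) for n, s in matches if s in ("move", "delete")]
    needs_approval = len(matches) >= p.ThresholdOnAccounts   # approval routed at threshold
    if p.ReportOnlyMode:                                      # report, change nothing
        return [(n, "termination-pending") for n, _ in matches], needs_approval
    return matches[:p.ThresholdOnAccounts], needs_approval    # cap the batch
```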