We need a way to deactivate a user without deleting them or removing all their permissions. We need to keep them existing for an audit trail.

Comments

  • Create a "no access" security group and assign it, then the audit trail will tell you what their previous security group assignment was. Knowing what their security group was isn't as foolproof for audits as you may think, since the setting for the security group can be changed at any time. That said, I do like your idea of inactivating users - could be assigned to IT to do as part of their checklist when an employee leaves.

  • In addition, you should set the Use Application Role and deselect the Read Access options to further secure the user account. If you have deployed Windows Authentication then you should have all the security layers covered.

  • Would something like this accomplish what you are looking for?

    1) Add an Active attribute for users where the default is active.

    2) Modify login screen to reject login if the Active attribute for the user is false.

    3) Modify the users screen to maintain the Active status. A permission is required to change the active status of a user. A user is active or inactive regardless of any other user values or settings.

    4) Changes to the Active flag are logged.

    5) User list gets filter for user Active status.

    This is probably a simplistic approach, but the simpler it is the more likely it could be done. Any opinions about the pros or cons of this user inactivation methodology?
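The five steps above, worked through as an added example (hypothetical code written for this page, not code from the product under discussion): Python with an in-memory sqlite3 database. The table and column names, the `can_manage_users` permission flag, the PBKDF2 password storage and the sample users are all assumptions made for the illustration.

```python
"""Illustrative implementation of the user-inactivation proposal above.

Hypothetical example built around an in-memory sqlite3 database; it is not
code from the product being discussed.  Table/column names, the
can_manage_users permission and the sample users are assumptions.
"""
import hashlib
import hmac
import os
import sqlite3
from datetime import datetime, timezone

SCHEMA = """
CREATE TABLE users (
    username         TEXT PRIMARY KEY,
    pw_salt          BLOB NOT NULL,
    pw_hash          BLOB NOT NULL,
    is_active        INTEGER NOT NULL DEFAULT 1,  -- step 1: default is active
    can_manage_users INTEGER NOT NULL DEFAULT 0   -- step 3: permission to change status
);
CREATE TABLE user_status_audit (                  -- step 4: changes are logged
    id         INTEGER PRIMARY KEY AUTOINCREMENT,
    changed_at TEXT NOT NULL,
    actor      TEXT NOT NULL,
    target     TEXT NOT NULL,
    old_active INTEGER NOT NULL,
    new_active INTEGER NOT NULL
);
"""


class PermissionDenied(Exception):
    pass


def _hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def add_user(conn, username, password, can_manage_users=False):
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO users (username, pw_salt, pw_hash, can_manage_users) VALUES (?, ?, ?, ?)",
        (username, salt, _hash_pw(password, salt), int(can_manage_users)),
    )
    conn.commit()


def login(conn, username, password):
    """Step 2: reject the login if the user is inactive.  Returns True on success.

    Credentials are verified first and the Active flag checked last, so a bad
    password and an inactive account produce the same result (False).
    """
    row = conn.execute(
        "SELECT pw_salt, pw_hash, is_active FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored, is_active = row
    if not hmac.compare_digest(_hash_pw(password, salt), stored):
        return False
    return bool(is_active)


def can_change_status(conn, actor):
    """Only an *active* user holding the permission may change Active flags,
    so a deactivated administrator cannot reactivate their own account."""
    row = conn.execute(
        "SELECT is_active, can_manage_users FROM users WHERE username = ?", (actor,)
    ).fetchone()
    return row is not None and bool(row[0]) and bool(row[1])


def set_active(conn, actor, target, active):
    """Step 3: change the Active status.  The user's other settings (roles,
    group membership) are deliberately left untouched.  Returns True if a
    change was made and logged, False if the flag already had that value."""
    if not can_change_status(conn, actor):
        raise PermissionDenied(f"{actor} may not change user status")
    row = conn.execute("SELECT is_active FROM users WHERE username = ?", (target,)).fetchone()
    if row is None:
        raise KeyError(target)
    old, new = row[0], int(bool(active))
    if old == new:
        return False
    conn.execute("UPDATE users SET is_active = ? WHERE username = ?", (new, target))
    conn.execute(
        "INSERT INTO user_status_audit (changed_at, actor, target, old_active, new_active)"
        " VALUES (?, ?, ?, ?, ?)",
        (datetime.now(timezone.utc).isoformat(), actor, target, old, new),
    )
    conn.commit()
    return True


def list_users(conn, active=None):
    """Step 5: user list with an optional Active filter (None = everyone)."""
    if active is None:
        rows = conn.execute("SELECT username FROM users ORDER BY username").fetchall()
    else:
        rows = conn.execute(
            "SELECT username FROM users WHERE is_active = ? ORDER BY username", (int(active),)
        ).fetchall()
    return [r[0] for r in rows]


def audit_trail(conn, target):
    """Who changed this user's Active flag, from what, to what (oldest first)."""
    return conn.execute(
        "SELECT actor, old_active, new_active FROM user_status_audit"
        " WHERE target = ? ORDER BY id",
        (target,),
    ).fetchall()


if __name__ == "__main__":
    db = open_db()
    add_user(db, "it.admin", "pw-admin", can_manage_users=True)  # constructed sample users
    add_user(db, "jsmith", "pw-jsmith")
    set_active(db, "it.admin", "jsmith", False)   # employee leaves: IT checklist step
    print("jsmith can log in:", login(db, "jsmith", "pw-jsmith"))
    print("inactive users:", list_users(db, active=False))
    print("audit trail for jsmith:", audit_trail(db, "jsmith"))
```

Two points in the design are worth noting. The deactivated user keeps every role and group assignment, which is what the original request asks for; only the flag and the audit row change, so the record of what they were allowed to do survives. And because `set_active` requires the actor to be active as well as permitted, deactivating an administrator also removes their ability to undo it.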