Note: this component is designated "advanced", which means that objects of this type are not expected to be created or altered in most environments. If you believe that such a change is necessary, you may want to contact support in order to understand the potential impact of that change.
The Idle Account Data Security Auditor identifies accounts that have been idle (that is, the end user has not authenticated) for longer than a specified length of time. This auditor can only evaluate accounts whose password policy has either the last login time or the recent login history feature enabled, because those features are what record when an account last authenticated. Accounts associated with a password policy in which neither feature is enabled are ignored and never appear in the report.
The Idle Account Data Security Auditor component inherits from the Data Security Auditor.
The properties supported by this managed object are as follows:
Basic Properties: | Advanced Properties: |
---|---|
enabled | None |
report-file | |
include-attribute | |
audit-backend | |
audit-severity | |
idle-account-warning-interval | |
idle-account-error-interval | |
never-logged-in-account-warning-interval | |
never-logged-in-account-error-interval | |
enabled
Description | Indicates whether the Data Security Auditor is enabled for use. |
Default Value | true |
Allowed Values | true false |
Multi-Valued | No |
Required | Yes |
Admin Action Required | None. Modification requires no further action |
report-file
Description | Specifies the name of the detailed report file. |
Default Value | idle-accounts.ldif |
Allowed Values | A string |
Multi-Valued | No |
Required | Yes |
Admin Action Required | None. Modification requires no further action |
include-attribute
Description | Specifies which attributes from the audited entries should be included in the detailed report. By default, no attributes are included. Note that reported entries use a different object class than the original entry. If you wish to include the original object class, specify objectClass in this property; the report entry will then carry the original objectClass values in the ds-data-security-audit-objectclass attribute. |
Default Value | None |
Allowed Values | The name or OID of an attribute type defined in the server schema. |
Multi-Valued | Yes |
Required | No |
Admin Action Required | None. Modification requires no further action |
audit-backend
Description | Specifies which backends the data security auditor may be applied to. By default, the data security auditor audits entries in all backend types that support data auditing (Local DB, LDIF, and Config File Handler). |
Default Value | None |
Allowed Values | The DN of any Backend. |
Multi-Valued | Yes |
Required | No |
Admin Action Required | None. Modification requires no further action |
audit-severity
Description | Specifies the minimum severity of events to include in the report. Severity can be one of error, warning, notice, or verbose; each level includes all events from the more severe levels before it. See the description of the Data Security Auditor for what events are reported at each severity level. |
Default Value | notice |
Allowed Values | error - Only the most important security risks are identified. warning - Includes all events from the error severity level as well as events that are less severe or may present issues in the near future. notice - Includes all events from the error and warning levels as well as events that do not necessarily indicate problems but are things that administrators may want to take note of. verbose - Includes all events from the error, warning, and notice levels as well as information considered less significant or with only marginal security risk. |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
idle-account-warning-interval
Description | The length of time to use as the warning interval for idle accounts. If the length of time since a user last authenticated is greater than the warning interval but less than the error interval (or if it is greater than the warning interval and no error interval is defined), then a warning will be generated for that account. |
Default Value | None |
Allowed Values | A duration. Lower limit is 0 milliseconds. |
Multi-Valued | No |
Required | Yes |
Admin Action Required | None. Modification requires no further action |
idle-account-error-interval
Description | The length of time to use as the error interval for idle accounts. If the length of time since a user last authenticated is greater than the error interval, then an error will be generated for that account. If no error interval is defined, then only the warning interval will be used. |
Default Value | None |
Allowed Values | A duration. Lower limit is 0 milliseconds. |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
never-logged-in-account-warning-interval
Description | The length of time to use as the warning interval for accounts that do not appear to have authenticated. If this is not specified, then the idle account warning interval will be used. |
Default Value | None |
Allowed Values | A duration. Lower limit is 0 milliseconds. |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
never-logged-in-account-error-interval
Description | The length of time to use as the error interval for accounts that do not appear to have authenticated. If this is not specified, then the never-logged-in warning interval will be used. If neither never-logged-in interval is configured, the idle account warning and error intervals apply to never-logged-in accounts as well. |
Default Value | None |
Allowed Values | A duration. Lower limit is 0 milliseconds. |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
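The interval fallback chain and the audit-severity threshold described above are easy to misread, so the following added example models them in Python. It is an illustration written for this page, not server code: the real auditor reads password-policy state from the backend and writes an LDIF report, whereas here accounts are plain objects, the result is a list of findings, and the reference point for accounts that have never authenticated is assumed to be their creation time (the page does not state what the server uses). The account names and timestamps are constructed.

```python
"""Model of the Idle Account Data Security Auditor's interval and severity
logic. Added illustration only; it is not the server's implementation."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# audit-severity order: each level includes everything at the levels before it.
SEVERITY_RANK = {"error": 0, "warning": 1, "notice": 2, "verbose": 3}


@dataclass
class Account:
    dn: str
    # Assumption: creation time is the reference point for accounts that have
    # never authenticated; the reference page does not say what the server uses.
    created: datetime
    last_login: Optional[datetime]   # None means the account never logged in
    policy_tracks_logins: bool       # last-login-time or login-history enabled


@dataclass
class IdleAccountAuditor:
    idle_warning: timedelta                    # idle-account-warning-interval (required)
    idle_error: Optional[timedelta] = None     # idle-account-error-interval
    never_warning: Optional[timedelta] = None  # never-logged-in-account-warning-interval
    never_error: Optional[timedelta] = None    # never-logged-in-account-error-interval
    audit_severity: str = "notice"             # audit-severity (default notice)

    def effective_intervals(self, never_logged_in: bool) -> Tuple[timedelta, Optional[timedelta]]:
        """Resolve the fallback chain spelled out in the property descriptions."""
        if not never_logged_in:
            return self.idle_warning, self.idle_error
        if self.never_warning is None and self.never_error is None:
            # No never-logged-in interval configured: the idle intervals apply.
            return self.idle_warning, self.idle_error
        warning = self.never_warning if self.never_warning is not None else self.idle_warning
        # Literal reading of the reference: a missing never-logged-in error
        # interval falls back to the never-logged-in warning interval.
        error = self.never_error if self.never_error is not None else self.never_warning
        return warning, error

    def classify(self, account: Account, now: datetime) -> Optional[str]:
        """Return 'error', 'warning' or None for one account."""
        if not account.policy_tracks_logins:
            return None  # ignored: the password policy records no login information
        never = account.last_login is None
        elapsed = now - (account.created if never else account.last_login)
        warning, error = self.effective_intervals(never)
        if elapsed <= warning:
            return None
        # Past the warning interval; it is an error only if an error interval
        # exists and has also been exceeded (exactly equal counts as a warning).
        return "error" if error is not None and elapsed > error else "warning"

    def report(self, accounts: List[Account], now: datetime) -> List[Tuple[str, str]]:
        """Findings at or above the configured audit-severity, as (dn, severity)."""
        threshold = SEVERITY_RANK[self.audit_severity]
        findings = []
        for account in accounts:
            severity = self.classify(account, now)
            if severity is not None and SEVERITY_RANK[severity] <= threshold:
                findings.append((account.dn, severity))
        return findings


# Constructed sample data; none of these DNs or times come from a real directory.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    Account("uid=alice,ou=People,dc=example,dc=com", NOW - timedelta(days=400),
            NOW - timedelta(days=10), True),    # active, no finding
    Account("uid=bob,ou=People,dc=example,dc=com", NOW - timedelta(days=400),
            NOW - timedelta(days=120), True),   # idle past warning interval
    Account("uid=carol,ou=People,dc=example,dc=com", NOW - timedelta(days=400),
            NOW - timedelta(days=200), True),   # idle past error interval
    Account("uid=dave,ou=People,dc=example,dc=com", NOW - timedelta(days=45),
            None, True),                        # never logged in, created 45 days ago
    Account("uid=svc-backup,ou=Services,dc=example,dc=com", NOW - timedelta(days=400),
            None, False),                       # policy tracks no logins: ignored
]

# Hypothetical configuration: 90/180-day idle intervals, 30/60-day never-logged-in intervals.
EXAMPLE_AUDITOR = IdleAccountAuditor(idle_warning=timedelta(days=90),
                                     idle_error=timedelta(days=180),
                                     never_warning=timedelta(days=30),
                                     never_error=timedelta(days=60))

if __name__ == "__main__":
    for dn, severity in EXAMPLE_AUDITOR.report(SAMPLE_ACCOUNTS, NOW):
        print(f"{severity:7s} {dn}")
```

Running the block prints a warning for bob and dave and an error for carol; the service account is skipped because its policy records no login data, which is exactly the blind spot to keep in mind when reading a clean report: an account the auditor cannot see is not the same as an account that is in use.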
To list the configured Data Security Auditors:
dsconfig list-data-security-auditors [--property {propertyName}] ...
To view the configuration for an existing Data Security Auditor:
dsconfig get-data-security-auditor-prop --auditor-name {name} [--tab-delimited] [--script-friendly] [--property {propertyName}] ...
To update the configuration for an existing Data Security Auditor:
dsconfig set-data-security-auditor-prop --auditor-name {name} (--set|--add|--remove) {propertyName}:{propertyValue} [(--set|--add|--remove) {propertyName}:{propertyValue}] ...
To create a new Idle Account Data Security Auditor:
dsconfig create-data-security-auditor --auditor-name {name} --type idle-account --set idle-account-warning-interval:{propertyValue} [--set {propertyName}:{propertyValue}] ...
To delete an existing Data Security Auditor:
dsconfig delete-data-security-auditor --auditor-name {name}