5.0 Sending Alerts when Rogue Administration Occurs

This solution requires Identity Manager and Sentinel™ or Sentinel RD.

When an identity attribute is changed by an administrator rather than by Identity Manager, Sentinel logs the event and then takes the appropriate action. For example, the action can be sending an e-mail, raising an alert, or terminating the rogue administrator’s account. This solution not only detects the rogue activity, it also identifies who performed the activity and then takes immediate action against that account.

This solution uses the SOAP integrator feature of Sentinel to integrate with the User Application. The SOAP integrator allows Sentinel to call the SOAP endpoints provided by the User Application to initiate User Application workflows. These workflows are usually stored in the User Application's Provisioning Request Definitions under the Directory Abstraction Layer (DAL).

The Rogue_Administration_Activity workflow is called from Sentinel. It sets the user’s LoginDisabled attribute to True and sends the Default Approver (user or group) a workflow item to notify them that the user might be attempting illicit network activity.
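The detection and response logic described above can be sketched as follows. This is an added example, not code from Sentinel or Identity Manager: the event fields, the DNs, and the watched-attribute list are constructed assumptions, and in the real solution the workflow is started through the SOAP integrator rather than by a script.

```python
from collections import defaultdict

# Assumption: DNs of the accounts Identity Manager itself uses to write changes.
IDM_ACTORS = {"cn=idm-driver,ou=services,o=example"}
# Assumption: identity attributes that only Identity Manager is expected to modify.
WATCHED_ATTRS = {"title", "manager", "groupmembership", "logindisabled"}

# Constructed sample events; field names are illustrative, not Sentinel's schema.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:00Z", "actor": "cn=idm-driver,ou=services,o=example",
     "target": "cn=jdoe,ou=users,o=example", "attr": "title"},
    {"time": "2024-05-01T09:05:12Z", "actor": "cn=badmin,ou=admins,o=example",
     "target": "cn=jdoe,ou=users,o=example", "attr": "groupMembership"},
    {"time": "2024-05-01T09:05:40Z", "actor": "CN=badmin, OU=admins, O=example",
     "target": "cn=asmith,ou=users,o=example", "attr": "manager"},
    {"time": "2024-05-01T09:07:00Z", "actor": "cn=helpdesk,ou=admins,o=example",
     "target": "cn=asmith,ou=users,o=example", "attr": "description"},
]

def norm(dn):
    """Comparison key for a DN (simplified: lowercases, trims spaces around commas)."""
    return ",".join(part.strip() for part in dn.lower().split(","))

def find_rogue_changes(events, idm_actors=IDM_ACTORS, watched=WATCHED_ATTRS):
    """Group watched-attribute changes not made by Identity Manager, keyed by actor."""
    trusted = {norm(a) for a in idm_actors}
    by_actor = defaultdict(list)
    for ev in events:
        actor = norm(ev["actor"])
        if ev["attr"].lower() in watched and actor not in trusted:
            by_actor[actor].append((ev["time"], norm(ev["target"]), ev["attr"]))
    return dict(by_actor)

def plan_responses(rogue):
    """One workflow request per rogue actor, mirroring what the workflow is described to do."""
    return [{"workflow": "Rogue_Administration_Activity",
             "user": actor,                      # account the action is taken against
             "set": {"LoginDisabled": True},
             "evidence": sorted(changes)}        # what the approver is shown
            for actor, changes in sorted(rogue.items())]

if __name__ == "__main__":
    for request in plan_responses(find_rogue_changes(SAMPLE_EVENTS)):
        print(request)
```

Grouping by actor means an administrator who makes several out-of-band changes triggers one workflow request carrying all of the evidence, rather than one request per change.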

The following sections outline the steps required to implement this scenario.