4.5 Configuring the Identity De-Provisioning Control

Additional configuration steps are required to implement the Identity De-Provisioning Control.

4.5.1 Enabling Auditing on All Endpoint Systems

You must enable auditing of the desired user events on each endpoint system. This configuration determines which events are sent to Sentinel for tracking. The endpoint systems are the systems that are part of the Identity Manager solution, for example eDirectory or Active Directory.

Configuration steps differ for each endpoint system. For example, in eDirectory you set the events to track on the properties of each object. You need to track events related to user authentication, such as when a login or logout occurs. Figure 4-1 is an example of enabling events on the server object.

Figure 4-1 Enabling Audit Events on eDirectory

4.5.2 Configuring the Unauthorized Access by Terminated Employee Rule

This rule detects unauthorized access to enterprise resources. The rule contains two actions that need to be configured for your enterprise.
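As an added illustration (not Sentinel's rule definition or the vendor's code), the Python sketch below shows the kind of correlation such a rule performs, assuming it matches forwarded login events against de-provisioning times. The event fields, sample users, and function names are constructed for this example.

```python
from datetime import datetime

# Constructed sample data. Field names are hypothetical, not Sentinel's event schema.
TERMINATIONS = [  # de-provisioning events from the identity system
    {"user": "cn=jdoe,ou=users,o=acme", "at": "2024-03-01T17:00:00"},
    {"user": "cn=asmith,ou=users,o=acme", "at": "2024-03-04T09:30:00"},
]
AUTH_EVENTS = [  # login/logout audit events forwarded by the endpoint systems
    {"user": "CN=jdoe,OU=users,O=acme", "event": "login",
     "at": "2024-03-01T08:55:00", "source": "eDirectory"},
    {"user": "cn=jdoe,ou=users,o=acme", "event": "logout",
     "at": "2024-03-01T17:05:00", "source": "eDirectory"},
    {"user": "cn=jdoe, ou=users, o=acme", "event": "login",
     "at": "2024-03-02T23:10:00", "source": "Active Directory"},
    {"user": "cn=asmith,ou=users,o=acme", "event": "login",
     "at": "2024-03-04T09:30:00", "source": "eDirectory"},
    {"user": "cn=bwong,ou=users,o=acme", "event": "login",
     "at": "2024-03-05T10:00:00", "source": "eDirectory"},
]

def normalize(dn):
    """Compare directory names case-insensitively, ignoring spaces around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def terminated_logins(terminations, auth_events):
    """Return (user, source, time) for each login at or after the user's termination."""
    cutoff = {}
    for t in terminations:
        user, when = normalize(t["user"]), datetime.fromisoformat(t["at"])
        cutoff[user] = min(when, cutoff.get(user, when))  # earliest record wins
    hits = []
    for e in auth_events:
        user, when = normalize(e["user"]), datetime.fromisoformat(e["at"])
        # Only logins count: a logout after termination closes an older session.
        if e["event"] == "login" and user in cutoff and when >= cutoff[user]:
            hits.append((user, e["source"], when))
    return sorted(hits, key=lambda h: h[2])

if __name__ == "__main__":
    for user, source, when in terminated_logins(TERMINATIONS, AUTH_EVENTS):
        print(f"ALERT {when.isoformat()} {user} logged in via {source}")
```

Removing the Active Directory events from the sample drops the jdoe alert, which is why auditing has to be enabled on every endpoint system.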

Configuring the Alert Unauthorized Access by Terminated Employee by E-mail Action

You must configure the correct alias account to receive the e-mail alerts.

  1. In the Sentinel Control Center, select Tools > Action Manager.

  2. Select Alert unauthorized access by terminated employee by e-mail, then click View/Edit.

    Editing the e-mail action

  3. Add the correct alias in the To field, then click Save.

Configuring the Report Unauthorized Access by Terminated Employee Action

The Sentinel workflow that reports unauthorized access must contain a valid value for the person who receives the reports.

  1. In the Sentinel Control Center, select Tools > Actions Manager.

  2. Select Report unauthorized access by terminated employee, then click View/Edit.

    Editing the report alert

  3. Specify the correct user name in the Responsible field, then click Save.