Operator disablement policies does not disable dormant operators
On enabling the Operator disablement policies with a set of excluded users, dormant users (those who have never logged in) are not removed.
Steps to Reproduce
- Navigate to the Security Policies landing page.
- Set the Number of days of inactivity to 90.
- Add a set of users to the exclusion list.
- Run a custom report. Check the list of users with the OperatorIsDeactivated field filtered to blank or false. Check the operators who have never logged in. Hence, pyLastSignon is null.
- Ensure the Last SignOn field is filtered to < Last 90 Days.
- Restart the DisableDormantOperators agent.
The default DisableDormantOperators agent invokes the pzDisableDormantOperators activity to fetch all the operators whose pyLastSignon time is before the period of inactivity. The operators who have never logged in after creation are not considered. For these operators, the pyLastSignon is null, and hence these users are never disabled.
An enhancement request, FDBK-26535, is created for consideration by Pega Product Management.
Perform either of the following local-changes,
- Execute Pega API Help /users/disable API, or add an activity to execute /users/disable API on a list of operators that must be disabled.
a. Navigate to Resources > Pega API Help > Users.
b. Select POST /users/ disable.
c. In requestBody, add the model with the users to disable, as below:
"Message": "Security profile changed",
d. Run the model. This disables all the users given in the model.
- Create an activity using the below steps.
a. Disable the list of operators.
b. Invoke the /users/disable REST API with the list of operators that must be disabled. The list of operators to be disabled must be created by business logic and the page passed as formatted JSON. This disables the oeprators that are passed.
To execute the activity periodically, create an agent and invoke the activity in it.
- Create another agent similar to the DisableDormantOperators agent.
a. Save As the pzDisableDormantOperators to a different name and refer the new activity from the new agent.
b. Modify Step 2 of the new activity to include the below:
pyLastSignon = NULL
.pxCommitDateTime Is Less Than @addToDate(@CurrentDateTime(),local.daysOfInactivity,"","","")
As a result, the system has two agents, the default and the new agent.
The default agent disables operators with the pyLastSignon value and the custom agent manages operators who have never logged in.