
MIDSHIPS

  • Yuxiang Lin

Optimise Your Directory Service

Keep the User Store Clean

Over time, dormant user profiles and historical device profiles accumulate in the user store (directory service), so that a significant portion of the stored data is never used. This paper presents a simple solution to keep the user store clean by retaining only active user profiles and device profiles. The solution consists of a directory service clean-up process and changes to the Access Management (AM) authentication trees to handle the journeys of dormant users. As a result, organisations can lower their licence costs and keep the user store small (which matters for backup and restore times).


Solution

DS Clean Up Process

The DS clean-up process involves the following key activities:


  1. A periodic CronJob triggers a dormant profile batch service to carry out a filtered LDAP search on the user store.

  2. From the search results, the dormant profile batch service determines which user profiles are dormant and archives them by posting them to the profile archival service. User credentials such as the password hash do not need to be archived.

  3. The dormant profile batch service then carries out an LDAP delete on the user store to remove the inactive/dormant user profiles and their device profiles.


Carrying out a filtered LDAP search based on timestamp and profile status requires certain configuration on the directory service:


  • Time-based filtering on LDAP search: LDAP search :: ForgeRock Directory Services

  • Big index for attributes like profile status: Index types :: ForgeRock Directory Services


The DS clean-up process can be handled by IDM (or by a cron job with bash scripts) through the configuration of scheduled script jobs, and the archival of dormant user profiles can be achieved by configuring a DB connector and mapping. Therefore, if the organisation uses IDM, the dormant profile batch service and the profile archival service can both be replaced by IDM.
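As an added illustration of steps 1 to 3 above (example code, not Midships' or ForgeRock's own), the following batch pass builds the time-and-status LDAP filter, reads a constructed LDIF export, decides which entries are dormant, strips credentials from the archive payload and lists the DNs for the LDAP delete. The attribute names `inetUserStatus` and `lastLoginTime`, the 365-day window and the sample entries are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Assumed attribute names and dormancy window; the article names none of them.
STATUS_ATTR, LAST_LOGIN_ATTR = "inetUserStatus", "lastLoginTime"
CREDENTIAL_ATTRS = {"userPassword", "pwdHistory"}  # never sent to the archive
DORMANT_AFTER, NOW = timedelta(days=365), datetime(2024, 7, 15, tzinfo=timezone.utc)
# Constructed export of three users; generalized-time stamps, base64 passwords.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
inetUserStatus: Active
lastLoginTime: 20240601080000Z
userPassword:: e1NTSEE1MTJ9Y29uc3RydWN0ZWQ=

dn: uid=bob,ou=people,dc=example,dc=com
inetUserStatus: Active
lastLoginTime: 20220101080000Z
userPassword:: e1NTSEE1MTJ9Y29uc3RydWN0ZWQ=

dn: uid=carol,ou=people,dc=example,dc=com
inetUserStatus: Inactive
userPassword:: e1NTSEE1MTJ9Y29uc3RydWN0ZWQ=
"""

def dormant_filter(now=NOW, dormant_after=DORMANT_AFTER):
    """Filter for the periodic ldapsearch: inactive status OR stale last login."""
    cutoff = (now - dormant_after).strftime("%Y%m%d%H%M%SZ")
    return f"(|({STATUS_ATTR}=Inactive)({LAST_LOGIN_ATTR}<={cutoff}))"

def parse_ldif(text):
    """Minimal LDIF reader: a blank line ends an entry, '::' marks base64."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:
        key, _, value = line.partition(":")
        if key:
            cur.setdefault(key, []).append(value.lstrip(": "))
        elif cur:
            entries.append(cur)
            cur = {}
    return entries

def is_dormant(entry, now=NOW, dormant_after=DORMANT_AFTER):
    """Dormant if flagged inactive, or if the last login is older than the window."""
    if entry.get(STATUS_ATTR, [""])[0].lower() == "inactive":
        return True
    stamp = entry.get(LAST_LOGIN_ATTR, [None])[0]
    last = stamp and datetime.strptime(stamp, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return bool(last) and now - last >= dormant_after

def plan_cleanup(ldif_text=SAMPLE_LDIF, now=NOW):
    """Returns (archive payloads with credentials stripped, DNs to ldapdelete)."""
    dormant = [e for e in parse_ldif(ldif_text) if is_dormant(e, now)]
    archive = [{k: v for k, v in e.items() if k not in CREDENTIAL_ATTRS} for e in dormant]
    return archive, [e["dn"][0] for e in dormant]
```

The filter returned by `dormant_filter()` is what the CronJob would pass to the search, and it only performs well if the status attribute is big-indexed and the timestamp attribute is indexed for ordering, as the configuration notes above describe.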


AM Authentication Tree Changes

Key changes to the AM authentication trees to handle dormant users:


  • Authentication Tree: during the authentication flow, when AM cannot find the user ID in the user store, AM should query the profile archival service to determine whether the user is an archived dormant user. If so, AM should direct the user to the reset password flow.

  • Reset Password Tree: during the reset password flow, when AM cannot find the user profile in the user store, AM should query the profile archival service to determine whether the user is an archived dormant user. If so, AM should migrate the profile from the database back to the user store.


As with the DS clean-up process, if the organisation uses IDM, the profile archival service can be replaced by IDM, and AM can migrate the archived dormant user profile from the database to the user store using IDM’s system object APIs.


Other DS Optimisations

At Midships we can also help you optimise your onboarding/registration processes so that user accounts are created only after eKYC has been completed, further limiting DS to holding verified, active user accounts.


Are you interested?

If you would like to learn more, please contact sales@midships.io
