Re: Dormant database user accounts

From: Jithin Sarath <jithinsarath_at_gmail.com>
Date: Fri, 13 Mar 2015 15:43:48 -0400
Message-ID: <CACoevcq8pQ+mJd1mDVunYjT77czve7huDcOFFNvkHLO0-XrxEA_at_mail.gmail.com>



What we use is a mix of profiles and custom code.

We have all human users assigned to a specific profile. Other accounts, which are used by applications / interfaces etc., are assigned to separate profiles. The human user profile is set to expire the password every 90 days.

We then have some custom code, which runs to see if a user account is expired and has been in that state for 45 days; if so, we lock it and generate an email to the user (the username and email are linked in a custom table). There is another process which picks up accounts locked for over 90 days and cleans them up.

--Jithin

On Fri, Mar 13, 2015 at 3:38 PM, Marcos Colmenares H. <mcolmenares_at_newtechsistemas.com.ve> wrote:

> I'm with Mark on this one ... I would start sending emails about account
> closure .. then instead of deleting them I would change the passes for a
> month or two... once you change the pass people will either ask why it's not
> working or it's just not needed ...
>
> I would also document all the actual account data (grants and the such)
> and keep it in a document just in case you need to re-create it.
>
> Saludos Cordiales,
>
> Marcos Colmenares H
>
> --
>
> 2015-03-13 14:52 GMT-04:30 Powell, Mark <mark.powell2_at_hp.com>:
>
>> If you are going to notify the user I think you should send the email X
>> days prior to deleting the account.
>>
>>
>>
>>
>>
>> *From:* oracle-l-bounce_at_freelists.org [mailto:
>> oracle-l-bounce_at_freelists.org] *On Behalf Of *Andrew Kerber
>> *Sent:* Friday, March 13, 2015 11:06 AM
>> *To:* lkemnitz_at_uwsa.edu
>> *Cc:* oracle-l_at_freelists.org
>> *Subject:* Re: Dormant database user accounts
>>
>>
>>
>> You need to be a little cautious about this. We have accounts that own
>> objects that we never log in to. But the objects are critical.
>>
>>
>>
>> On Thu, Mar 12, 2015 at 3:05 PM, Leroy Kemnitz <lkemnitz_at_uwsa.edu> wrote:
>>
>> All -
>>
>>
>>
>> We are currently having a discussion in house about user accounts in the
>> databases that are considered 'dormant' or unused. I want to set a limit
>> of one year. If after one year, the account has not been used at all, then
>> I want to delete the account and send an email to the last known email
>> address informing the customer. How do other places handle this
>> situation? Do you lock the accounts and then notify customers - then
>> delete if no response in 2 weeks? What time limits are other people
>> using? I see some people are doing 90 days of not logging in flags an
>> account as 'dormant'.
>>
>>
>>
>> LeRoy
>>
>>
>>
>>
>>
>>
>> --
>>
>> Andrew W. Kerber
>>
>> 'If at first you don't succeed, don't take up skydiving.'
>>
>
>

--
http://www.freelists.org/webpage/oracle-l
Received on Fri Mar 13 2015 - 20:43:48 CET
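
The profile-plus-job approach from the top message, combined with the object-ownership caveat raised lower in the thread, sketched as Oracle SQL. This is an added example, not code from any of the posters; the profile name HUMAN_USERS, the USER_CONTACTS(username, email) table and the JDOE username are assumed names.

```sql
-- Added example. HUMAN_USERS and USER_CONTACTS(username, email) are assumed names.
-- Human accounts get a 90-day password lifetime through their profile.
CREATE PROFILE human_users LIMIT PASSWORD_LIFE_TIME 90;

-- Stage 1: lock accounts whose password expired more than 45 days ago.
-- Filter on EXPIRY_DATE rather than one status string, because several
-- ACCOUNT_STATUS values denote expiry (EXPIRED, EXPIRED(GRACE)).
BEGIN
  FOR u IN (
    SELECT d.username, c.email
    FROM   dba_users d
    LEFT JOIN user_contacts c ON c.username = d.username
    WHERE  d.profile = 'HUMAN_USERS'
    AND    d.account_status NOT LIKE '%LOCKED%'
    AND    d.expiry_date < SYSDATE - 45
  ) LOOP
    -- ENQUOTE_NAME rejects names that would break out of the quoted identifier.
    EXECUTE IMMEDIATE 'ALTER USER '
      || DBMS_ASSERT.ENQUOTE_NAME(u.username, FALSE) || ' ACCOUNT LOCK';
    -- Hand the address to whatever mailer the site uses (not shown).
    DBMS_OUTPUT.PUT_LINE('locked ' || u.username
      || ' notify ' || NVL(u.email, '(no address)'));
  END LOOP;
END;
/

-- Stage 2: list accounts locked for more than 90 days, with the number of
-- objects each one owns, so schema owners are reviewed and not cleaned up.
SELECT d.username, d.lock_date,
       (SELECT COUNT(*) FROM dba_objects o
        WHERE o.owner = d.username) AS owned_objects
FROM   dba_users d
WHERE  d.profile = 'HUMAN_USERS'
AND    d.account_status LIKE '%LOCKED%'
AND    d.lock_date < SYSDATE - 90
ORDER  BY owned_objects, d.lock_date;

-- Cleanup for a reviewed account: without CASCADE, DROP USER fails
-- if the schema still contains objects.
-- DROP USER "JDOE";   -- JDOE is a placeholder username
```

Application and interface accounts stay out of both stages because they sit in other profiles, and capturing each account's grants before the drop keeps re-creation possible.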
