Revoking users with the ILST

The ILST config file has one primary element for revoking members from your digital workplace, <RevokeIfNotInSearch>, and three additional parameters that modify its behavior:

  • <RevokeAdmins>
  • <RevokeNonDelegateUsers>
  • <RevokeUsersNotManagedByLdap>

By default, each of these elements has a value of false and must be set to true to be enabled.

Revoke elements

User accounts are only revoked when <RevokeIfNotInSearch> is set to true. Generally, this will result in users who are not returned by the <UserAccount><SearchString> being revoked. However, certain types of user accounts will not be revoked unless an additional revoke element is also set to true.

These additional revoke elements are:

  • <RevokeAdmins>: Allows the ILST to revoke workplace administrator user accounts. Enter true if you want to revoke workplace administrator user accounts and regular user accounts.
  • <RevokeNonDelegateUsers>: Allows the ILST to revoke users who have only authenticated to the digital workplace with Igloo authentication. Enter true if you want to revoke users who have never authenticated to your digital workplace with SSO or LDAP.
  • <RevokeUsersNotManagedByLdap>: Allows the ILST to revoke users who have not been managed by the tool. Enter true if you want to revoke users who are not flagged as being managed by the ILST.

Configuration A: Revoke nobody

Parameters:

<RevokeAdmins>false</RevokeAdmins> 
<RevokeIfNotInSearch>false</RevokeIfNotInSearch>
<RevokeNonDelegateUsers>false</RevokeNonDelegateUsers>
<RevokeUsersNotManagedByLdap>false</RevokeUsersNotManagedByLdap>

Revokes:

  • Nobody

Configuration B: Revoke managed non-administrator accounts

Parameters:

<RevokeAdmins>false</RevokeAdmins>
<RevokeIfNotInSearch>true</RevokeIfNotInSearch>
<RevokeNonDelegateUsers>false</RevokeNonDelegateUsers>
<RevokeUsersNotManagedByLdap>false</RevokeUsersNotManagedByLdap>

Revokes user accounts that meet all of the following conditions:

  • Not a workplace administrator user account
  • Not returned by the <UserAccount><SearchString>
  • Have authenticated via SSO or LDAP authentication
  • Flagged as being managed by the LDAP-supported data source

Configuration C: Revoke non-administrator accounts

Parameters:

<RevokeAdmins>false</RevokeAdmins>
<RevokeIfNotInSearch>true</RevokeIfNotInSearch>
<RevokeNonDelegateUsers>true</RevokeNonDelegateUsers>
<RevokeUsersNotManagedByLdap>true</RevokeUsersNotManagedByLdap>

Revokes user accounts that meet all of the following conditions:

  • Not a workplace administrator user account
  • Not returned by the <UserAccount><SearchString>

Configuration D: Revoke any account

Parameters:

<RevokeAdmins>true</RevokeAdmins>
<RevokeIfNotInSearch>true</RevokeIfNotInSearch>
<RevokeNonDelegateUsers>true</RevokeNonDelegateUsers>
<RevokeUsersNotManagedByLdap>true</RevokeUsersNotManagedByLdap>

Revokes user accounts that meet all of the following conditions:

  • Not returned by the <UserAccount><SearchString>

Configuration E: Revoke non-delegated non-administrator accounts

Parameters:

<RevokeAdmins>false</RevokeAdmins>
<RevokeIfNotInSearch>true</RevokeIfNotInSearch>
<RevokeNonDelegateUsers>true</RevokeNonDelegateUsers>
<RevokeUsersNotManagedByLdap>false</RevokeUsersNotManagedByLdap>

Revokes user accounts that meet all of the following conditions:

  • Not a workplace administrator user account
  • Not returned by the <UserAccount><SearchString>
  • Have only authenticated with Igloo Authentication
  • Flagged as being managed by the LDAP-supported data source
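
As a pre-flight check on the settings described above, this added example (not part of the ILST or of Igloo's documentation) reads the four revoke elements from a config fragment and reports which account classes are exposed to revocation. The <Config> wrapper, the function names and the case-insensitive matching of true are assumptions.

```python
import xml.etree.ElementTree as ET

# Additional revoke elements from the article, mapped to the account class
# each one exposes to revocation when set to true.
EXTRA_ELEMENTS = {
    "RevokeAdmins": "workplace administrators",
    "RevokeNonDelegateUsers": "users who have only used Igloo authentication",
    "RevokeUsersNotManagedByLdap": "users not flagged as managed by the ILST",
}

def read_flag(root, name):
    """Return the element's boolean value; a missing element is the default, false."""
    node = next(root.iter(name), None)
    # Assumption: values are matched case-insensitively, which errs towards
    # reporting more exposure rather than less.
    return node is not None and (node.text or "").strip().lower() == "true"

def audit_revoke_settings(xml_text):
    """Summarise which account classes a config fragment exposes to revocation."""
    root = ET.fromstring(xml_text)
    enabled = read_flag(root, "RevokeIfNotInSearch")
    flags = {name: read_flag(root, name) for name in EXTRA_ELEMENTS}
    report = {"revocation_enabled": enabled, "exposed": [], "protected": [], "warnings": []}
    for name, label in EXTRA_ELEMENTS.items():
        if enabled and flags[name]:
            report["exposed"].append(label)
        else:
            report["protected"].append(label)
        if flags[name] and not enabled:
            report["warnings"].append(
                f"<{name}> is true but has no effect while <RevokeIfNotInSearch> is false")
    if enabled and flags["RevokeAdmins"]:
        report["warnings"].append(
            "administrator accounts missing from the search results can be revoked")
    return report

# Constructed sample mirroring Configuration E; <Config> is a placeholder
# wrapper, not the real ILST root element.
SAMPLE_E = """<Config>
  <RevokeAdmins>false</RevokeAdmins>
  <RevokeIfNotInSearch>true</RevokeIfNotInSearch>
  <RevokeNonDelegateUsers>true</RevokeNonDelegateUsers>
  <RevokeUsersNotManagedByLdap>false</RevokeUsersNotManagedByLdap>
</Config>"""

if __name__ == "__main__":
    for key, value in audit_revoke_settings(SAMPLE_E).items():
        print(f"{key}: {value}")
```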