Zombies are everywhere; they lurk in existing and new systems. These zombies don’t lust after our blood or consume our flesh. It is much worse than that. These zombies can cause companies to fail audits, they can be used for unauthorized access, and worst of all they can cost companies money. Technically we are talking about lifeless accounts that exist on systems and no one knows who they belong to. To us on “Team ZAP” or the Identity Management team these accounts are known as ‘Orphan Accounts’. I don’t know about you, but identifying and removing Zombies just sounds more fun.
Not the kind of Zombies you’re interested in? If you are wondering how to prepare for the basic flesh-eating zombie apocalypse, visit our friends at the Centers for Disease Control.
Picture from: http://emergency.cdc.gov/socialmedia/zombies_blog.asp
If you want information on how to deal with Zombie or Orphan Accounts then keep reading. For full disclosure, dealing with Zombies is not for the faint of heart and I am not saying you wouldn’t get your hair mussed. Here at PathMaker Group we don’t mind getting a bit dirty when we deal with Zombies or Orphan Accounts in this proven approach:
- Analyze the accounts on the system to determine identifying characteristics.
- Install an Identity Management system such as IBM Tivoli Identity Manager (ITIM).
- Import the Employees and Non-Employees into the Identity Management System as Persons using a reliable source (HR or Enterprise Directory).
- Set up the managed resources as Services. A managed resource can be an LDAP repository, an Active Directory service, a UNIX server, or any of a host of other resources defined as a managed service in the Identity Management system.
- Create service-specific adoption policies that will match person attributes to account attributes. The accounts on the managed service will automatically be assigned to the person who matches the identity policy.
- Reconcile the accounts with the Identity Management system and watch the accounts get automatically adopted by the owners. The accounts that don’t get adopted are the potential orphans or the dreaded “Zombies”.
Now that a majority of the accounts have been adopted or assigned to the correct owner, you can analyze the remaining accounts and identify the true Zombie accounts in the system. The accounts that were not adopted could be the remnant accounts of past employees (Zombies), test accounts that were supposed to be removed (Zombies), valid accounts that matched more than one person or are missing some pertinent data (Not Zombies), or even actual system accounts that are needed for day-to-day operations (Not Zombies).
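The adoption and reconciliation steps above, together with the triage of what is left over, as an added Python example that is not PathMaker Group or ITIM code. The matching rule (login equals uid, or mail equals mail), the system-account allow-list, and all persons and accounts are constructed assumptions.

```python
# Constructed sample data: persons loaded from the authoritative source (HR feed).
PERSONS = [
    {"id": "P1", "uid": "jsmith", "mail": "john.smith@example.com"},
    {"id": "P2", "uid": "jsmith2", "mail": "jane.smith@example.com"},
    {"id": "P3", "uid": "mlee", "mail": "m.lee@example.com"},
]
# Constructed sample data: accounts returned by reconciling one managed service.
ACCOUNTS = [
    {"login": "JSmith", "mail": "john.smith@example.com"},
    {"login": "mlee", "mail": ""},
    {"login": "jsmith2", "mail": "john.smith@example.com"},  # login and mail disagree
    {"login": "svc_backup", "mail": ""},
    {"login": "tbrown", "mail": "t.brown@example.com"},      # no such person in HR
    {"login": "test01", "mail": ""},
]
SYSTEM_ACCOUNTS = frozenset({"svc_backup"})  # assumed allow-list of known service accounts

def matching_persons(account, persons):
    """Assumed adoption rule: login == uid or mail == mail, case-insensitive."""
    login = account["login"].strip().lower()
    mail = account["mail"].strip().lower()
    hits = []
    for p in persons:
        if (login and login == p["uid"].lower()) or (mail and mail == p["mail"].lower()):
            hits.append(p["id"])
    return hits

def reconcile(accounts, persons, system_accounts=frozenset()):
    """Adopt accounts with exactly one owner; sort the rest for manual review."""
    result = {"adopted": {}, "ambiguous": {}, "system": [], "orphan_candidates": []}
    for acct in accounts:
        login = acct["login"]
        owners = matching_persons(acct, persons)
        if len(owners) == 1:
            result["adopted"][login] = owners[0]
        elif len(owners) > 1:
            result["ambiguous"][login] = owners       # valid, but needs a human decision
        elif login.lower() in system_accounts:
            result["system"].append(login)            # needed for operations, not a zombie
        else:
            result["orphan_candidates"].append(login)  # potential zombie
    return result

if __name__ == "__main__":
    for bucket, items in reconcile(ACCOUNTS, PERSONS, SYSTEM_ACCOUNTS).items():
        print(bucket, items)
```

Only the `orphan_candidates` bucket feeds a suspend-then-remove process; an account with missing attributes also lands there, which is why that bucket is reviewed before anything is suspended.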
The PathMaker Group team has a proven process to help identify the unused and unneeded accounts and remove them from the system. We can set up automated processing using Life Cycle Rules, Life Cycle Operations and Tivoli Directory Integrator (TDI) to weed out the zombies. Processes can be set up to suspend the accounts and then, after a period of time, remove them from the system. The classic zombie head shot. These Zombies won’t bother you again.
An added bonus is you won’t have to fear audits. You have just eliminated a bunch of Zombies. How bad can an audit be? Once the Zombies (Orphan Accounts) have been identified and removed, those audits won’t seem so scary. With the ITIM out-of-the-box reporting you can prove within minutes that all accounts are valid. Once it is all done you have bragging rights that you’re a Zombie hunter and have a Zombie-free system. If you’re lucky you might get the coveted PathMaker Group “Team ZAP” (Zombie Attrition Process) T-shirt. Full disclosure here, we don’t actually have a ZAP T-shirt but if we help you I am sure something could be worked out. Contact us for more information!