Login Management

For the most up-to-date documentation, please visit docs.brix.ch

Advanced-UI

The "Login Management" plugin provides an overview of all active users, their last login and the number of logins. Furthermore, an expiration date can be set for users, who are not provisioned by an identity provider (e.g. AD, SCIM) and who are not protected. The table can also be exported as excel, pdf or csv.

The task will deactivate the above specified users in two cases:

  • The expiration date has been reached.
  • The user has not logged in or has never used the account after a configurable number of days. In addition, the user will be informed by email a configurable number of days before the deactivation date.

If configured, the task also sets an expiration date for the password after a configurable number of days for unprovisioned users.

Database View

Before installation of the extension, it is necessary to create the view login_management manually by executing the following command on your CELUM database.

MS SQL

CREATE VIEW login_management AS
    SELECT u.ims_id, u.ims_firstname, u.ims_lastname, u.ims_name, u.ims_email, u.ims_kind, u.ims_created,
    DATEDIFF(d, u.IMS_CREATED, GETDATE()) daysCreated, 
    MAX(s.ims_time) last_login,
    COUNT(case when s.ims_event_type = 1 then 1 else null end) logins,
    DATEDIFF(d, MAX(s.ims_time), GETDATE()) daysLastLogin,
    u.ims_authenticator_name,
    u.ims_expiration_date,
    u.ims_password_expiration_date
    FROM ims_authorizable u
    LEFT JOIN ims_stats s 
    ON s.ims_user_id = u.ims_id AND s.ims_event_type = 1
    WHERE u.ims_discriminator = 'usr' AND u.ims_deactivated = 0 AND u.ims_authenticator_name != 'api'
    GROUP BY  u.ims_id, u.ims_firstname, u.ims_lastname, u.ims_name, u.ims_email, u.ims_kind, u.ims_created, u.ims_authenticator_name, u.ims_expiration_date, u.ims_password_expiration_date

MySQL

CREATE VIEW login_management AS
    SELECT u.ims_id, u.ims_firstname, u.ims_lastname, u.ims_name, u.ims_email, u.ims_kind, u.ims_created,
    (TO_DAYS(CURDATE()) - TO_DAYS(u.ims_created)) daysCreated,
    MAX(s.ims_time) last_login, 
    COUNT(case when s.ims_event_type = 1 then 1 else null end) logins, 
    (TO_DAYS(CURDATE()) - TO_DAYS(MAX(s.ims_time))) daysLastLogin,
    u.ims_authenticator_name,
    u.ims_expiration_date,
    u.ims_password_expiration_date
    FROM ims_authorizable u
    LEFT JOIN ims_stats s 
    ON s.ims_user_id = u.ims_id AND s.ims_event_type = 1
    WHERE u.ims_discriminator = 'usr' AND u.ims_deactivated = 0 AND u.ims_authenticator_name != 'api'
    GROUP BY u.ims_id

Oracle

CREATE VIEW login_management AS
    SELECT u.ims_id, u.ims_firstname, u.ims_lastname, u.ims_name, u.ims_email, u.ims_kind, u.ims_created,
    (trunc(sysdate) - trunc(u.ims_created)) daysCreated, 
    MAX(s.ims_time) last_login, 
    COUNT(case when s.ims_event_type = 1 then 1 else null end) logins, 
    (trunc(sysdate) - trunc(max(s.ims_time))) daysLastLogin,
    u.ims_authenticator_name,
    u.ims_expiration_date,
    u.ims_password_expiration_date
    FROM ims_authorizable u
    LEFT OUTER JOIN ims_stats s
    ON s.ims_user_id = u.ims_id AND s.ims_event_type = 1
    WHERE u.ims_discriminator = 'usr' AND u.ims_deactivated = 0 AND u.ims_authenticator_name != 'api'
    GROUP BY  u.ims_id, u.ims_firstname, u.ims_lastname, u.ims_name, u.ims_email, u.ims_kind, u.ims_created, u.ims_authenticator_name, u.ims_expiration_date, u.ims_password_expiration_date

Properties

To be configured in {home}/appserver/conf/custom.properties.

loginManagement.license

type: String, required: yes, default: -

License key (delivered by brix IT Solutions)

loginManagement.visibleForGroup

type: List of long (comma-separated), required: no, default: -

Restrict the use of the plugin to this user group IDs (superadmins always see it in any case).

loginManagement.expireDays

type: long, required: no, default: 0

Defines how many days since the last login/creation date the user account will be deactivated. If not defined, nothing happens.

Super Administrators (including the API-User) will never be deactivated

loginManagement.reminderDays

type: long, required: no, default: 0

Defines how many days before the deactivation the user should receive a reminder mail. If not defined, nothing happens.

loginManagement.cronExpression

type: time (seconds minutes hours days months years, separated with "space"), required: no, default: 0 0 1 * * ? (each night at 01:00)

When and how often the task is running.

loginManagement.protectedUsers

type: list of UserIds (comma-separated), required: no, default: -, since: 1.1

Protected users are never deactivated, regardless of the settings above. Useful for technical users. Note that superadmins are never deactivated, so those don't need to be listed here.

loginManagement.pwExpires

type: boolean, required: no, default: false

Defines if a password expiration date should be set for unprovisioned users.

password.expirationDays

type: long, required: no, default: 30

Defines after how many days the password should expire.

Screenshots

menu

table

Compatibility Matrix

Login Management CELUM (min. version)
1.0.0 6.4 (tested up to 6.8)
1.1 6.4 (tested up to 6.8)
1.2 6.4 (tested up to 6.8)

Release Notes

1.0.0

Release: 2021-01-22

Initial Version

1.1

Release: 2021-06-29

Added protectedUsers

1.2

Release: 2021-07-26

  • Added restriction for provisioned users
  • added expiration date
  • added passwort expiration date
  • added export