3.8 Restricting inactive users
This feature allows you to restrict the access to administrative MyID features for users who have not logged in for a set amount of time. When they are restricted, they are allowed only those features provided by the Cardholder role, and all other roles that the user has are restricted. This affects their access to all MyID applications: MyID Desktop, the Self-Service App, and so on; it also affects access to the MyID Core API.
Important: By default, the Cardholder role has logon enabled using smart cards only. If you use a different logon mechanism (for example, passphrases or Integrated Windows Logon) that is enabled through a different role, a restricted user is unable to log on to MyID at all, because only the Cardholder role remains available to them.
Note: This feature counts a logon as any logon to a MyID client that makes a change to the database; note that some operations (for example, changing or resetting a PIN in the Self-Service App) are completely local and do not affect the database.
To enable this feature, set the Allowed days of user logon inactivity before restriction (on the General page of the Operation Settings workflow) to a number higher than zero; setting the option to zero (the default) means that users are never restricted.
The restriction of users who have not logged in for the configured time limit happens once every 24 hours. By default, this happens at the time of day when the MyID Server was installed. For assistance in changing the time the processing job is run, or running this job manually, contact Intercede customer support quoting reference SUP-386.
When MyID is installed, all existing users have the time of installation set as their most recent logon. This applies to a fresh installation of MyID or an upgrade from a version earlier than MyID 12.11; from MyID 12.11 onwards, each user already has a most recent logon time recorded, and this is not reset by the installation process. MyID tracks when each user last logged on regardless of whether this feature is enabled; the last logon time is displayed in the title bar in the MyID Operator Client.
The option that determines whether a user is Restricted, Unrestricted, or Not Monitored, is the Access to Operations setting, which you can view or set in the following workflows:
- View Person
- Add Person
- Edit Person
You can use the Access to Operations field in the People report to search specifically for people who are Restricted, Unrestricted, or Not Monitored, or you can search exclusively for people who are Restricted, with the People with Restricted Access to Operations report.
3.8.1 Prevent users from being restricted
By default, any user with Access to Operations set to Unrestricted is monitored. When restriction is enabled, and they have not logged in for the set amount of time, they are set to Restricted.
To prevent a user from being monitored for restriction, you must set their Access to Operations to Not Monitored.
Important: It is recommended that you set users with API-only access to Not Monitored; API calls do not necessarily count as a logon for this feature, so otherwise you may lock them out of MyID.
Note: By default, the startup user is set to Not Monitored. If you change this, and the startup user becomes Restricted and so unable to log on, you must use GenMaster to set the password for the startup user again. This enables the startup user as though they were a freshly installed bootstrap user. See the Using GenMaster section in the Installation and Configuration Guide for details.
3.8.2 Unrestricting users
To remove a restriction on a user, use Edit Person to set their Access to Operations to Unrestricted.
By default, this does not change the last logon date of the user, so the user must log on before the daily restriction check occurs, or they are restricted again.
To change this behavior, set the Reset logon date when access to operations is changed to unrestricted option (on the General page of the Operation Settings workflow) to Yes. When this option is set to Yes, changing a user to Unrestricted also resets their account logon date to the current date, so the daily restriction check does not restrict them again immediately.
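The following is an added simulation of the restriction rules described in this section (the daily inactivity job, the Not Monitored exemption, the zero-means-disabled setting, and the effect of the Reset logon date option when unrestricting a user). It is not MyID's own code or data model: the Person and OperationSettings classes, the function names, and the user names are constructed for illustration only, and the dates are chosen to make the edge cases visible.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List

# Hypothetical model of the "Access to Operations" values named on the page.
RESTRICTED = "Restricted"
UNRESTRICTED = "Unrestricted"
NOT_MONITORED = "Not Monitored"


@dataclass
class Person:
    name: str
    access_to_operations: str
    last_logon: datetime  # most recent logon that changed the database


@dataclass
class OperationSettings:
    # "Allowed days of user logon inactivity before restriction"; 0 means never restrict.
    inactivity_days: int = 0
    # "Reset logon date when access to operations is changed to unrestricted".
    reset_logon_date_on_unrestrict: bool = False


def run_daily_restriction_job(people: List[Person], settings: OperationSettings,
                              now: datetime) -> List[str]:
    """Simulates the once-per-24-hours job; returns the names of newly restricted users."""
    if settings.inactivity_days <= 0:
        return []  # feature disabled: nobody is ever restricted
    cutoff = now - timedelta(days=settings.inactivity_days)
    newly_restricted = []
    for person in people:
        # Only Unrestricted users are monitored; Not Monitored users (for example
        # API-only accounts or the startup user) and already Restricted users are skipped.
        if person.access_to_operations != UNRESTRICTED:
            continue
        if person.last_logon < cutoff:
            person.access_to_operations = RESTRICTED
            newly_restricted.append(person.name)
    return newly_restricted


def record_logon(person: Person, now: datetime) -> None:
    """A logon that changes the database updates the tracked last-logon time."""
    person.last_logon = now


def unrestrict(person: Person, settings: OperationSettings, now: datetime) -> None:
    """Equivalent of Edit Person -> Access to Operations = Unrestricted."""
    person.access_to_operations = UNRESTRICTED
    if settings.reset_logon_date_on_unrestrict:
        person.last_logon = now  # otherwise the stale logon date is kept


def restricted_report(people: List[Person]) -> List[str]:
    """Equivalent of the People with Restricted Access to Operations report."""
    return sorted(p.name for p in people if p.access_to_operations == RESTRICTED)


def demo():
    # Constructed scenario: installation stamps every user with the install time.
    install = datetime(2024, 1, 1, 9, 0)
    alice = Person("alice", UNRESTRICTED, install)       # administrator, monitored
    bob = Person("bob-api", NOT_MONITORED, install)      # API-only account, exempt
    carol = Person("carol", UNRESTRICTED, install)       # logs on once on day 20
    people = [alice, bob, carol]
    settings = OperationSettings(inactivity_days=30)

    record_logon(carol, install + timedelta(days=20))
    day = lambda n: install + timedelta(days=n)

    first = run_daily_restriction_job(people, settings, day(31))   # alice only; bob exempt

    # Unrestrict alice without resetting her logon date: restricted again next day.
    unrestrict(alice, settings, day(31))
    second = run_daily_restriction_job(people, settings, day(32))

    # Unrestrict with the reset option on: the next daily check leaves her alone.
    settings.reset_logon_date_on_unrestrict = True
    unrestrict(alice, settings, day(32))
    third = run_daily_restriction_job(people, settings, day(33))

    # Much later carol's day-20 logon falls outside the 30-day window.
    fourth = run_daily_restriction_job(people, settings, day(55))
    return first, second, third, fourth, restricted_report(people)


if __name__ == "__main__":
    print(demo())
```

The second run is the situation the section warns about: with the reset option left at its default, a user who is unrestricted but does not log on before the next daily check is restricted again, while a Not Monitored account is never touched by the job.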