Overview
This guide describes the technical steps to offboard a user in Irancell IAM. Offboarding ensures that user sessions are terminated, access to systems is revoked, and all actions are logged for compliance and audit purposes.
Key objectives:
- Deactivate user accounts in Irancell IAM and connected systems.
 - Terminate any active user sessions.
 - Remove access rights, roles, and entitlements.
 - Record events in audit logs.
 - Verify expected results and troubleshoot common issues.
 
Input:
- User identity information (login ID, employee ID, email).
 - Target system provisioning configuration.
 - Business policies for deactivation and access revocation.
 - Logging and monitoring configuration.
 
Output:
- User account deactivated in Irancell IAM.
 - Active sessions terminated.
 - Roles, groups, and entitlements removed.
 - Audit logs available for compliance.
 
The audience is Irancell IAM administrators, system integrators, and support engineers.
Table of Contents
- Overview
 - 1. Deactivate User
 - 2. Session Termination
 - 3. Remove Access
 - 4. Audit Logs
 - 5. Expected Results
 - 6. Troubleshooting
 - Frequently Asked Questions (FAQ)
 - Appendix
 
1. Deactivate User
Steps
- Log in as an Irancell IAM Administrator in the Irancell IAM Web Console.
 - Navigate to Administration → User Management → Search User.
 - Locate the user to be offboarded.
 - Set status to Inactive or Terminated.
 - Save the changes.
 
Best Practice: Always deactivate before deleting to preserve audit history.
Checklist
- User account status changed to Inactive.
 - HR or source system notified of deactivation.
 - Provisioning triggered to managed systems.
 
2. Session Termination
Steps
- Navigate to Administration → Session Management.
 - Search for active sessions of the user.
 - Select the session and click Terminate.
 - Confirm action in the audit logs.
 
Checklist
- Active sessions terminated.
 - User no longer has access to applications.
 - Session termination recorded in logs.
 
3. Remove Access
Steps
- Navigate to Administration → User Management → Roles & Entitlements.
 - Unassign all roles (e.g., Employee_Default, Admin, Application_Role).
 - Remove group memberships.
 - Trigger de-provisioning in connected systems.
 
Checklist
- Roles unassigned.
 - Groups removed.
 - Entitlements revoked.
 - Target systems updated.
 
4. Audit Logs
Steps
- Navigate to Administration → Audit Log Viewer.
 - Search for the user by login ID or employee ID.
 - Confirm events for:
   - Deactivation
   - Session termination
   - Role/entitlement removal
 - Export logs if required for compliance.
 
Checklist
- Audit log shows Deactivate User event.
 - Session termination recorded.
 - Access removal events captured.
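The checklist above can be run against an exported audit log instead of being read by eye. The following is an added example, not part of the original guide or of Irancell IAM: the CSV layout, column names and event names are assumptions, and the sample rows are constructed. It reports missing offboarding steps, failed events, and any successful login recorded after deactivation.

```python
import csv
import io
from datetime import datetime

# Assumed export layout (hypothetical, not a documented Irancell IAM format):
# CSV columns timestamp,login_id,event,result. Event names are placeholders.
REQUIRED = {
    "deactivation": {"DEACTIVATE_USER"},
    "session_termination": {"TERMINATE_SESSION"},
    "access_removal": {"REMOVE_ROLE", "REMOVE_GROUP", "REVOKE_ENTITLEMENT"},
}
ACTIVITY = {"LOGIN", "SESSION_START"}  # must not succeed after deactivation

# Constructed sample export covering two users.
SAMPLE = """timestamp,login_id,event,result
2024-05-01T09:00:00,jdoe,DEACTIVATE_USER,SUCCESS
2024-05-01T09:01:10,jdoe,TERMINATE_SESSION,SUCCESS
2024-05-01T09:02:30,jdoe,REMOVE_ROLE,SUCCESS
2024-05-01T09:02:31,jdoe,REMOVE_GROUP,FAILURE
2024-05-01T10:00:00,asmith,DEACTIVATE_USER,SUCCESS
2024-05-01T10:05:00,asmith,REMOVE_ROLE,SUCCESS
2024-05-01T11:30:00,asmith,LOGIN,SUCCESS
"""

def check_offboarding(export_text, login_id):
    """Summarise missing steps, failed events and post-deactivation activity."""
    rows = [r for r in csv.DictReader(io.StringIO(export_text))
            if r["login_id"] == login_id]
    rows.sort(key=lambda r: datetime.fromisoformat(r["timestamp"]))
    ok = {r["event"] for r in rows if r["result"] == "SUCCESS"}
    # A step is missing when none of its event names succeeded.
    missing = [step for step, names in REQUIRED.items() if not names & ok]
    failed = [r["event"] for r in rows
              if r["result"] != "SUCCESS" and r["event"] not in ACTIVITY]
    cutoff = [datetime.fromisoformat(r["timestamp"]) for r in rows
              if r["event"] == "DEACTIVATE_USER" and r["result"] == "SUCCESS"]
    # Successful logins or new sessions after the first deactivation event.
    late = [r["event"] for r in rows
            if cutoff and r["event"] in ACTIVITY and r["result"] == "SUCCESS"
            and datetime.fromisoformat(r["timestamp"]) > cutoff[0]]
    return {"missing": missing, "failed": failed,
            "activity_after_deactivation": late,
            "complete": not (missing or failed or late)}

if __name__ == "__main__":
    for user in ("jdoe", "asmith"):
        print(user, check_offboarding(SAMPLE, user))
```

A failed removal event or a login after deactivation is a reason to retry or escalate de-provisioning, as described in the Troubleshooting section.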
 
5. Expected Results
- User is deactivated in Irancell IAM.
 - Active sessions terminated.
 - Roles, groups, and entitlements removed.
 - Audit logs confirm offboarding actions.
 - Target systems reflect user deactivation.
 
6. Troubleshooting
| Issue | Cause | Resolution | 
|---|---|---|
| User still active in target system | Connector not triggered | Check provisioning logs and restart sync | 
| Session not terminated | Session service misconfigured | Verify session management configuration | 
| Access not removed | Role/entitlement mapping incomplete | Update policy map and retry | 
| Audit logs missing events | Logging not enabled | Enable audit logging in Admin console | 
| User account deletion failed | Dependencies in target system | Resolve dependencies before deletion | 
Logs to Check
- Audit Log Viewer (Web Console)
 - Connector logs (RabbitMQ messages)
 - Application logs: /opt/openiam/logs/
Checklist
- Audit logs verified for deactivation and termination.
 - Connector logs reviewed for provisioning events.
 - Any failed de-provisioning retried or escalated.
 
Frequently Asked Questions (FAQ)
Q1: Should I delete or deactivate users?
A: Always deactivate first. Delete only if compliance policies allow.  
Q2: How do I force immediate logout?
A: Use Session Management → Terminate Session in Irancell IAM.  
Q3: Can I bulk offboard users?
A: Yes, via Batch Processing or HR feed integration.  
Q4: How can I verify de-provisioning in AD/LDAP?
A: Check the target system logs or query the account status.  
Q5: Where can I find logs of deactivation events?
A:  
- Audit Log Viewer (Web Console)
 - Connector logs (RabbitMQ messages)
 - /opt/openiam/logs/
    