Overview
This guide explains the process of suspending user accounts in Irancell IAM.
Suspension is a temporary restriction on access, applied without fully deactivating or deleting the user. It is intended for situations such as investigations, extended leave, or security risk management.
Clarification: Suspension is always temporary and reversible. User roles, group memberships, and entitlements are preserved so that access can be fully restored upon reactivation. This differentiates suspension from deactivation or offboarding, which permanently remove access and may delete user data.
Key Objectives
- Apply suspension according to policy.
- Temporarily block access while keeping the user identity intact.
- Ensure suspension is logged in security/audit logs.
- Support reactivation when conditions are cleared.
Input:
- User identity information (login ID, employee ID, or email).
- Business/HR policy requiring suspension.
- Managed system configuration for enforcement.
Output:
- User status set to Suspended.
- Active sessions terminated.
- Suspension event recorded in logs.
- Access revoked until reactivation.
Audience: Irancell IAM administrators, compliance officers, and IT security staff.
Table of Contents
- Overview
- Suspension Policy
- Suspension Execution
- Security Logs
- Use Cases
- Troubleshooting
- FAQ (Frequently Asked Questions)
- Appendix
1. Suspension Policy
Suspension is governed by organizational rules and Irancell IAM policies.
Typical use cases for suspension:
- Employee on long-term leave.
- Pending investigation (HR or security).
- Temporary security breach suspicion.
- Access pause due to policy violation.
Policy guidelines:
- Suspension should not delete roles or entitlements (so they can be restored).
- HR/Compliance must authorize suspensions.
- Audit trail must capture all suspension events.
- Only Irancell IAM Administrators can perform suspensions.
2. Suspension Execution
Steps
- Log in to the Irancell IAM Administration Console.
- Navigate to Administration → User Management → Search User.
- Select the user account.
- Change status to Suspended.
- Save changes.
- Navigate to Session Management and terminate any active sessions.
Checklist
- User account status is now Suspended.
- Active sessions terminated.
- Suspension request recorded in logs.
- Notification sent to HR/Compliance if required.
3. Security Logs
Suspension actions must be fully auditable.
Steps
- Navigate to Administration → Audit Log Viewer.
- Search for the user by login ID or employee ID.
- Confirm that the Suspend User action is recorded.
- Export logs if required for compliance or investigation.
Checklist
- Suspension event recorded.
- Session termination event captured.
- Role/entitlement state preserved (not deleted).
- Timestamp and administrator ID logged.
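The checklist above can be run mechanically against an exported audit log. This is an added example, not part of the original guide or of the product: the JSON-lines export layout, the field names (ts, action, target, admin) and every action name except "Suspend User" are assumptions, and the sample records are constructed.

```python
import json
from datetime import datetime

# Constructed sample export, one JSON record per line, assumed chronological.
SAMPLE_EXPORT = """\
{"ts": "2024-05-01T09:00:00+00:00", "action": "Suspend User", "target": "jdoe", "admin": "iam.admin1"}
{"ts": "2024-05-01T09:00:40+00:00", "action": "Terminate Session", "target": "jdoe", "admin": "iam.admin1"}
{"ts": "2024-05-01T09:05:00+00:00", "action": "Suspend User", "target": "asmith", "admin": ""}
{"ts": "2024-05-01T09:06:00+00:00", "action": "Remove Role", "target": "asmith", "admin": "iam.admin2"}
"""

# Assumed action names for changes that would break "state preserved".
REMOVALS = {"Remove Role", "Remove Entitlement", "Remove Group"}


def _when(event):
    """Parse the event timestamp; None if it is absent or malformed."""
    try:
        return datetime.fromisoformat(event["ts"])
    except (KeyError, TypeError, ValueError):
        return None


def check_suspension(export_text, login_id):
    """Return the Security Logs checklist items that fail for login_id."""
    events = [json.loads(l) for l in export_text.splitlines() if l.strip()]
    events = [e for e in events if e.get("target") == login_id]
    idx = [i for i, e in enumerate(events) if e.get("action") == "Suspend User"]
    if not idx:
        return ["suspension event not recorded"]
    # Evaluate the most recent suspension and everything logged after it.
    suspend, after = events[idx[-1]], events[idx[-1] + 1:]
    failures = []
    if _when(suspend) is None or not suspend.get("admin"):
        failures.append("timestamp or administrator ID missing")
    if not any(e.get("action") == "Terminate Session" for e in after):
        failures.append("session termination event not captured")
    if any(e.get("action") in REMOVALS for e in after):
        failures.append("role/entitlement removed after suspension")
    return failures


if __name__ == "__main__":
    for user in ("jdoe", "asmith"):
        print(user, check_suspension(SAMPLE_EXPORT, user) or "all checks passed")
```

An empty result means every checklist item is satisfied for that user; any returned item should be followed up in the Audit Log Viewer before the export is handed to compliance.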
4. Use Cases
Use Case 1: Employee on Leave
- HR initiates request to suspend the account.
- Irancell IAM administrator applies suspension.
- User reactivated upon return.
Use Case 2: Security Investigation
- Security team requests suspension of a suspected user.
- Irancell IAM administrator suspends immediately.
- Logs exported for forensic analysis.
Use Case 3: Policy Violation
- Compliance identifies a violation.
- User suspended while investigation proceeds.
- Access restored or offboarding triggered later.
5. Troubleshooting
| Issue | Cause | Resolution |
|---|---|---|
| User still able to log in | Suspension not synced to target system | Check connector logs and retry sync |
| Session not terminated | Session service not triggered | Terminate sessions manually in console |
| No audit log for suspension | Logging disabled or misconfigured | Enable audit logging and retry |
| Roles removed unintentionally | Policy misapplied | Update policy to preserve entitlements |
| Reactivation not possible | Incorrect status mapping | Correct mapping in managed system config |
Logs to Check
- Audit Log Viewer (Admin Console)
- Connector Logs (provisioning engine)
- Application logs in /opt/openiam/logs/
Checklist
- Suspension confirmed in Irancell IAM.
- Target systems reflect suspended state.
- Logs reviewed for compliance.
- Any failures retried or escalated.
6. FAQ (Frequently Asked Questions)
Q1. What is the difference between suspension and deactivation in Irancell IAM?
- Suspension is temporary. The user cannot log in, but their roles, groups, and entitlements remain intact for reactivation.
- Deactivation/Termination is permanent. Roles and entitlements may be removed, often as part of offboarding.
Q2. Does suspension immediately log the user out of active sessions?
- Not always. You must manually terminate active sessions in Session Management after changing the status to Suspended.
Q3. Who is authorized to suspend user accounts?
- Only Irancell IAM Administrators can perform suspension in Irancell IAM, usually based on HR, Compliance, or Security requests.
Q4. Will suspension remove the user’s roles or entitlements?
- No. Roles and entitlements are preserved. The suspended user's role and entitlement assignments are retained so that access can be restored on reactivation.
Q5. Can suspended users still receive emails or notifications from Irancell IAM?
- Suspension blocks login and system access, but notification emails (e.g., password expiry reminders) may still be sent depending on configuration.
Q6. What if suspension is not reflected in the target system (e.g., Active Directory)?
- Check connector logs in the provisioning engine.
- If suspension did not sync, retry the synchronization or review connector configuration.
Q7. How long can a user remain suspended?
- There is no technical limit in Irancell IAM.
- Duration depends on HR/Compliance policy (e.g., until investigation closes or leave ends).
Q8. Can a suspended account be reactivated?
- Yes. Reactivation restores login access with the same roles and entitlements as before suspension.
Q9. How do I verify that suspension was successful?
- User Management – user status shows Suspended.
- Session Management – no active sessions.
- Audit Log Viewer – Suspend User action recorded.
Q10. What if a suspended user still manages to log in?
Possible causes:
- Suspension not synced to all target systems.
- Incorrect status mapping in the connector.
- Session termination not applied.
Solution:
- Check connector mappings.
- Re-run sync.
- Verify session termination.