Skip to content

Configure Inactive Registered Users Cleanup

Applies To: HySecure Gateway 7.2 and above

Category: User Management / Security

Overview

This Knowledgebase article explains how to configure automated cleanup of inactive registered users to improve security posture and optimize license utilization. This feature enables administrators to automatically disable or delete inactive user accounts, reducing security risks and reclaiming licenses for active users.

The cleanup process tracks user inactivity based on either last login time (for gateway application access) or last authentication time (for HyID Windows client, Linux Credential Provider, RADIUS, NPS, and third-party MFA integrations), providing flexible criteria to match organizational security policies.

Prerequisites

  • HySecure Gateway 7.2 or higher.
  • Security Officer or Administrator access to the HySecure management console.
  • Understanding of user authentication patterns in your organization.
  • Recommended: Export Registered Users before enabling automated cleanup.

Supported Cleanup Criteria

Action Based On Options:

  • Last Login Time: Applies to users who log in to the HySecure gateway to access enterprise applications. Tracks when users last authenticated to access published applications through the HyLite portal or the HySecure client.

  • Last Authentication Time: Applies to users logging in through HyID Windows client, Linux Credential Provider, NPS, RADIUS, or third-party applications where HySecure provides MFA. Includes authentication events from credential providers and identity integrations.

Action Types:

  • Disable: Retains user profile and registration data but disables account access. The user cannot log in until manually re-enabled by an administrator. Recommended for temporary inactivity or pending account reviews.

  • Delete: Permanently removes the user profile and all registration data from the HySecure gateway. Recommended for confirmed inactive accounts or compliance-driven deletion policies.

Procedure: Configure Inactive Registered Users Cleanup

Step 1: Access Cleanup Policies

  1. Log in to the HySecure management console.

    • Use the Security Officer or Administrator account.

  2. Navigate to Cleanup Policies

    • Navigate to Diagnose > Maintenance > Cleanup Policies.

    • Locate the Inactive Registered Users Cleanup section.

Step 2: Enable the Cleanup Feature

  1. Enable the cleanup feature.

    • Locate the Enable Registered Users Cleanup checkbox.

    • Check the checkbox to activate automated cleanup functionality.

Step 3: Configure Action Type

  1. Select Action for Inactive Registered Users

    Choose one of the following actions:

    • Disable:

      • Select this option to retain the user profile while blocking access.

      • User registration data preserved for future re-enablement.

      • License reclaimed, but user data retained.

      • Recommended for: Temporary inactivity, seasonal workers, pending reviews.

    • Delete:

      • Select this option to remove the user profile permanently.

      • All user registration data will be deleted from the system.

      • License reclaimed and user data removed.

      • Recommended for: Confirmed inactive accounts, compliance requirements, and permanent departures.

  2. Consider organizational policy

    • Align action type with security policies.

    • Consider regulatory compliance requirements.

    • Evaluate license reclamation needs vs. data retention requirements.

Step 4: Select Inactivity Criteria

  1. Configure Action Based On parameter

    Choose one of the following criteria:

    • Last Login Time:

      • Select for users accessing enterprise applications via the HySecure gateway.

      • Tracks authentication to the HyLite portal or Workspace client.

      • Applies to application access scenarios.

    • Last Authentication Time:

      • Select for users authenticating via credential providers or MFA integrations.

      • Tracks authentication through HyID Windows client, Linux Credential Provider, NPS, and RADIUS.

      • Includes third-party application MFA, where HySecure acts as the authentication provider.

Step 5: Set Inactivity Threshold

  1. Configure Inactive for Last (days)

    • Enter the number of days defining the inactivity threshold.

    • User accounts inactive for this duration will be disabled or deleted based on the configured action.

  2. Consider organizational factors

    • Employee leave policies (vacation, medical, sabbatical).

    • Seasonal workforce patterns.

    • Contract and temporary worker schedules.

    • Regulatory data retention requirements.

Step 6: Save Configuration

  1. Review all settings

    • Verify Action Type (Disable or Delete).

    • Confirm Action Based on criteria (Last Login Time or Last Authentication Time).

    • Validate Inactive for Last (days) threshold.

  2. Submit configuration

    • Click the Submit button to save the cleanup policy.

    • Configuration takes effect immediately for future cleanup cycles.

  3. Verify configuration

    • Confirm that the success message displays.

    • Review the Cleanup Policies page to verify that the settings were saved correctly.

Business Context and Use Cases

Security Benefits

Reduced Attack Surface:

  • Eliminate dormant accounts that represent security vulnerabilities.

  • Prevent unauthorized access through unused accounts.

  • Adhere to security best practices for managing inactive accounts.

Compliance Support:

  • Satisfy regulatory requirements for inactive account removal.

  • Demonstrate a proactive security posture.

Operational Benefits

License Optimization:

  • Reclaim licenses from inactive users in case of Named Users based licensing.

  • Improve license utilization and ROI.

  • Reduce unnecessary license consumption.

Administrative Efficiency:

  • Automate manual inactive user review processes.

  • Eliminate periodic manual cleanup tasks.

  • Reduce administrative overhead for user lifecycle management.

Common Use Cases

Important Notes

Critical Considerations:

  • No Automatic Reversal: Disabled users need manual re-enablement by an administrator. Deleted users must re-register fully if they require access.

  • Cleanup Timing: The Cleanup process runs on a scheduled basis (system-defined intervals). Inactive users are not removed immediately upon reaching the threshold.

  • License Impact: Licenses are reclaimed immediately when users are disabled or deleted, making licenses available for other users.

    Note

    License will be reclaimed only in case of Named Users based licensing.

  • User Notification: No automatic notification is sent to users before the account is disabled or deleted. Implement a separate notification process if required.

  • Authentication Context Matters: Choose criteria (Last Login Time vs. Last Authentication Time) matching how users primarily authenticate in your environment.

Best Practices:

  • Start with the Disable action and a longer threshold (90-180 days) for initial implementation.

  • Monitor cleanup activity and adjust the threshold based on organizational patterns.

  • Review the disabled user list periodically to identify false positives.

  • Document the cleanup policy in security procedures.

  • Communicate policy to users and managers before implementation.

  • Consider seasonal patterns and leave policies when setting thresholds.

Contact Support: support@accops.com for assistance with Inactive Registered Users Cleanup configuration.