Hello, I have a question about Orchestrator 2020.10, under the Tenant → Users page where it indicates account “Status” as well as if Web Access and Robot Access are enabled, is there more context around what a Status of “Inactive” means? Is this stating that the account just hadn’t logged-on in X-days or is it saying the account is disabled? For example, if there’s an “Inactive” account, but the account’s Web Access is “Enabled”, could the account still log-on?
I’m not sure if there is a clear indication of this (at least I haven’t seen it documented yet). It appears it will depend on what type of User Entity that you are looking at.
But from the Users menu, you can activate and deactivate a user profile which would prevent that user from authenticating and being authorized. Web Access on the other hand is authorization to use the Web UI / API in case all you wanted them leverage is a Robot
For example when I look at my User list for a particular user that I know hasn’t logged in some time (8+ Months) and is still an active domain user. I see a Robot Record that is marked Inactive (which might have been due to changes made when we migrated from 2019 to 2020) which I cannot activate or deactivate, nor delete.
Previously (earlier than 2019.10) Domain User/Group integration was an import only feature, so it was helpful to be able to deactivate certain users that you know have left the company or changes roles.
The other piece which I cannot confirm at the moment, when we had some team members leave the organization and the accounts became disabled in Active Directory, I cannot recall if they automatically switched to Inactive in 2020 when the cache refreshed or if they remained Active in Orchestrator, in either case they were setup with Windows Auth and/or SAML so once they were disabled in AD they wouldn’t have been able to authenticate anyways. (I have since removed those those users from Orchestrator to free up licenses).
I remember in old documentation 2018/2019 About Users / Managing Users documentation mentioned Activating / Deactivating Users as a action, but it didn’t describe the feature at all.
I think it is easiest to think about Authorization vs Authentication.
Status (Activate/Inactive) to be Authentication, where as Web Access/Robot Access (Enabled/Disabled) is about Authorization to use a feature or group of features Web UI/API in this case or Attended/Unattended Robot.
I meant to say if you went ahead today and disabled a user that has used his/her account regularly, does that, in effect, change that user’s account “Status” field to “Inactive”? Just wanted to rule out that a Status of Inactive doesn’t mean they haven’t logged-on in a while, rather it indeed indicated the user could not authenticate.
That is correct - If you disable the account (screenshot above) It will change the Status to Inactive and prevent the user from authenticating. There is not a feature (to my knowledge) that automatically disabled a profile based on Last Login.
