An orphan user is a user identity whose relationship to the organization -- typically represented by the user's manager -- is not documented. Orphan users are not part of an org chart but do have valid identities and may have associated accounts.
Orphan users represent a security risk, since it is not clear whose responsibility it is to review their access rights -- i.e., they may fall outside of the scope of an access certification process and there is no clear manager responsible for approving change requests that pertain to their accounts.
Orphan users are related to, but not the same as, orphan accounts, which are accounts that are not linked to a user identity.
Hitachi ID Identity Manager can be used to find orphan and dormant accounts:
The lists of dormant and orphan accounts generated in this way are tentative and should not in general be automatically disabled. For example, apparently-dormant accounts may simply be infrequently used, while apparently-orphan accounts may simply not yet have been attached to their owner's profile.
Orphan and dormant account lists can and should be manually reviewed to remove obvious errors. The resulting, sanitized lists should be resubmitted to Identity Manager, first to batch-disable and later to batch-delete.
The time interval between disabling and deleting orphan accounts gives the owners of those accounts time to notice the problem and complain, thereby causing their accounts to be reactivated.