An orphan user is a user identity whose relationship to the organization -- typically represented by a user's manager, is not documented. Orphan users are not a part of an org-chart but do have valid identities and may have associated accounts.
Orphan users represent a security risk, since it is not clear whose responsibility it is to review their access rights -- i.e., they may fall outside of the scope of an access certification process and there is no clear manager responsible for approving change requests that pertain to their accounts.
Orphan users are related to, but not the same as, orphan accounts, which are accounts that are not linked to a user identity.
Hitachi ID Identity Manager can be used to find orphan and dormant accounts:
- The last login time and date can be extracted from each managed
system, for each user. Users who have not logged in recently
can be flagged as dormant accounts.
- Login ID reconciliation data can connect dormant accounts on
one system, to unmarked accounts on another system, which may
not track last login date.
- Login ID reconciliation data can be used to identify accounts that have no apparent owner -- i.e., they exist in the login ID inventory on a system, but no current user has attached the account to his or her own profile.
The lists of dormant and orphan accounts generated in this way are tentative and should not in general be automatically disabled. For example, apparently-dormant accounts may simply be infrequently used, while apparently-orphan accounts may simply not yet have been attached to their owner's profile.
Orphan and dormant account lists can and should be manually reviewed, to remove obvious errors. The resulting, sanitized lists should be resubmitted to Identity Manager first to batch-disable, and later to batch-delete.
The time interval between disabling and deleting orphan accounts gives the owners of those accounts time to notice the problem and complain, thereby causing their accounts to be reactivated.