-
Notifications
You must be signed in to change notification settings - Fork 3
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge branch 'main' into update-ans-resource-quota-command-doc
- Loading branch information
Showing
3 changed files
with
290 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,73 @@ | ||
| # Remove Inactive Subaccount Users | ||
|
|
||
| Table of Contents | ||
|
|
||
| * [Description](#description) | ||
| * [Requirements](#requirements) | ||
| * [How to use](#how-to-use) | ||
| * [Expected result](#expected-result) | ||
|
|
||
| ## Description | ||
|
|
||
| This example demonstrates how to use SAP Automation Pilot to identify and remove inactive users from a subaccount in SAP BTP. The command allows customization of the inactivity grace period and provides options to exclude specific users or remove users who have never logged in. | ||
|
|
||
| Inactive users can pose a security risk if they are not monitored or managed properly. Regularly cleaning up inactive users helps maintain compliance with internal and external security standards. | ||
|
|
||
| Automating the removal of inactive users offers several advantages over manual processes, such as reducing time and effort, enabling the management of a large number of users across multiple subaccounts, and more. | ||
|
|
||
| The command can also be scheduled to run on a weekly, monthly, or custom basis to ensure continuous compliance and security. | ||
|
|
||
| ### Customization Options | ||
|
|
||
| The command provides several customization options to tailor the automation to your needs: | ||
|
|
||
| * **Grace Period**: Adjust the number of days since a user's last login after which they are considered inactive by modifying the `grace` input parameter. | ||
| * **Remove Users Who Never Logged In**: Enable or disable the removal of users who have never logged in by setting the `removeNeverLogged` input parameter. | ||
| * **Exclude Specific Users**: Specify a list of users who should not be removed even if they are inactive by providing their usernames in the `excludeUsers` input parameter. | ||
|
|
||
| ## Requirements | ||
|
|
||
| To use this example you'll need the following: | ||
|
|
||
| * **SAP Automation Pilot Tenant**: Ensure you have access to an SAP Automation Pilot tenant. | ||
| * **SAP Authorization and Trust Management Service**: A service key (API credentials) to enable programmatic access to the SAP Authorization and Trust Management Service. | ||
|
|
||
| To gain API access to **SAP Authorization and Trust Management Service**, follow the steps in the [SAP BTP documentation](https://help.sap.com/docs/btp/sap-business-technology-platform/get-access-to-apis). | ||
|
|
||
| You can also use the BTP CLI to create the necessary API credentials for your BTP subaccount with the following command: | ||
|
|
||
| ```shell | ||
| btp --format json create security/api-credential --name autopi-credential --sub-account '<SUBACCOUNT_ID>' | ||
| ``` | ||
|
|
||
| ## How to use | ||
|
|
||
| 1. **Import the Example**: | ||
|
|
||
| * Copy the content of the [catalog.json](./catalog.json) file. | ||
| * Go to your SAP Automation Pilot tenant and navigate to `My Catalogs`. | ||
| * Click on `Import` in the upper right corner. | ||
| * Paste the catalog's content and import it. | ||
|
|
||
| 2. **Trigger the Command Manually**: | ||
|
|
||
| * Navigate to the `RemoveInactiveSubaccountUsers` command in your SAP Automation Pilot tenant. | ||
| * Click on the *Trigger* button after getting familiar with the command | ||
| * Provide values for the following input keys: | ||
| * `serviceKey`: The service key for SAP Authorization and Trust Management Service. | ||
| * `grace`: Number of days since the last login after which a user is considered inactive. | ||
| * `removeNeverLogged`: Boolean flag to enable or disable the removal of users who have never logged in. | ||
| * `excludeUsers`: List of usernames to exclude from removal even if they are inactive. | ||
| * `targetIdentityProvider`: Identity provider of the target users (default is `sap.ids`). | ||
| * Confirm and start the automation | ||
|
|
||
| :information_source: If you want to test the command without actually removing any users, click on the *Trigger Dry* Run option. This will allow the command to identify which users are inactive without making any changes. Once you have reviewed the list of inactive users, you can run the command again in non-dry run mode to proceed with the removal. | ||
|
|
||
| ## Expected result | ||
|
|
||
| After executing the command, the following results are expected: | ||
|
|
||
| * Inactive users, based on the specified grace period, will be identified and removed from the subaccount. | ||
| * Users who have never logged in will be removed if the `removeNeverLogged` parameter is set to true. | ||
| * Users specified in the `excludeUsers` list will not be removed, even if they are inactive. | ||
| * A list of removed inactive users will be provided as output for verification and record-keeping. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,214 @@ | ||
| { | ||
| "id": "examples-<<<TENANT_ID>>>", | ||
| "technicalName": "examples", | ||
| "name": "Automation Pilot Examples", | ||
| "description": "", | ||
| "owner": "<<<TENANT_ID>>>", | ||
| "inputs": [], | ||
| "commands": [ | ||
| { | ||
| "configuration": { | ||
| "values": [], | ||
| "output": { | ||
| "inactiveUsers": "$(.FindInactiveUsers.output.message | toArray | map({ user, lastLogonTime: .lastLogonTime | toDate(\"yyyy-MM-dd HH:mm:ss\") }))" | ||
| }, | ||
| "executors": [ | ||
| { | ||
| "execute": "xsuaa-sapcp:ListSubAccountUsers:1", | ||
| "input": { | ||
| "targetIdentityProvider": "$(.execution.input.targetIdentityProvider)", | ||
| "pageSize": "500", | ||
| "serviceKey": "$(.execution.input.serviceKey)" | ||
| }, | ||
| "alias": "ListAllUsers", | ||
| "description": "List all users in the target BTP subaccount", | ||
| "progressMessage": "Listed $(.ListAllUsers.output.users | length) out of $(.ListAllUsers.output.totalResultsCount) users", | ||
| "initialDelay": null, | ||
| "pause": null, | ||
| "when": null, | ||
| "validate": null, | ||
| "autoRetry": null, | ||
| "repeat": null, | ||
| "errorMessages": [], | ||
| "dryRun": null | ||
| }, | ||
| { | ||
| "execute": "utils-sapcp:ForEach:2", | ||
| "input": { | ||
| "inputMapping": "{\"targetIdentityProvider\":\"$(.execution.input.targetIdentityProvider)\",\"serviceKey\":\"$(.execution.input.serviceKey)\",\"targetUser\":\"$(.GetUserDetails.current.item.user)\"}", | ||
| "inputs": "$(.ListAllUsers.output.users)", | ||
| "command": "xsuaa-sapcp:GetSubAccountUser:1" | ||
| }, | ||
| "alias": "GetUserDetails", | ||
| "description": "Retrieve detailed information about each user, focusing primarily on their last logon time", | ||
| "progressMessage": "Retrieved details about user $(.GetUserDetails.current.input.targetUser)", | ||
| "initialDelay": null, | ||
| "pause": null, | ||
| "when": null, | ||
| "validate": null, | ||
| "autoRetry": null, | ||
| "repeat": null, | ||
| "errorMessages": [], | ||
| "dryRun": null | ||
| }, | ||
| { | ||
| "execute": "utils-sapcp:Void:1", | ||
| "input": { | ||
| "message": "$((.ListAllUsers.output.users | map(.user)) as $users | .GetUserDetails.output.outputs | to_entries | map({ user: $users[.key], lastLogonTime: .value.lastLogonTime }))" | ||
| }, | ||
| "alias": "BuildUserLastLogon", | ||
| "description": "Link each user to their corresponding last logon time", | ||
| "progressMessage": null, | ||
| "initialDelay": null, | ||
| "pause": null, | ||
| "when": null, | ||
| "validate": null, | ||
| "autoRetry": null, | ||
| "repeat": null, | ||
| "errorMessages": [], | ||
| "dryRun": null | ||
| }, | ||
| { | ||
| "execute": "utils-sapcp:Void:1", | ||
| "input": { | ||
| "message": "$(.BuildUserLastLogon.output.message | toArray | filter(.lastLogonTime != -1 or $.execution.input.removeNeverLogged) | filter((nowMillis - $.execution.input.grace * 24 * 60 * 60 * 1000) > .lastLogonTime) | filter(.user | valueIn($.execution.input.excludeUsers) | not) | sortBy(.lastLogonTime))" | ||
| }, | ||
| "alias": "FindInactiveUsers", | ||
| "description": "Identify all inactive users based on the given input parameters", | ||
| "progressMessage": "Found $(.FindInactiveUsers.output.message | toArray | length) inactive users", | ||
| "initialDelay": null, | ||
| "pause": null, | ||
| "when": null, | ||
| "validate": null, | ||
| "autoRetry": null, | ||
| "repeat": null, | ||
| "errorMessages": [], | ||
| "dryRun": null | ||
| }, | ||
| { | ||
| "execute": "utils-sapcp:ForEach:2", | ||
| "input": { | ||
| "inputMapping": "{\"targetIdentityProvider\":\"$(.execution.input.targetIdentityProvider)\",\"serviceKey\":\"$(.execution.input.serviceKey)\",\"targetUser\":\"$(.RemoveInactiveUsers.current.item.user)\"}", | ||
| "inputs": "$(.FindInactiveUsers.output.message)", | ||
| "command": "xsuaa-sapcp:RemoveSubAccountUser:1" | ||
| }, | ||
| "alias": "RemoveInactiveUsers", | ||
| "description": "Remove each of the identified inactive users", | ||
| "progressMessage": "$(if .execution.metadata.tags[\"feature:dryRun\"] == null then \"Removing inactive user \\(.RemoveInactiveUsers.current.input.targetUser)\" else \"Execution will not remove inactive users because it was started in dry-run mode\" end)", | ||
| "initialDelay": null, | ||
| "pause": null, | ||
| "when": null, | ||
| "validate": null, | ||
| "autoRetry": null, | ||
| "repeat": null, | ||
| "errorMessages": [], | ||
| "dryRun": { | ||
| "output": { | ||
| "outputs": "[ ]" | ||
| } | ||
| } | ||
| } | ||
| ], | ||
| "listeners": [] | ||
| }, | ||
| "id": "examples-<<<TENANT_ID>>>:RemoveInactiveSubaccountUsers:1", | ||
| "name": "RemoveInactiveSubaccountUsers", | ||
| "description": "Removes inactive users from your SAP BTP account, with the option to customize the inactivity grace period", | ||
| "catalog": "examples-<<<TENANT_ID>>>", | ||
| "version": 1, | ||
| "inputKeys": { | ||
| "targetIdentityProvider": { | ||
| "type": "string", | ||
| "sensitive": false, | ||
| "required": false, | ||
| "minSize": null, | ||
| "maxSize": null, | ||
| "minValue": null, | ||
| "maxValue": null, | ||
| "allowedValues": null, | ||
| "allowedValuesFromInputKeys": null, | ||
| "suggestedValues": null, | ||
| "suggestedValuesFromInputKeys": null, | ||
| "defaultValue": "sap.ids", | ||
| "defaultValueFromInput": null, | ||
| "description": "Identity provider of the target users. By default it is SAP ID Service (sap.ids)." | ||
| }, | ||
| "grace": { | ||
| "type": "number", | ||
| "sensitive": false, | ||
| "required": false, | ||
| "minSize": null, | ||
| "maxSize": null, | ||
| "minValue": null, | ||
| "maxValue": null, | ||
| "allowedValues": null, | ||
| "allowedValuesFromInputKeys": null, | ||
| "suggestedValues": null, | ||
| "suggestedValuesFromInputKeys": null, | ||
| "defaultValue": "180", | ||
| "defaultValueFromInput": null, | ||
| "description": "Number of days since a user's last login after which they are considered inactive" | ||
| }, | ||
| "removeNeverLogged": { | ||
| "type": "boolean", | ||
| "sensitive": false, | ||
| "required": false, | ||
| "minSize": null, | ||
| "maxSize": null, | ||
| "minValue": null, | ||
| "maxValue": null, | ||
| "allowedValues": null, | ||
| "allowedValuesFromInputKeys": null, | ||
| "suggestedValues": null, | ||
| "suggestedValuesFromInputKeys": null, | ||
| "defaultValue": "true", | ||
| "defaultValueFromInput": null, | ||
| "description": "Specifies whether to remove users who have never logged into the SAP BTP account" | ||
| }, | ||
| "serviceKey": { | ||
| "type": "object", | ||
| "sensitive": true, | ||
| "required": true, | ||
| "minSize": null, | ||
| "maxSize": null, | ||
| "minValue": null, | ||
| "maxValue": null, | ||
| "allowedValues": null, | ||
| "allowedValuesFromInputKeys": null, | ||
| "suggestedValues": null, | ||
| "suggestedValuesFromInputKeys": null, | ||
| "defaultValue": null, | ||
| "defaultValueFromInput": null, | ||
| "description": "Service key for SAP Authorization and Trust Management Service" | ||
| }, | ||
| "excludeUsers": { | ||
| "type": "array", | ||
| "sensitive": false, | ||
| "required": false, | ||
| "minSize": null, | ||
| "maxSize": null, | ||
| "minValue": null, | ||
| "maxValue": null, | ||
| "allowedValues": null, | ||
| "allowedValuesFromInputKeys": null, | ||
| "suggestedValues": null, | ||
| "suggestedValuesFromInputKeys": null, | ||
| "defaultValue": "[]", | ||
| "defaultValueFromInput": null, | ||
| "description": "List of users who should not be removed even if they are inactive" | ||
| } | ||
| }, | ||
| "outputKeys": { | ||
| "inactiveUsers": { | ||
| "type": "array", | ||
| "sensitive": false, | ||
| "description": "List of the detective inactive users based on the specified input parameters" | ||
| } | ||
| }, | ||
| "tags": { | ||
| "feature:logs": "", | ||
| "feature:priority": "medium" | ||
| } | ||
| } | ||
| ] | ||
| } |