diff --git a/README.md b/README.md index efebfd9..fa7dc71 100644 --- a/README.md +++ b/README.md @@ -13,7 +13,7 @@ Table of Contents * [How to use](#how-to-use) * [Examples](#examples) * [HANA Cloud](#hana-cloud) - * [BTP Provisioning](#btp-provisioning) + * [BTP Management](#btp-management) * [Cloud Foundry](#cloud-foundry) * [Kubernetes](#kubernetes) * [Neo](#neo) @@ -82,7 +82,7 @@ After importing, you'll see a new catalog tile - **Automation Pilot Examples**. | [Check HANA Cloud Availability](check-hana-cloud-availability) | Check regularly whether the HANA Cloud database is currently available | | [Rotate HANA Cloud Database Credentials](rotate-hana-cloud-db-credentials) | Automate the rotation of credentials for a HANA Cloud database | -### BTP Provisioning +### BTP Management | Example | Description | |---------|-------------| @@ -90,6 +90,7 @@ After importing, you'll see a new catalog tile - **Automation Pilot Examples**. | [Setup Cloud Foundry BTP Environment](prepare-btp-environment) | Enable the Cloud Foundry environment, create a space and setup a service instance | | [Grant Privileges](grant-privileges) | Grant privileges to users on subaccount, organization and space level | | [Reassign Identity Provider](reassign-identity-provider) | Migrate all users on BTP subaccount level from one identity provider to another | +| [Remove Inactive Subaccount Users](remove-inactive-subaccount-users) | Identify and remove inactive users from a BTP subaccount | ### Cloud Foundry diff --git a/remove-inactive-subaccount-users/README.md b/remove-inactive-subaccount-users/README.md new file mode 100644 index 0000000..b941528 --- /dev/null +++ b/remove-inactive-subaccount-users/README.md 
@@ -0,0 +1,73 @@ +# Remove Inactive Subaccount Users + +Table of Contents + +* [Description](#description) +* [Requirements](#requirements) +* [How to use](#how-to-use) +* [Expected result](#expected-result) + +## Description + +This example demonstrates how to use SAP Automation Pilot to identify and remove inactive users from a subaccount in SAP BTP. The command allows customization of the inactivity grace period and provides options to exclude specific users or remove users who have never logged in. + +Inactive users can pose a security risk if they are not monitored or managed properly. Regularly cleaning up inactive users helps maintain compliance with internal and external security standards. + +Automating the removal of inactive users offers several advantages over manual processes, such as reducing time and effort, enabling the management of a large number of users across multiple subaccounts, and more. + +The command can also be scheduled to run on a weekly, monthly, or custom basis to ensure continuous compliance and security. + +### Customization Options + +The command provides several customization options to tailor the automation to your needs: + +* **Grace Period**: Adjust the number of days since a user's last login after which they are considered inactive by modifying the `grace` input parameter. +* **Remove Users Who Never Logged In**: Enable or disable the removal of users who have never logged in by setting the `removeNeverLogged` input parameter. +* **Exclude Specific Users**: Specify a list of users who should not be removed even if they are inactive by providing their usernames in the `excludeUsers` input parameter. + +## Requirements + +To use this example you'll need the following: + +* **SAP Automation Pilot Tenant**: Ensure you have access to an SAP Automation Pilot tenant. 
+* **SAP Authorization and Trust Management Service**: A service key (API credentials) to enable programmatic access to the SAP Authorization and Trust Management Service. + +To gain API access to **SAP Authorization and Trust Management Service**, follow the steps in the [SAP BTP documentation](https://help.sap.com/docs/btp/sap-business-technology-platform/get-access-to-apis). + +You can also use the BTP CLI to create the necessary API credentials for your BTP subaccount with the following command: + +```shell +btp --format json create security/api-credential --name autopi-credential --sub-account '' +``` + +## How to use + +1. **Import the Example**: + +* Copy the content of the [catalog.json](./catalog.json) file. +* Go to your SAP Automation Pilot tenant and navigate to `My Catalogs`. +* Click on `Import` in the upper right corner. +* Paste the catalog's content and import it. + +2. **Trigger the Command Manually**: + +* Navigate to the `RemoveInactiveSubaccountUsers` command in your SAP Automation Pilot tenant. +* Click on the *Trigger* button after getting familiar with the command +* Provide values for the following input keys: + * `serviceKey`: The service key for SAP Authorization and Trust Management Service. + * `grace`: Number of days since the last login after which a user is considered inactive. + * `removeNeverLogged`: Boolean flag to enable or disable the removal of users who have never logged in. + * `excludeUsers`: List of usernames to exclude from removal even if they are inactive. + * `targetIdentityProvider`: Identity provider of the target users (default is `sap.ids`). +* Confirm and start the automation + +:information_source: If you want to test the command without actually removing any users, click on the *Trigger Dry* Run option. This will allow the command to identify which users are inactive without making any changes. 
Once you have reviewed the list of inactive users, you can run the command again in non-dry run mode to proceed with the removal. + +## Expected result + +After executing the command, the following results are expected: + +* Inactive users, based on the specified grace period, will be identified and removed from the subaccount. +* Users who have never logged in will be removed if the `removeNeverLogged` parameter is set to true. +* Users specified in the `excludeUsers` list will not be removed, even if they are inactive. +* A list of removed inactive users will be provided as output for verification and record-keeping. diff --git a/remove-inactive-subaccount-users/catalog.json b/remove-inactive-subaccount-users/catalog.json new file mode 100644 index 0000000..ee12390 --- /dev/null +++ b/remove-inactive-subaccount-users/catalog.json 
@@ -0,0 +1,214 @@ +{ + "id": "examples-<<>>", + "technicalName": "examples", + "name": "Automation Pilot Examples", + "description": "", + "owner": "<<>>", + "inputs": [], + "commands": [ + { + "configuration": { + "values": [], + "output": { + "inactiveUsers": "$(.FindInactiveUsers.output.message | toArray | map({ user, lastLogonTime: .lastLogonTime | toDate(\"yyyy-MM-dd HH:mm:ss\") }))" + }, + "executors": [ + { + "execute": "xsuaa-sapcp:ListSubAccountUsers:1", + "input": { + "targetIdentityProvider": "$(.execution.input.targetIdentityProvider)", + "pageSize": "500", + "serviceKey": "$(.execution.input.serviceKey)" + }, + "alias": "ListAllUsers", + "description": "List all users in the target BTP subaccount", + "progressMessage": "Listed $(.ListAllUsers.output.users | length) out of $(.ListAllUsers.output.totalResultsCount) users", + "initialDelay": null, + "pause": null, + "when": null, + "validate": null, + "autoRetry": null, + "repeat": null, + "errorMessages": [], + "dryRun": null + }, + { + "execute": "utils-sapcp:ForEach:2", + "input": { + "inputMapping": "{\"targetIdentityProvider\":\"$(.execution.input.targetIdentityProvider)\",\"serviceKey\":\"$(.execution.input.serviceKey)\",\"targetUser\":\"$(.GetUserDetails.current.item.user)\"}", + "inputs": "$(.ListAllUsers.output.users)", + "command": "xsuaa-sapcp:GetSubAccountUser:1" + }, + "alias": "GetUserDetails", + "description": "Retrieve detailed information about each user, focusing primarily on their last logon time", + "progressMessage": "Retrieved details about user $(.GetUserDetails.current.input.targetUser)", + "initialDelay": null, + "pause": null, + "when": null, + "validate": null, + "autoRetry": null, + "repeat": null, + "errorMessages": [], + "dryRun": null + }, + { + "execute": "utils-sapcp:Void:1", + "input": { + "message": "$((.ListAllUsers.output.users | map(.user)) as $users | .GetUserDetails.output.outputs | to_entries | map({ user: $users[.key], lastLogonTime: .value.lastLogonTime }))" + }, 
+ "alias": "BuildUserLastLogon", + "description": "Link each user to their corresponding last logon time", + "progressMessage": null, + "initialDelay": null, + "pause": null, + "when": null, + "validate": null, + "autoRetry": null, + "repeat": null, + "errorMessages": [], + "dryRun": null + }, + { + "execute": "utils-sapcp:Void:1", + "input": { + "message": "$(.BuildUserLastLogon.output.message | toArray | filter(.lastLogonTime != -1 or $.execution.input.removeNeverLogged) | filter((nowMillis - $.execution.input.grace * 24 * 60 * 60 * 1000) > .lastLogonTime) | filter(.user | valueIn($.execution.input.excludeUsers) | not) | sortBy(.lastLogonTime))" + }, + "alias": "FindInactiveUsers", + "description": "Identify all inactive users based on the given input parameters", + "progressMessage": "Found $(.FindInactiveUsers.output.message | toArray | length) inactive users", + "initialDelay": null, + "pause": null, + "when": null, + "validate": null, + "autoRetry": null, + "repeat": null, + "errorMessages": [], + "dryRun": null + }, + { + "execute": "utils-sapcp:ForEach:2", + "input": { + "inputMapping": "{\"targetIdentityProvider\":\"$(.execution.input.targetIdentityProvider)\",\"serviceKey\":\"$(.execution.input.serviceKey)\",\"targetUser\":\"$(.RemoveInactiveUsers.current.item.user)\"}", + "inputs": "$(.FindInactiveUsers.output.message)", + "command": "xsuaa-sapcp:RemoveSubAccountUser:1" + }, + "alias": "RemoveInactiveUsers", + "description": "Remove each of the identified inactive users", + "progressMessage": "$(if .execution.metadata.tags[\"feature:dryRun\"] == null then \"Removing inactive user \\(.RemoveInactiveUsers.current.input.targetUser)\" else \"Execution will not remove inactive users because it was started in dry-run mode\" end)", + "initialDelay": null, + "pause": null, + "when": null, + "validate": null, + "autoRetry": null, + "repeat": null, + "errorMessages": [], + "dryRun": { + "output": { + "outputs": "[ ]" + } + } + } + ], + "listeners": [] + }, + "id": 
"examples-<<>>:RemoveInactiveSubaccountUsers:1", + "name": "RemoveInactiveSubaccountUsers", + "description": "Removes inactive users from your SAP BTP account, with the option to customize the inactivity grace period", + "catalog": "examples-<<>>", + "version": 1, + "inputKeys": { + "targetIdentityProvider": { + "type": "string", + "sensitive": false, + "required": false, + "minSize": null, + "maxSize": null, + "minValue": null, + "maxValue": null, + "allowedValues": null, + "allowedValuesFromInputKeys": null, + "suggestedValues": null, + "suggestedValuesFromInputKeys": null, + "defaultValue": "sap.ids", + "defaultValueFromInput": null, + "description": "Identity provider of the target users. By default it is SAP ID Service (sap.ids)." + }, + "grace": { + "type": "number", + "sensitive": false, + "required": false, + "minSize": null, + "maxSize": null, + "minValue": null, + "maxValue": null, + "allowedValues": null, + "allowedValuesFromInputKeys": null, + "suggestedValues": null, + "suggestedValuesFromInputKeys": null, + "defaultValue": "180", + "defaultValueFromInput": null, + "description": "Number of days since a user's last login after which they are considered inactive" + }, + "removeNeverLogged": { + "type": "boolean", + "sensitive": false, + "required": false, + "minSize": null, + "maxSize": null, + "minValue": null, + "maxValue": null, + "allowedValues": null, + "allowedValuesFromInputKeys": null, + "suggestedValues": null, + "suggestedValuesFromInputKeys": null, + "defaultValue": "true", + "defaultValueFromInput": null, + "description": "Specifies whether to remove users who have never logged into the SAP BTP account" + }, + "serviceKey": { + "type": "object", + "sensitive": true, + "required": true, + "minSize": null, + "maxSize": null, + "minValue": null, + "maxValue": null, + "allowedValues": null, + "allowedValuesFromInputKeys": null, + "suggestedValues": null, + "suggestedValuesFromInputKeys": null, + "defaultValue": null, + "defaultValueFromInput": 
null, + "description": "Service key for SAP Authorization and Trust Management Service" + }, + "excludeUsers": { + "type": "array", + "sensitive": false, + "required": false, + "minSize": null, + "maxSize": null, + "minValue": null, + "maxValue": null, + "allowedValues": null, + "allowedValuesFromInputKeys": null, + "suggestedValues": null, + "suggestedValuesFromInputKeys": null, + "defaultValue": "[]", + "defaultValueFromInput": null, + "description": "List of users who should not be removed even if they are inactive" + } + }, + "outputKeys": { + "inactiveUsers": { + "type": "array", + "sensitive": false, + "description": "List of the detective inactive users based on the specified input parameters" + } + }, + "tags": { + "feature:logs": "", + "feature:priority": "medium" + } + } + ] +} \ No newline at end of file
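Review bot: the `btp create security/api-credential` example under Requirements in `remove-inactive-subaccount-users/README.md` passes `--sub-account ''`, an empty string, so copying it verbatim either fails or targets no subaccount; use a visible placeholder such as `--sub-account <subaccount-id>`, verify the flag spelling against the CLI's own help output, and say that the JSON printed by `--format json` is the credential itself (it is what goes into the sensitive `serviceKey` input), so it belongs directly in the command input and not in shell history or a ticket. Two smaller documentation points in the same file: under How to use, `*Trigger Dry* Run` should be `*Trigger Dry Run*` (and the list items under Trigger the Command Manually are missing their final periods); and Expected result promises "A list of removed inactive users" while the catalog's `inactiveUsers` output is built from `FindInactiveUsers`, i.e. the users that were identified, which is also what a dry run returns, so either word the README as "identified" or derive the output from the removal step. Because `removeNeverLogged` defaults to `true` and the Description recommends a weekly or monthly schedule, the README should also warn that a user invited after the previous run who has not yet logged in is removed by the next run unless listed in `excludeUsers`.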
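Review bot: in `catalog.json` the `ListAllUsers` executor fetches a single page (`"pageSize": "500"`) and nothing consumes `totalResultsCount` except the progress message, so on a subaccount with more than 500 users only the first page is inspected and the remaining users are silently skipped; either page through the results or add a `validate` on `ListAllUsers` that fails when `.ListAllUsers.output.users | length` is smaller than `.ListAllUsers.output.totalResultsCount`. Related: `BuildUserLastLogon` joins users to details by position (`$users[.key]` over `to_entries` of `.GetUserDetails.output.outputs`), so it relies on `ForEach` returning one output per input in input order with no gaps; if an entry is ever omitted or reordered, every later user is paired with someone else's `lastLogonTime` and the wrong people get removed. If the `GetSubAccountUser` output carries the user name, key the join on that instead. Safety of the destructive step: `grace` has `"minValue": null`, so `0` or a negative value makes `(nowMillis - $.execution.input.grace * 24 * 60 * 60 * 1000) > .lastLogonTime` true for every user, and `excludeUsers` defaults to `[]`, so a mis-sized grace or a service key for the wrong subaccount removes every user the credential can see, including the administrators who would have to undo it; set `minValue` on `grace` (for example `1`) and consider a `validate` on `FindInactiveUsers` that stops the execution when the inactive count equals the total user count. Also, with `removeNeverLogged` defaulting to `true` and no creation-time check in the `FindInactiveUsers` filter, a user invited just before a scheduled run is treated as inactive immediately; default it to `false`, or, if the user-details output exposes a creation timestamp, compare that against the grace period as well. Minor: the `inactiveUsers` output description reads "detective inactive users" (should be "detected"), and the `toDate("yyyy-MM-dd HH:mm:ss")` mapping will render the `-1` sentinel of never-logged users as an epoch-era date, so map `-1` to `null` before formatting.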