This content originally appeared on DEV Community and was authored by hediyeh kianmehr
Overview
This guide explains the process of suspending user accounts in OpenIAM.
Suspension is a temporary restriction on access, without fully deactivating or deleting the user.
It is typically used in scenarios such as investigations, extended leave, or security risk management.
Key objectives:
- Apply suspension according to policy.
- Temporarily block access while keeping the user identity intact.
- Ensure suspension is logged in security/audit logs.
- Support reactivation when conditions are cleared.
Input:
- User identity information (login ID, employee ID, or email).
- Business/HR policy requiring suspension.
- Managed system configuration for enforcement.
Output:
- User status set to Suspended.
- Active sessions terminated.
- Suspension event recorded in logs.
- Access revoked until reactivation.
Audience: IAM administrators, compliance officers, and IT security staff.
Suspension Policy
Suspension is governed by organizational rules and IAM policies.
Typical use cases for suspension:
- Employee on long-term leave.
- Pending investigation (HR or security).
- Suspected security breach (temporary precaution while it is assessed).
- Access pause due to policy violation.
Policy guidelines:
- Suspension should not delete roles or entitlements (so they can be restored).
- HR/Compliance must authorize suspensions.
- Audit trail must capture all suspension events.
- Only IAM Administrators can perform suspensions.
Suspension Execution
Steps
- Log in to the OpenIAM Administration Console.
- Navigate to Administration → User Management → Search User.
- Select the user account.
- Change status to Suspended.
- Save changes.
- Navigate to Session Management and terminate any active sessions.
Checklist
- User account status is now Suspended.
- Active sessions terminated.
- Suspension request recorded in logs.
- Notification sent to HR/Compliance if required.
Security Logs
Suspension actions must be fully auditable.
Steps
- Navigate to Administration → Audit Log Viewer.
- Search for the user by login ID or employee ID.
- Confirm that Suspend User action is recorded.
- Export logs if required for compliance or investigation.
Checklist
- Suspension event recorded.
- Session termination event captured.
- Role/entitlement state preserved (not deleted).
- Timestamp and administrator ID logged.
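The checklist above can be verified mechanically. The following is an added example, not part of the original post and not OpenIAM's own code: it runs the four checks over a list of audit events for one user. The event field names (`action`, `target`, `admin`, `ts`), the action names and the timestamp format are assumptions for this example, so exported OpenIAM audit records must be mapped into that shape first.

```python
from datetime import datetime

# Constructed sample events; the field names and action names are this
# example's assumption, not OpenIAM's native audit schema.
SAMPLE_EVENTS = [
    {"action": "SUSPEND_USER", "target": "jdoe", "admin": "iam.admin", "ts": "2024-05-01T09:12:03Z"},
    {"action": "TERMINATE_SESSION", "target": "jdoe", "admin": "iam.admin", "ts": "2024-05-01T09:12:10Z"},
    {"action": "ROLE_REMOVED", "target": "jdoe", "admin": "iam.admin", "ts": "2024-05-01T09:13:00Z"},
    {"action": "SUSPEND_USER", "target": "asmith", "admin": "", "ts": "2024-05-01T10:00:00Z"},
]

# Actions that would mean roles/entitlements were dropped instead of preserved.
ENTITLEMENT_LOSS = {"ROLE_REMOVED", "ENTITLEMENT_REMOVED", "DELETE_USER"}


def _parse_ts(value):
    """Parse the UTC timestamp format used in the sample events; None if absent or invalid."""
    try:
        return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")
    except (TypeError, ValueError):
        return None


def verify_suspension_audit(events, login_id):
    """Return one bool per checklist item for a single user's suspension."""
    user_events = [e for e in events if e.get("target") == login_id]
    suspends = [e for e in user_events if e.get("action") == "SUSPEND_USER"]
    result = {
        "suspension_recorded": bool(suspends),
        "session_termination_recorded": False,
        "entitlements_preserved": True,
        "admin_and_timestamp_logged": False,
    }
    if not suspends:
        return result
    first = suspends[0]
    t0 = _parse_ts(first.get("ts"))
    result["admin_and_timestamp_logged"] = bool(first.get("admin")) and t0 is not None
    for e in user_events:
        t = _parse_ts(e.get("ts"))
        if t0 is None or t is None or t < t0:
            continue  # only events at or after the suspension are relevant
        if e.get("action") == "TERMINATE_SESSION":
            result["session_termination_recorded"] = True
        if e.get("action") in ENTITLEMENT_LOSS:
            result["entitlements_preserved"] = False  # roles were removed, not preserved
    return result


def failed_checks(events, login_id):
    """Names of checklist items that did not pass, for retry or escalation."""
    return [k for k, ok in verify_suspension_audit(events, login_id).items() if not ok]


if __name__ == "__main__":
    for user in ("jdoe", "asmith", "nobody"):
        print(user, failed_checks(SAMPLE_EVENTS, user))
```

In the constructed sample, `jdoe` fails only the entitlement check (a role was removed after suspension, the "Roles removed unintentionally" case from the troubleshooting table), while `asmith` has no session termination and no administrator ID on the suspend event.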
Use Cases
Use Case 1: Employee on Leave
- HR initiates request to suspend the account.
- IAM administrator applies suspension.
- User reactivated upon return.
Use Case 2: Security Investigation
- Security team requests suspension of a suspected user.
- IAM administrator suspends immediately.
- Logs exported for forensic analysis.
Use Case 3: Policy Violation
- Compliance identifies a violation.
- User suspended while investigation proceeds.
- Access restored or offboarding triggered later.
Troubleshooting
Issue | Cause | Resolution |
---|---|---|
User still able to log in | Suspension not synced to target system | Check connector logs and retry sync |
Session not terminated | Session service not triggered | Terminate sessions manually in console |
No audit log for suspension | Logging disabled or misconfigured | Enable audit logging and retry |
Roles removed unintentionally | Policy misapplied | Update policy to preserve entitlements |
Reactivation not possible | Incorrect status mapping | Correct mapping in managed system config |
Logs to Check
- Audit Log Viewer (Admin Console)
- Connector Logs (provisioning engine)
- Application logs in /opt/openiam/logs/
Checklist
- Suspension confirmed in OpenIAM.
- Target systems reflect suspended state.
- Logs reviewed for compliance.
- Any failures retried or escalated.