Our company is in the early stages of our Samanage Inventory deployment. We will be managing users via SSO using OneLogin, leveraging OneLogin both for authentication and provisioning. I've noticed some inconsistencies with the actions that are taken when a user is "deprovisioned" that I'd like to get some thoughts and/or best practice suggestions on how to handle.
First, a bit of relevant background information. Because we are only using the Inventory component, only Samanage admins will be logging into the portal. The vast majority of users are being provisioned in Samanage essentially only for the purpose of assignment by admins and will never log into the portal. This has the unfortunate side effect that virtually all of the users that get provisioned never end up activated. Herein lies the inconsistency when a user is deprovisioned. Here's the behavior I'm seeing:
- If a provisioned user account had been activated, deprovisioning the user causes their Samanage account to be disabled.
- If a provisioned user account had NOT been activated (as will be the case for most accounts), deprovisioning the user causes the Samanage account to be deleted completely.
A blog post from July 2013 suggests that disabling the user (as opposed to completely deleting the user) is the preferred course of action so that history data for that user remains intact. Unfortunately it appears that we may lose this historical data based on my observations noted above. Our Implementation Specialist was adamant that completely deleting a user wouldn't be a problem and did confirm that if an inactive user is completely deleted when assigned to an asset, the Owner field is just blanked out.
I'm not a big fan of this inconsistency because I suspect it will end up creating confusion in the future. It's also clear from that blog post that Samanage doesn't intend for user accounts to be deleted, but instead deactivated. I see two possible solutions, but our Implementation Specialist has indicated that neither is possible:
- Provide a way to force a provisioned account to be activated. This would be the preferred solution in my opinion, but we've been told that this is not possible.
- Allow a previously activated user account to be completely deleted. This would at least keep the behavior consistent between activated and unactivated user accounts.
Any other options that I'm missing? Thanks!