Membership lifecycle
Starting with version 1.6.0, IAM introduces support for basic account life cycle management.
It’s now possible to set an expiration time for IAM accounts. Once the account expires, login for the account is disabled.
IAM can be configured to remove expired accounts after a configurable grace period.
Account end time settings
By default, accounts in IAM do not have an end time set, i.e. the lifetime is unbounded.
A default account validity period (e.g., 12 months) can be configured and will be set for users at registration time.
The relevant settings are managed by placing lifecycle directives in a custom configuration file:
    lifecycle:
      account:
        account-lifetime-days: 365 ## 0 means unbounded validity
        read-only-end-time: false ## When true, the end time cannot be changed from IAM APIs and dashboard
        expired-account-policy:
          suspension-grace-period-days: 7 ## Accounts will be suspended after 7 days since expiration
          remove-expired-accounts: false ## When false, expired accounts are not removed
          removal-grace-period-days: 30 ## Accounts will be removed after 30 days since expiration (if remove-expired-accounts is true)
        expired-accounts-task:
          cron-schedule: 0 */5 * * * * ## spring cron schedule for the lifecycle task (default setting is every 5 mins)
          enabled: true ## To disable automatic account expiration set this to false
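An added example, not part of the IAM documentation or code base: a Python model of the timeline these settings imply, for auditing which accounts should already be suspended or removed under a given policy. The class and function names, the state labels, the sample accounts and the inclusive grace-period boundaries are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class LifecyclePolicy:
    # Fields mirror the lifecycle.account keys; defaults are the values shown above.
    account_lifetime_days: int = 365  # 0 means unbounded validity
    suspension_grace_period_days: int = 7
    remove_expired_accounts: bool = False
    removal_grace_period_days: int = 30


def default_end_time(policy: LifecyclePolicy, registered_at: datetime) -> Optional[datetime]:
    """End time set at registration; None when the lifetime is unbounded."""
    if policy.account_lifetime_days == 0:
        return None
    return registered_at + timedelta(days=policy.account_lifetime_days)


def expected_state(policy: LifecyclePolicy, end_time: Optional[datetime], now: datetime) -> str:
    """State the policy implies at `now` (labels are hypothetical, not IAM's)."""
    if end_time is None or now < end_time:
        return "valid"
    overdue = now - end_time
    # Assumption: a grace period counts as elapsed once `overdue` reaches it.
    if policy.remove_expired_accounts and overdue >= timedelta(days=policy.removal_grace_period_days):
        return "due-for-removal"
    if overdue >= timedelta(days=policy.suspension_grace_period_days):
        return "due-for-suspension"
    return "expired-in-grace"


def audit(policy: LifecyclePolicy, accounts: dict, now: datetime) -> dict:
    """Map each account name to its expected state, given registration times."""
    return {name: expected_state(policy, default_end_time(policy, reg), now)
            for name, reg in accounts.items()}


# Constructed sample data: account names and registration times are made up.
SAMPLE = {
    "alice": datetime(2021, 1, 1, tzinfo=timezone.utc),
    "bob": datetime(2021, 6, 1, tzinfo=timezone.utc),
}

if __name__ == "__main__":
    now = datetime(2022, 2, 15, tzinfo=timezone.utc)
    print(audit(LifecyclePolicy(), SAMPLE, now))
    print(audit(LifecyclePolicy(remove_expired_accounts=True), SAMPLE, now))
```

Because the lifecycle task runs on the configured cron schedule, the state IAM actually records can lag these computed states by up to one task interval.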
Last modified September 17, 2021: Fix some broken references (881a38a)