Membership lifecycle
Starting with version 1.6.0, IAM introduces support for basic account life cycle management.
It’s now possible to set an expiration time for IAM accounts. Once the account expires, login for the account is disabled.
IAM can be configured to remove expired accounts after a configurable grace period.
Account end time settings
By default, accounts in IAM do not have an end time set, i.e. the lifetime is unbounded.
A default account validity period (e.g., 12 months) can be configured and will be set for users at registration time.
The relevant settings are managed by placing lifecycle
directives in a
custom configuration
file:
lifecycle:
account:
# 0 means unbounded validity
account-lifetime-days: 0
# When true, the end time cannot be changed from IAM APIs and dashboard
read-only-end-time: false
expired-account-policy:
# Accounts will be suspended after 7 days since expiration
suspension-grace-period-days: 7
# When false, expired accounts are not removed
remove-expired-accounts: true
# Accounts will be removed after 30 days since expiration
# (if remove-expired-accounts is true)
removal-grace-period-days: 30
expired-accounts-task:
# Internal cron schedule for the lifecycle task.
# Default setting is every 5 mins
cron-schedule: 0 */5 * * * *
# To disable automatic account expiration set this to false
enabled: true
Last modified February 23, 2023: Cosmetic fix (643b80e)