
Automatically delete old users

tarjei_utnes
Organizer

Hi,

With the introduction of GDPR, the requirement to provide "delete me" functionality becomes important.

In this regard I was wondering if there is a possibility to automatically remove inactive users from Dynatrace?

17 REPLIES

gerald_
Inactive

Hi @Tarjei U.

You can only manually delete users in Dynatrace. We do not have an automatic delete feature.

Gerald

Lasher
Participant

Is there a simple way to at least show the last logon date/time of a user and we can take it from there...?

tarjei_utnes
Organizer

I echo Brian L's question, is there a way of getting last login at least?

gerald_
Inactive

Hello, we do not have this information in the product.

Why do you need the last login date/time?

So we could delete any older than XX days - typical AUDIT requirements.

And it also becomes quite pertinent with regards to GDPR

Not a GDPR expert (is anyone?) but in what way would that apply to internal employees which are the only people I expect would be logging in to Dynatrace?

The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:


  1. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  2. the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
  3. the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
  4. the personal data have been unlawfully processed;
  5. the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
  6. the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).

I'm clear on that but would suspect this is more for a customer -> service provider relationship as opposed to an employee -> employer relationship. I would expect an employer has the right to keep records on their employment history. Note that I'm just curious as I've never heard anyone applying GDPR regs to employees. I did find this though, so it does seem to cover it to some extent, though the details are beyond me: https://www.taylorwessing.com/globaldatahub/article-changes-to-employee-data-management-under-the-gdpr.html

There's the line that employees as data subjects have "the right to be forgotten under certain circumstances" which is quite vague.

Though even in this case first as it's really just a name and probably a company email address and second as there is always the option to delete an account if requested so I'm not sure I would agree that it would be necessary for GDPR compliance but agree it would be nice to have just as a matter of good housekeeping. Again a disclaimer I'm not at all involved in the decisions around this but am just interested.

We have an actual case where we are going to integrate Dynatrace with a company's AD using SAMLv2. In this case, the company asked us

a) Why Dynatrace needs to keep a local copy of the user at all

b) If there is a possibility of autodeleting a user.

So their thought process is as follows. Employee Alice quits the company. Her user account in the company will follow the normal process, and be removed from the AD in due time. However the user in Dynatrace will not. And according to them this is not in line with GDPR.

Don't know about SaaS, but you can delete users and groups (also create them) using REST API in Dynatrace Managed. I'm pretty sure Dynatrace has similar API for SaaS, but it's probably not public.

Typically enterprise customers do have an IAM tool, which handles such cases and creates/deletes users in applications. When someone quits a company, the IAM tool is in charge of deactivating and deleting accounts.
I've never seen a tool which would "autodelete" users if they cannot be found anymore in AD/LDAP.

Certified Dynatrace Master | Alanata a.s., Slovakia, Dynatrace Master Partner

gerald_
Inactive

@Tarjei U. Our current SAML implementation is EAP and not feature-complete. There are known limitations like a user needs to be created in Dynatrace.

We are aware of this and working on a brand new SAML implementation which resolves the two issues you mentioned.

Gerald

Will this apply to AppMon, and possibly DCRUM in the future as well?

Hi Gerald,

Can you give me an update on the implementation of this feature? We have a customer who is asking the same question and it's very critical for the implementation plan.

Thanks in advance!



torsten_granli2
Contributor

This question becomes very critical, and it is important to enable some sort of functionality for all tools in order to comply with GDPR regulations when it comes to removal of user accounts. A local copy of a user containing a mail address is, as far as I can understand, personal data. Especially when the mail address is directly linked with the name and a user ident, which they are, more often than not. As Tarjei mentions, the user also has the right to removal of their personal data.

We do have service providers as customers, which makes it necessary to be able to automatically remove users from the various Dynatrace tools. I think Tarjei is asking for "last login" in order to be able to identify which users are inactive, and thus should be removed. This grouping of users I imagine could be a possible methodology for group deleting users that aren't active.

Obviously this would in some scenarios bring up another important functionality regarding re-enablement of users deleted, that needs handling... Again, without being in breach of GDPR regulations.

acurry583
Newcomer

Hi! It is 2023 and I am looking for an update on this feature for compliance. Is there an auto-delete or "user not logged in within 30 days" check that can delete the user? The search function brought me to this thread from 2018.

DanielS
DynaMight Guru

You can resolve this using the Dynatrace Account Management API. See instructions on how to get the OAuth2 token in the link.

  1. You can use the Lists all users of an account request and use the lastSuccessfulLogin field of the answer.
  2. With a small script to get the current date and compare it with the date from the field you do the math to obtain if last successful login is greater than XX days. If yes you can capture the email field.
  3. With the email field you can call the Removes a user from an account request and use the email as the required parameter.
  4. Cron this script daily and you are done.
The true delight is in the finding out rather than in the knowing.
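
The selection and deletion steps from the answer above, sketched as an added example that is not part of the original post and not Dynatrace code. It assumes the user list has already been fetched and flattened to records with `email` and `lastSuccessfulLogin` (ISO 8601, or null for never logged in), and that `delete_user` is a hypothetical callable wrapping the remove-user request; the dry-run default, protected list and batch cap are added safeguards for an unattended daily job.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records (not real accounts); field names are assumed.
SAMPLE_USERS = [
    {"email": "alice@example.com", "lastSuccessfulLogin": "2023-11-20T09:00:00Z"},
    {"email": "bob@example.com", "lastSuccessfulLogin": "2023-09-01T10:00:00+02:00"},
    {"email": "carol@example.com", "lastSuccessfulLogin": None},
    {"email": "breakglass@example.com", "lastSuccessfulLogin": "2022-01-01T00:00:00Z"},
]

def parse_login(value):
    """Return an aware UTC datetime, or None if the user never logged in."""
    if not value:
        return None
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if parsed.tzinfo is None:  # assumption: naive timestamps are UTC
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)

def select_stale(users, now, max_age_days, protected=frozenset()):
    """Return (stale, never_logged_in) e-mail lists, skipping protected accounts."""
    cutoff = now - timedelta(days=max_age_days)
    stale, never = [], []
    for user in users:
        email = user["email"].lower()
        if email in protected:
            continue
        last = parse_login(user.get("lastSuccessfulLogin"))
        if last is None:
            never.append(email)  # reported only: could be a fresh invite
        elif last < cutoff:
            stale.append(email)
    return stale, never

def prune(users, now, max_age_days, delete_user, protected=frozenset(),
          max_fraction=0.25, dry_run=True):
    """Delete stale users via delete_user(email); refuse suspiciously large batches."""
    stale, never = select_stale(users, now, max_age_days, protected)
    if users and len(stale) / len(users) > max_fraction:
        raise RuntimeError(f"{len(stale)} of {len(users)} users stale; aborting")
    if not dry_run:
        for email in stale:
            delete_user(email)
    return stale, never

if __name__ == "__main__":
    now = datetime(2023, 11, 29, tzinfo=timezone.utc)
    print(prune(SAMPLE_USERS, now, 30, print, protected={"breakglass@example.com"}))
```

Log every e-mail returned in the stale list before enabling `dry_run=False`, so the deletion run leaves an audit trail.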
