20 Apr 2018 06:38 AM - last edited on 17 Oct 2022 02:53 AM by Ana_Kuzmenchuk
With the introduction of GDPR, the requirement to provide "delete me" functionality becomes important.
In this regard I was wondering if there is a possibility to automatically remove inactive users from Dynatrace?
Hi @Tarjei U.
You can only manually delete users in Dynatrace. We do not have an automatic delete feature.
Is there a simple way to at least show the last logon date/time of a user and we can take it from there...?
I echo Brian L's question: is there a way of getting last login at least?
So we could delete any older than XX days - typical AUDIT requirements.
And it also becomes quite pertinent with regard to GDPR.
Not a GDPR expert (is anyone?) but in what way would that apply to internal employees which are the only people I expect would be logging in to Dynatrace?
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
I'm clear on that but would suspect this is more for a customer -> service provider relationship as opposed to an employee -> employer relationship. I would expect an employer has the right to keep records on their employment history. Note that I'm just curious as I've never heard anyone applying GDPR regs to employees. I did find this though, so it does seem to cover it to some extent, though the details are beyond me: https://www.taylorwessing.com/globaldatahub/article-changes-to-employee-data-management-under-the-gdpr.html
There's the line that employees as data subjects have "the right to be forgotten under certain circumstances" which is quite vague.
Though even in this case first as it's really just a name and probably a company email address and second as there is always the option to delete an account if requested so I'm not sure I would agree that it would be necessary for GDPR compliance but agree it would be nice to have just as a matter of good housekeeping. Again a disclaimer I'm not at all involved in the decisions around this but am just interested.
We have an actual case where we are going to integrate Dynatrace with a company's AD using SAMLv2. In this case, the company asked us:
a) Why Dynatrace needs to keep a local copy of the user at all
b) If there is a possibility of autodeleting a user.
So their thought process is as follows. Employee Alice quits the company. Her user account in the company will follow the normal process, and be removed from the AD in due time. However, the user in Dynatrace will not. And according to them this is not in line with GDPR.
Don't know about SaaS, but you can delete users and groups (also create them) using the REST API in Dynatrace Managed. I'm pretty sure Dynatrace has a similar API for SaaS, but it's probably not public.
Typically enterprise customers do have an IAM tool, which handles such cases and creates/deletes users in applications. When someone quits a company, the IAM tool is in charge of deactivating and deleting accounts.
I've never seen a tool which would "autodelete" users if they cannot be found anymore in AD/LDAP.
@Tarjei U. Our current SAML implementation is EAP and not feature-complete. There are known limitations, like a user needs to be created in Dynatrace.
We are aware of this and working on a brand new SAML implementation which resolves the two issues you mentioned.
Will this apply to AppMon, and possibly DCRUM in the future as well?
Can you give me an update on the implementation of this feature? We have a customer who is asking the same question and it's very critical for the implementation plan.
Thanks in advance!
This question becomes very critical, and it is important to enable some sort of functionality for all tools in order to comply with GDPR regulations when it comes to removal of user accounts. A local copy of a user containing a mail address is, as far as I can understand, personal data. Especially when the mail address is directly linked with the name and a user ident, which they are, more often than not. As Tarjei mentions, the user also has the right to removal of their personal data.
We do have service providers as customers, which makes it necessary to be able to automatically remove users from the various Dynatrace tools. I think Tarjei is asking for "last login" in order to be able to identify which users are inactive, and thus should be removed. This grouping of users I imagine could be a possible methodology for group deleting users that aren't active.
Obviously this would in some scenarios bring up another important functionality regarding re-enablement of users deleted, that needs handling... Again, without being in breach of GDPR regulations.