This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Log in to ask a question

user suspend workflow if archived first

Posted on 06-14-2023 09:15 AM
MioG663783
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

I'm following up on an administration question that came up for our organization.  The online help content doesn't state this explicitly. 

We have users who were archived, but are not suspended.  The Admin UI allows active users to be suspended or archived, but an archived user cannot be suspended using UI.  Is there any supported method of directly suspending an already archived user?  We don't want to unarchive users to do this.  

This is a problem when we need to determine if a user is active, using LDAP.  The suspended LDAP attribute is the only value that's close to indicate if a user "active" but the UI doesn't require that attribute to be set to true for an inactive user.  

0 6 581
Topic Labels
0 Likes
6 REPLIES 6

Posted on --/--/---- --:-- AM
b_gorsky1
Silver 2
Silver 2
Reply posted on --/--/---- --:-- AM

Curious as to why you want to suspend an archived user? I believe once they are archived they can no longer use the account.

0 Likes

Posted on --/--/---- --:-- AM
MioG663783
Bronze 1
Bronze 1
In response to b_gorsky1
Reply posted on --/--/---- --:-- AM

Because "archived" is not stored as an LDAP accessible directory attribute for the user.  The only attribute which appears in LDAP is the "suspended" boolean value.  On the topic, the "suspended" attribute isn't listed in the user schema: https://support.google.com/a/answer/9188164 but both suspended and archived values exist in the API reference: https://developers.google.com/admin-sdk/directory/reference/rest/v1/users

0 Likes

Posted on --/--/---- --:-- AM
MioG663783
Bronze 1
Bronze 1
In response to b_gorsky1
Reply posted on --/--/---- --:-- AM

The idea is to archive offboarded users, but to properly detect a user as offboarded, only the suspended attribute is usable via LDAP.  It would follow that the user has to be suspended first, then archived.  The obstacle is once a user is archived, they cannot also subsequently be suspended - for what's, in my opinion, no good reason.  

0 Likes

Posted on --/--/---- --:-- AM
b_gorsky1
Silver 2
Silver 2
In response to MioG663783
Reply posted on --/--/---- --:-- AM

I understand.

0 Likes

Posted on --/--/---- --:-- AM
MioG663783
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

Clarifying the question:

Is there any supported method of directly suspending an already archived user?  The Admin UI doesn't allow this.  Can we achieve this via LDAP or API?

0 Likes

Posted on --/--/---- --:-- AM
tangerinehuge
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

I assume you found the answer to this by now but in case anyone else is wondering you can accomplish this via GAMADV-XTD. Here's how to do it with a single user and to all archived but non-suspended users in the domain.

Single user:

gam update user user@domain.com suspended on

All archived non-suspended users:

gam print users query "isSuspended=False isArchived=True" | gam csv - gam update user ~primaryEmail suspended on
0 Likes
Top Labels in this Space
Top Solution Authors
View all