IBM Cloud Docs
Identifying inactive identities

Identities are considered inactive when they haven't logged in or been in use in 30 days. You can review which users, service IDs, trusted profiles, and API keys in your account are inactive. You might want to remove inactive identities if they are no longer needed. Removing access for inactive identities can reduce the risk of unauthorized access to your IBM Cloud resources and help you manage access more efficiently. To manage inactive identities, you must be assigned the Administrator role on the IAM Identity Service.

When you remove an identity that appears in the table, for example a user, and then click Update report, it takes a few minutes before the new report excludes that identity.

Managing inactive identities in the console

To view inactive identities in the console, complete the following steps:

  1. In the IBM Cloud console, click Manage > Access (IAM), and select Inactive identities.

  2. Click Update report to view the most recent report of the inactive identities in your account.

    Only the most recent report is available. Reports older than a day are deleted when generating a new report.

  3. Select a tab to review a list of inactive identities.

  4. To delete inactive identities that are no longer in use, click the Actions icon > Remove.

Before you delete an identity, confirm that it has been inactive for at least 30 days.

To learn more about the implications of removing or deleting identities in your account, review the following documentation:

Managing inactive identities by using the API

To view inactive identities by using the IAM Identity Services API, complete the following steps:

  1. Get your account ID, which you'll need in later steps. Go to the Account settings page in the console to view your account ID. The account ID is a 32-character unique account identifier.

  2. Trigger the inactive identities report for your account. The type and duration query parameters are optional; duration is the report window in days, and the SDK examples below use 120. The response contains a reference that you pass to the next step. Replace ACCOUNT_ID with your account ID and TOKEN with an IAM access token; the SDK snippets assume an already initialized IAM Identity service client.

    curl:

    curl -X POST 'https://iam.cloud.ibm.com/v1/activity/accounts/ACCOUNT_ID/report?type=inactive&duration=120' -H 'Authorization: Bearer TOKEN' -H 'Content-Type: application/json'
    
    Java:

    CreateReportOptions createReportOptions = new CreateReportOptions.Builder()
     .accountId(accountId)
     .type("inactive")
     .duration("120")
     .build();
    
    Response<ReportReference> response = service.createReport(createReportOptions).execute();
    ReportReference reportReference = response.getResult();
    
    // Keep the reference; it identifies the report when you fetch it in the next step.
    String reportReferenceValue = reportReference.getReference();
    
    System.out.println(reportReferenceValue);
    
    Node.js:

    const params = {
    accountId: accountId,
    type: 'inactive',
    duration: '120',
    };
    
    try {
    const res = await iamIdentityService.createReport(params);
    // The SDK wraps the API payload in res.result.
    reportReference = res.result.reference;
    console.log(JSON.stringify(res.result, null, 2));
    } catch (err) {
    console.warn(err);
    }
    
    Python:

    import json

    create_report_response = iam_identity_service.create_report(
    account_id=account_id,
    type="inactive",
    duration="120",
    ).get_result()
    
    print(json.dumps(create_report_response, indent=2))
    
    Go:

    createReportOptions := iamIdentityService.NewCreateReportOptions(accountID)
    createReportOptions.SetType("inactive")
    createReportOptions.SetDuration("120")
    
    // The second return value is the detailed HTTP response; discard it so the build does not fail on an unused variable.
    report, _, err := iamIdentityService.CreateReport(createReportOptions)
    if err != nil {
    panic(err)
    }
    b, _ := json.MarshalIndent(report, "", "  ")
    fmt.Println(string(b))
    
    
  3. Get the inactive identities report. Replace REFERENCE with the reference returned in step 2, or use latest to fetch the most recent report, as the SDK examples do.

    curl:

    curl -X GET 'https://iam.cloud.ibm.com/v1/activity/accounts/ACCOUNT_ID/report/REFERENCE' -H 'Authorization: Bearer TOKEN' -H 'Content-Type: application/json'
    
    Java:

    GetReportOptions getReportOptions = new GetReportOptions.Builder()
       .accountId(accountId)
       .reference(reportReferenceValue)
       .build();
    
    Response<Report> response = service.getReport(getReportOptions).execute();
    Report fetchedReport = response.getResult();
    
    System.out.println(fetchedReport);
    
    Node.js:

    const params = {
    accountId: accountId,
    reference: 'latest',
    };
    
    try {
    const res = await iamIdentityService.getReport(params);
    console.log(JSON.stringify(res.result, null, 2));
    } catch (err) {
    console.warn(err);
    }
    
    Python:

    import json

    get_report_response = iam_identity_service.get_report(
    account_id=account_id, reference="latest"
    ).get_result()
    
    print(json.dumps(get_report_response, indent=2))
    
    Go:

    getReportOptions := iamIdentityService.NewGetReportOptions(accountID, "latest")
    
    report, _, err := iamIdentityService.GetReport(getReportOptions)
    if err != nil {
    panic(err)
    }
    b, _ := json.MarshalIndent(report, "", "  ")
    fmt.Println(string(b))
    

    Take note of the IAM IDs for inactive users. The report also lists inactive service IDs, API keys, and trusted profiles; those are not users and are deleted with the corresponding delete operations of the IAM Identity Services API rather than with the User Management API call in the next step.

  4. To delete inactive users that are no longer in use, call the User Management API. Replace ACCOUNT_ID with your account ID and IAM_ID with the IAM ID of the user from the report; the SDK snippets assume an already initialized User Management service client.

    curl:

    curl -X DELETE 'https://user-management.cloud.ibm.com/v2/accounts/ACCOUNT_ID/users/IAM_ID' -H 'Authorization: Bearer TOKEN' -H 'Content-Type: application/json'
    
    Java:

    RemoveUserOptions removeUserOptions = new RemoveUserOptions.Builder()
    .accountId(accountId)
    .iamId(deleteUserId)
    .build();
    
    // A successful removal returns an empty body; check the HTTP status instead.
    Response<Void> response = userManagementService.removeUser(removeUserOptions).execute();
    System.out.println(response.getStatusCode());
    
    Node.js:

    const params = {
    accountId: accountId,
    iamId: deleteUserId,
    };
    
    try {
    await userManagementAdminService.removeUser(params);
    } catch (err) {
    console.warn(err);
    }
    
    Python:

    # The removal returns no body, so report the HTTP status code rather than the (empty) result.
    response = user_management_admin_service.remove_user(
    account_id=account_id,
    iam_id=delete_user_id,
    )
    
    print(response.get_status_code())
    
    Go:

    removeUserOptions := userManagementService.NewRemoveUserOptions(
    accountID,
    deleteUserID,
    )
    
    // Use the same client that built the options; the removal returns no body, so print the status code.
    response, err := userManagementService.RemoveUser(removeUserOptions)
    if err != nil {
    panic(err)
    }
    fmt.Println(response.StatusCode)
    

    Before you delete an identity, confirm that it has been inactive for at least 30 days.
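The steps above fetch the report and remove a user, but the 30-day check in the note is left to you, and the report also lists service IDs, API keys and trusted profiles that the step-4 call does not handle. The following added example (not IBM's code, and not part of the original page) triages a report before anything is deleted: it computes each identity's inactivity from the report's own end time, applies a threshold, keeps the report's creator and an explicit allowlist out of the removal list so you cannot lock yourself out, parks identities with no recorded authentication for manual review, and builds the step-4 delete requests for the users only. It assumes the report JSON carries created_by, report_end_time and the four lists users, serviceids, apikeys and profiles, each entry with iam_id (users) or id (other kinds), name and last_authn; verify those field names against a real report. The sample report, account ID and identifiers are constructed.

```python
"""Triage an inactive-identities report before removing anything.

Added example, not IBM's code. Field names (created_by, report_end_time,
users/serviceids/apikeys/profiles, iam_id/id, name, last_authn) are
assumptions to verify against a real report. The sample is constructed.
"""
import json
from datetime import datetime, timezone

# Constructed sample report: account, IAM IDs and timestamps are made up.
SAMPLE_REPORT = json.dumps({
    "created_by": "IBMid-creator",
    "reference": "latest",
    "report_duration": "120",
    "report_start_time": "2024-03-02T12:00:00.000Z",
    "report_end_time": "2024-06-30T12:00:00.000Z",
    "users": [
        {"iam_id": "IBMid-user-stale", "name": "Old Contractor", "last_authn": "2024-03-01T08:00:00.000Z"},
        {"iam_id": "IBMid-user-recent", "name": "New Hire", "last_authn": "2024-06-20T12:00:00.000Z"},
        {"iam_id": "IBMid-creator", "name": "Account Admin", "last_authn": "2024-01-10T12:00:00.000Z"},
        {"iam_id": "IBMid-breakglass", "name": "Break-glass Admin", "last_authn": "2024-02-01T12:00:00.000Z"},
    ],
    "serviceids": [{"id": "ServiceId-abc", "name": "ci-runner", "last_authn": None}],
    "apikeys": [{"id": "ApiKey-123", "name": "legacy-deploy-key", "last_authn": "2024-05-15T12:00:00.000Z"}],
    "profiles": [{"id": "Profile-xyz", "name": "k8s-workload", "last_authn": "2024-06-15T12:00:00.000Z"}],
})

KINDS = (("user", "users"), ("serviceid", "serviceids"), ("apikey", "apikeys"), ("profile", "profiles"))


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp such as 2024-06-30T12:00:00.000Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def triage(report, threshold_days=30, protected=frozenset()):
    """Sort every identity in the report into remove / keep / review buckets.

    remove: last authenticated at least threshold_days before the report end.
    keep:   active more recently, the report's creator, or on the protected allowlist.
    review: no authentication on record, so the report cannot say whether the
            identity was never used or is simply older than the data retained.
    """
    as_of = parse_ts(report["report_end_time"])
    creator = report.get("created_by")
    plan = {"remove": [], "keep": [], "review": []}
    for kind, key in KINDS:
        for entry in report.get(key, []):
            ident = entry.get("iam_id") or entry.get("id")
            last = entry.get("last_authn")
            days = (as_of - parse_ts(last)).days if last else None
            item = {"kind": kind, "id": ident, "name": entry.get("name"), "days": days}
            if ident == creator or ident in protected:
                item["reason"] = "protected identity"
                plan["keep"].append(item)
            elif days is None:
                item["reason"] = "no authentication recorded"
                plan["review"].append(item)
            elif days >= threshold_days:
                item["reason"] = f"inactive {days} days"
                plan["remove"].append(item)
            else:
                item["reason"] = f"active {days} days ago"
                plan["keep"].append(item)
    return plan


def user_delete_requests(plan, account_id):
    """Build the step-4 User Management API calls for users slated for removal.

    Only users are handled; service IDs, API keys and trusted profiles are
    deleted through the IAM Identity Services API. Nothing is sent here.
    """
    base = f"https://user-management.cloud.ibm.com/v2/accounts/{account_id}/users/"
    return [("DELETE", base + item["id"]) for item in plan["remove"] if item["kind"] == "user"]


def example_plan():
    """Run the triage over the constructed sample with the 30-day threshold."""
    return triage(json.loads(SAMPLE_REPORT), threshold_days=30, protected=frozenset({"IBMid-breakglass"}))


if __name__ == "__main__":
    plan = example_plan()
    for bucket in ("remove", "review", "keep"):
        for item in plan[bucket]:
            print(f"{bucket:6} {item['kind']:9} {item['id']:18} {item['reason']}")
    for method, url in user_delete_requests(plan, "ACCOUNT_ID"):
        print(method, url)
```

Run it against a report saved from step 3 by replacing SAMPLE_REPORT with the file contents; only the remove bucket feeds the delete calls, the review bucket is for a human, and raising threshold_days above the report window simply empties the remove list.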

To learn more about the implications of removing or deleting identities in your account, review the following documentation: