IBM Verify

  • 1.  Deleting inactive users

    Posted Fri January 12, 2024 01:43 PM

    Hello everyone, is there a setting in ISAM to automatically delete users who haven't logged in, for example, in the last 90 days or so?



    ------------------------------
    Kamran Nili
    ------------------------------


  • 2.  RE: Deleting inactive users

    Posted Sun January 14, 2024 06:43 AM

    Hi,

    There is no such setting in ISAM. Moreover, this is more related to the data source that ISVA users are in (whether it's AD or SDS), and then, along with the Organizational Identity Policy (whether such accounts are to be left in an inactive state or removed), solutions like IGI, ISIM or SDI could be leveraged to act on accounts which haven't logged in for a specific period of time.



    ------------------------------
    Tushar
    ------------------------------



  • 3.  RE: Deleting inactive users

    Posted Tue January 16, 2024 09:13 AM

    There are a few ways to gather and log the last login time, depending on your directory:

    • https://www.ibm.com/docs/en/sva/10.0.7?topic=stanza-enable-last-login
    • https://www.ibm.com/docs/en/sva/10.0.7?topic=stanza-provide-last-login

    My understanding of storing the login time with the LDAP enable-last-login option is that the timestamp gets recorded on the secUser object in the ISVA LDAP registry.  Hence, if you are using basic user mode (and don't have registry objects), this won't work for you.  If you use a different directory type (basic user, federated, whatever), then you'd need to consider an EAI / InfoMap or Lua transform rule to record this last login time somewhere (LDAP, database, etc.).

    That is one piece of the puzzle; your next piece is deleting / disabling / denying the users.  Deleting or disabling is something an IDM such as ISIM or some home-cooked system would need to perform, as that is account maintenance.  You can, however, deny based on the date using an EAI / AAC flow and/or Lua transformation, or something else that can make logic decisions based on that stored data.  I brought this up in the thread on here about the 10.0.7.0 new features, as the developers had pointed out that the Lua transform rules have more hooks in v10.0.7.0, and Lua can write to the LDAP.  In theory you could cook up a solution using Lua to do all of this.  Or you could use EAI, which would give more flexibility, such as writing the timestamp to a database.

    If you do need to disable or delete the accounts, then you'll need something outside of an ISVA solution (I mean, I guess technically you may be able to disable / delete when they log in using an EAI, but that's probably not what anyone wants).



    ------------------------------
    Matt Jenkins
    ------------------------------
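
The two halves Matt describes (a stored last-login timestamp on the registry object, and a separate job outside ISVA that acts on it) can be sketched as a small script. The following is an added example written for this thread, not IBM's code and not something from the original posts. It assumes the last-login value is stored as an LDAP GeneralizedTime string in an attribute named by the placeholder `LAST_LOGIN_ATTR`, and that disabling an account means setting `secAcctValid` to `FALSE` on the secUser entry; confirm both against your registry schema. The registry entries and timestamps are constructed sample data. Entries with no timestamp are deliberately kept out of the "inactive" bucket, which is the basic-user / never-recorded case the post warns about.

```python
"""Classify ISVA registry users by recorded last login and emit LDIF to disable
the stale ones. Illustrative code for the thread; attribute names are assumptions."""
from datetime import datetime, timedelta, timezone

# Placeholder attribute names (assumption): confirm against your registry schema.
LAST_LOGIN_ATTR = "secLastLogin"
ACCT_VALID_ATTR = "secAcctValid"


def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime (RFC 4517) such as '20240112134300Z'.
    Fractional seconds are dropped and only UTC ('Z') values are accepted."""
    if not value.endswith("Z"):
        raise ValueError(f"only UTC GeneralizedTime is supported: {value!r}")
    core = value[:-1].split(".", 1)[0]
    if len(core) != 14 or not core.isdigit():
        raise ValueError(f"malformed GeneralizedTime: {value!r}")
    return datetime.strptime(core, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def classify_users(entries, now, threshold_days=90):
    """Split entries into 'inactive', 'active' and 'unknown' lists of DNs.
    entries: list of {'dn': str, 'attrs': {attr: value}} (one string value per attr).
    A missing or unparsable timestamp (never logged in since enable-last-login was
    switched on, or a basic user with no secUser object) is 'unknown', not 'inactive':
    there is no evidence to delete on."""
    cutoff = now - timedelta(days=threshold_days)
    result = {"inactive": [], "active": [], "unknown": []}
    for entry in entries:
        raw = entry["attrs"].get(LAST_LOGIN_ATTR)
        if raw is None:
            result["unknown"].append(entry["dn"])
            continue
        try:
            last = parse_generalized_time(raw)
        except ValueError:
            result["unknown"].append(entry["dn"])
            continue
        result["inactive" if last < cutoff else "active"].append(entry["dn"])
    return result


def deny_login(entry, now, threshold_days=90):
    """Login-time decision of the kind an EAI / InfoMap / Lua hook would make:
    deny only when a timestamp exists and is older than the threshold. A missing
    timestamp is allowed (that login is the moment to record one)."""
    raw = entry["attrs"].get(LAST_LOGIN_ATTR)
    if raw is None:
        return False
    return parse_generalized_time(raw) < now - timedelta(days=threshold_days)


def disable_ldif(entries, dns):
    """Build an LDIF modify batch setting secAcctValid to FALSE for the given DNs,
    skipping accounts already disabled. Apply it with ldapmodify from outside ISVA."""
    by_dn = {e["dn"]: e for e in entries}
    records = []
    for dn in dns:
        if by_dn[dn]["attrs"].get(ACCT_VALID_ATTR, "TRUE").upper() == "FALSE":
            continue
        records.append(
            f"dn: {dn}\nchangetype: modify\nreplace: {ACCT_VALID_ATTR}\n"
            f"{ACCT_VALID_ATTR}: FALSE\n"
        )
    return "\n".join(records)


# Constructed sample registry entries (not real data).
SAMPLE_NOW = datetime(2024, 1, 16, 9, 13, tzinfo=timezone.utc)
SAMPLE_ENTRIES = [
    {"dn": "cn=alice,ou=people,dc=example,dc=com",
     "attrs": {ACCT_VALID_ATTR: "TRUE", LAST_LOGIN_ATTR: "20240110120000Z"}},   # 6 days ago
    {"dn": "cn=bob,ou=people,dc=example,dc=com",
     "attrs": {ACCT_VALID_ATTR: "TRUE", LAST_LOGIN_ATTR: "20230901080000Z"}},   # ~137 days ago
    {"dn": "cn=carol,ou=people,dc=example,dc=com",
     "attrs": {ACCT_VALID_ATTR: "FALSE", LAST_LOGIN_ATTR: "20230701080000Z"}},  # stale, already disabled
    {"dn": "cn=dave,ou=people,dc=example,dc=com",
     "attrs": {ACCT_VALID_ATTR: "TRUE"}},                                        # no timestamp recorded
]

if __name__ == "__main__":
    buckets = classify_users(SAMPLE_ENTRIES, SAMPLE_NOW)
    print(buckets)
    print(disable_ldif(SAMPLE_ENTRIES, buckets["inactive"]))
```

On the sample data, bob is the only account that ends up in the LDIF: carol is stale but already disabled, and dave has no timestamp, so he is reported for review rather than disabled. Whether "unknown" accounts should be treated as stale is the organisational policy decision Tushar refers to, not something the script can decide.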