Automating Inactive User Cleanup in Reltio

Overview

This article explains how to manage and automate the cleanup of inactive users in Reltio. It covers supported approaches, available APIs, and recommended best practices.

Problem

Customers may need to regularly remove or manage users who have not logged into Reltio for a defined period (for example, 90 days). Manual cleanup can be time-consuming and error-prone, leading to the need for automation.

Solution Summary

• Automation using Reltio Integration Hub (RIH) Recipes is possible for user deactivation.
• There is no publicly documented API to delete users.
• The recommended approach is:
  • Use Reltio password policy for automatic deactivation
  • Use Recipes for reporting, monitoring, and notifications

Recommended Approach: Policy-Based Deactivation

What It Does

Reltio provides a built-in password policy that automatically disables users after a period of inactivity.

Configuration Example

{
  "passwordPolicy": {
    "inactivePeriodInDays": 90
  }
}

How It Works

• Based on the user’s last login date
• Users are disabled when they attempt to log in or generate a token after exceeding the inactivity threshold

API to Configure Policy

PUT {AUTH_URL}/oauth/customers/{customerId}/passwordPolicy

Why This Is Recommended

• Fully supported by Reltio
• No custom development required
• Lower risk and maintenance

Optional Enhancement: Use Recipes for Governance

Recipes can be used alongside the password policy to:

• Send notifications before users become inactive
• Generate reports of inactive users
• Track exceptions (for example, service or admin accounts)

Alternative Approach: Recipe-Based Automation (POC)

Overview

You can build a custom Recipe to:

1. Identify inactive users
2. Deactivate them using APIs

Important: This approach is custom and not officially supported by Reltio Customer Engineering.

Relevant APIs

Get All Users

GET https://auth.reltio.com/oauth/users

• Use lastLoginDate to determine inactivity

View User

GET https://auth.reltio.com/oauth/users/{username}

Update User (Deactivate)

PUT https://auth.reltio.com/oauth/users/{userName}

To deactivate a user:

"enabled": false

Security Audit Log Export

POST /audit/export

Supports filtering by:

• Username
• Event type
• Time range

Activity Log (Optional)

GET {TenantURL}/activities?filter=(equals(user,'<username>'))&max=2

Limitations:

• No direct “last login” field
• Default data window is limited
• Search results capped

Recipe Workflow (Deactivation Use Case)

1. Schedule Recipe
   • Run daily
2. Retrieve Users
   • Call Get Users API
3. Identify Inactive Users
   • Users with:
     • enabled = true
     • lastLoginDate older than defined threshold (e.g., 90 days)
4. Optional Validation
   • Cross-check with Activity Logs if needed
5. Prepare Full Payload
   • Retrieve full user object
   • Modify only the enabled field
6. Deactivate User

   • Set:

     "enabled": false

7. Send Notifications
   • Either:
     • Request approval before deactivation, or
     • Deactivate and send summary report

Important Considerations

User Deletion

• User deletion is not available via public API
• Must be performed manually through the Reltio Console

Update API Behavior

• The Update User API replaces the entire user object
• Always send the complete payload to avoid data loss

Activity Log Limitations

• Not ideal as the primary source for inactivity detection
• Use lastLoginDate from Get Users API instead

Permissions

• Ensure the Recipe service account has:
  • Admin privileges
  • Access to user management APIs

Exclusions

Maintain an allowlist for:

• Integration/service accounts
• Admin users
• Support accounts