Expiration Policies define if, how, and when a user account is considered expired and deleted from the system. At the Org level, expiration policies can be applied globally to all members of a user class or to individual users.

To access user account expiration policies

Sign on as Org Admin. Select SETTINGS > Security Policies > User Auth > Expiration. The Settings (Security) page opens

Expiration Policies Setting Page

The Expiration Policies setting page includes:

  • Edit User Class Expiration Policies allows the administrator to assign various expiration policies to each of the four available user classes. By default, no policy is selected for each user class. Existing expiration policies can be selected for each user class in that class' drop-down menu. Clicking the Change Policy button for a specific user class will make the expiration policy assignment change for that user class.

    If an expiration policy is assigned (or unassigned) to a user class, a confirmation page will appear asking the administrator if they wish to apply the new policy to all existing members of that user class, or leave existing policies in place and simply make the change for all future members of that user class. The administrator may also cancel the operation entirely from the confirmation page.

  • Expiration Policies lists the expiration policies available in the organization. Each policy may be edited, and those policies which are not currently selected as a default user class policy may be deleted. New profiles may also be added. Clicking the Edit link opens the Edit Expiration Policy page; clicking the Add New Policy link opens the Add Expiration Policy page.
    Note: If an expiration policy that is currently assigned to one or more user accounts is deleted, those users will be reset to use the default policy for their user class (or no policy if - None - is selected).
  • Expiration Settings is a setting for deletion of expired accounts. The setting lets you set whether and when, an expired account should be deleted. The default value is 7 (seven days after a user account is marked as Inactive, the account will be deleted). You can change the time period, or you can leave this entry without a value. (No value indicates never delete inactive user accounts).
    • If you select the Delete user home folders and all subfolders upon user deletion check box, the Home folder owned exclusively by an expired user (including all subfolders) will be removed.
    • If you do not select the Delete user home folders and all subfolders upon user deletion check box, the user's home folder will be retained to avoid any data loss. You can manually delete the home folder or set folder expiration rules to remove home folders associated with an expired account.

Edit Expiration Policy or Add Expiration Policy

Each expiration policy must have a name, and can optionally have a description. The policy name is listed in both sections of the expiration policy settings page. A name for a new expiration policy should be chosen to convey the expiration settings of the given policy. Names such as Expire After One Signon, or Expire Thirty Days After Creation are good choices. Names such as Policy 1, or User Policy are less desirable. The policy name can be changed after creation without affecting the users assigned to that profile.

The options available to each expiration policy determine how users who are assigned this policy will be expired from the system, and how, if at all, they will be notified of impending expiration or the expiration itself. Several different expiration options may be selected in a single policy, and in those cases, accounts assigned the policy will be expired by the first applicable method.

Expiration policy options:

  • Expire after (specific date): Causes a user account to be expired after the selected date.
  • Expire X days after creation: Causes a user account to be expired a configurable number of days after the creation date of the account.
  • Expire X days after last activity: Causes a user account to be expired a configurable number of days after the last successful sign-on to the account occurred.
    • Receiving packages counts as "activity": Causes a user account to be expired a configurable number of days after the last package was sent to the account.
  • Expire after X successful signons: Causes a user account to be expired after a configurable number of successful sign-ons to the account.
  • Warn X days before expiration: Sends an email notification to a user account a configurable number of days before the account is due to be expired.
  • Notify user when their account expires: Sends an email notification to the user account upon expiration of that account, notifying them of the expiration.
  • Delete user home folders and all subfolders upon user deletion: When selected, the Home folder owned exclusively by an expired user (including all subfolders) will be removed, permanently. Data marked for deletion also includes folders shared with others using specific access permissions --also referred to as Secure Folder Sharing.
    Note: If an expired user does not own a folder (for example, it is assigned as the Home folder to a current user or group), such as a team folder, then this folder will not be deleted.

Expiration Results

Actual expiration of a user account happens in two steps.

First Step: Status Change

Upon determining that an account is expired, the MOVEit Transfer nightly scheduled task will change the account status to Inactive (account expired). This prevents the user from signing on. If the expiration policy allows it, a notification email will be sent to the expired user informing them of their status. Notifications will also be sent to interested administrators and GroupAdmins informing them of the account expiration.

For the next seven days (or for the number of days set in Expiration Settings) following expiration of the account, administrators will have an opportunity to undo the expiration by changing the user's status back to Active. This seven-day window is provided to help prevent inadvertent and unwanted expirations. Administrators can also set the Expiration Setting to 0, and the inactive accounts will not be deleted.

Second Step: Account Deletion

The second expiration step happens seven days after expiration when the user account is finally deleted. Once this has happened, it is no longer possible to recover the account.

The user's home folder is retained, unless the Delete user home folders checkbox is checked.