Delete Inactive Users from OCI IAM Identity Domains Based on UserStatus and LastSuccessfulLoginDate Using Python

Introduction

Oracle Cloud Infrastructure (OCI) is a cloud platform capable of providing a range of cloud services including storage, networking and infrastructure. Oracle Cloud Infrastructure Identity and Access Management (OCI IAM) is a service that enables you to manage access to OCI resources. It provides authentication and authorization for users and groups.

Deleting inactive users based on their last successful login date in OCI IAM Identity Domains can be particularly helpful in the context of OCI’s per-user pricing model for several reasons:

To implement this process effectively, the Python snippets below can be used to automate the identification and deletion of inactive users based on their last successful login date and their active/inactive status. Running such a script regularly keeps the IAM environment lean and secure while optimizing your OCI costs.

Audience

IAM professionals and administrators.

Objective

Delete users based on user status and lastSuccessfulLoginDate from OCI IAM Identity Domains using the REST API with Python.

Prerequisites

Task 1: Create a confidential application in OCI IAM Identity Domains

Follow Oracle Identity Cloud Service: First REST API Call to create a confidential application and retrieve its client ID and client secret. These credentials are then used in a REST API call to OCI IAM to obtain an Access Token, which authorizes the subsequent API calls.

Task 2: Set up the config.json file

Set up the config file on your local machine. The config.json file holds the Identity Domain URL, Client ID and Client Secret, which are used to generate the Access Token.

{
"iamurl"         : "https://idcs-###########.identity.oraclecloud.com",
"client_id"      : "#######################",
"client_secret"  : "#######################"
}

Task 3: Get the Access Token

Once the config.json file is in place, the first thing you need to do is to generate the Access Token, which can be used to make further REST API calls to the OCI IAM endpoints.

In the code snippet below, the function get_encoded takes the Client ID and Client Secret as arguments and returns them as a base64-encoded string. This encoded string is passed to the function get_access_token in the Authorization header, and the Access Token is obtained by performing a POST request to the token endpoint.

import base64
import json

import requests

# Load the Identity Domain URL and client credentials from config.json (Task 2)
with open("config.json") as f:
    config = json.load(f)
idcsURL = config["iamurl"]
clientID = config["client_id"]
clientSecret = config["client_secret"]


class IAM:
    # Base64-encode "client_id:client_secret" for the HTTP Basic Authorization header
    # (standard base64, not the URL-safe alphabet, is what Basic auth expects)
    def get_encoded(self, clid, clsecret):
        encoded = clid + ":" + clsecret
        baseencoded = base64.b64encode(encoded.encode('UTF-8')).decode('ascii')
        return baseencoded

    # Exchange the client credentials for an access token (OAuth2 client_credentials grant)
    def get_access_token(self, url, header):
        para = "grant_type=client_credentials&scope=urn:opc:idm:__myscopes__"
        # verify=False disables TLS certificate validation; drop it once the
        # machine's trust store accepts the Identity Domain certificate
        response = requests.post(url, headers=header, data=para, verify=False)
        response.raise_for_status()
        jsonresp = response.json()
        access_token = jsonresp.get('access_token')
        return access_token

    # Build the token request against /oauth2/v1/token and return the access token
    def printaccesstoken(self):
        encodedtoken = self.get_encoded(clientID, clientSecret)
        extra = "/oauth2/v1/token"
        headers = {'Content-Type': 'application/x-www-form-urlencoded;charset=UTF-8',
                   'Authorization': 'Basic %s' % encodedtoken, 'Accept': '*/*'}
        accesstoken = self.get_access_token(idcsURL + extra, headers)
        return accesstoken

Task 4: Handle a batch of user information (lastSuccessfulLoginDate, userStatus) to clean-up users

With the access token in hand, further REST API calls can be made to the OCI IAM Identity Domains endpoints. The next step is a GET request, with the necessary headers and parameters, to the /admin/v1/Users endpoint to retrieve the total number of users; from the total number of results and the count per request, the number of iterations (pages) needed to walk all users is calculated.

Task 5: Use the script in the OCI Cloud Shell

Once the script is ready, it can be executed on a local machine with Python installed or in any IDE that supports Python development. Here we use OCI Cloud Shell to run the script and obtain the desired report.

  1. Log in to the OCI Console, open the Cloud Shell from the top right corner of the screen and then upload the Python script and config.json file.

  2. Execute python DeleteUser_PriorCheck_InactivePeriod60days_IsAdmin.py.

    Note: DeleteUser_PriorCheck_InactivePeriod60days_IsAdmin.py is the Python script assembled from the code snippets above.

Acknowledgments

More Learning Resources

Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.

For product documentation, visit Oracle Help Center.