Revoking Users with the ILST

The ILST has four settings related to revoking users from your digital workplace, found in the <ApplicationSettings> area of the config file. Each one can have a value of true or false. By default, no one will be revoked from the workplace.

<RevokeIfNotInSearch>true</RevokeIfNotInSearch>

Turning on this setting means that if the user has been previously synced into Igloo, and is in Igloo and not in the AD, they will be revoked.  As the top-level rule, if this setting is false, the other rules will not take effect. 

<RevokeNonDelegateUsers>true</RevokeNonDelegateUsers>

This setting allows the tool to revoke non-delegate users. Users become delegated when they log in through LDAP authentication or Single Sign-On. Turning on this setting means that if the user is not delegated, has been previously synced into Igloo, and is in Igloo and not in the AD, they will be revoked

<RevokeAdmins>false</RevokeAdmins>

With this setting turned off, the ILST will never revoke workplace administrators, even if the other conditions instruct it to. It's recommended to leave this setting set to false, but it can be activated to have the AD be the final authority on all membership in the workplace. 

<RevokeUsersNotManagedByLdap>true</RevokeUsersNotManagedByLdap>

Every user added or updated by the ILST is managed by LDAP, and the sync will be able to govern them using the other revoking settings. When this setting  is activated, the ILST will also be able to govern users created manually through invitations or the Bulk Member Upload, as well as users automatically created through Single Sign-On.

Combining revoke instructions

This table presents some common user conditions, and which revoking setting will apply to them.