Revoking Users with the ILST

The ILST has four settings related to revoking users from your digital workplace, found in the <ApplicationSettings> area of the config file. Each one can have a value of true or false. By default, no one will be revoked from the workplace.

<RevokeIfNotInSearch>true</RevokeIfNotInSearch>

Turning on this setting means that a user who was previously synced into Igloo, and who is still in Igloo but no longer in the AD, will be revoked. This is the top-level rule: if this setting is false, the other rules will not take effect.

<RevokeNonDelegateUsers>true</RevokeNonDelegateUsers>

This setting allows the tool to revoke non-delegate users. Users become delegated when they log in through LDAP authentication or Single Sign-On. Turning on this setting means that a user who is not delegated, was previously synced into Igloo, and is in Igloo but not in the AD will be revoked.

<RevokeAdmins>false</RevokeAdmins>

With this setting turned off, the ILST will never revoke workplace administrators, even if the other conditions instruct it to. It's recommended to leave this setting set to false, but it can be activated to have the AD be the final authority on all membership in the workplace. 

<RevokeUsersNotManagedByLdap>true</RevokeUsersNotManagedByLdap>

Every user added or updated by the ILST is managed by LDAP, and the sync is able to govern them using the other revoking settings. When this setting is activated, the ILST will also be able to govern users created manually through invitations or the Bulk Member Upload, as well as users automatically created through Single Sign-On.

Combining revoke instructions

This table presents some common user conditions, and which revoking setting will apply to them. 


| User condition | <Revoke if Not In Search> | <Revoke Non Delegated Users> | <Revoke Admins> | <Revoke Users Not Managed by LDAP> |
| --- | --- | --- | --- | --- |
| User was synced, but is no longer in the AD | Revoke | | | |
| User was manually added to the community | Do nothing | Do nothing | Do nothing | Revoke |
| User is an Administrator, but is no longer in the AD | Do nothing | Do nothing | Revoke | |
| User was synced, but has never logged in | Do nothing | Revoke | | |
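
The following dry-run model is an added example, not ILST code. It reads the four flags from a constructed <ApplicationSettings> fragment and lists which accounts in a constructed inventory would be revoked, so a settings change can be reviewed before a sync runs. The User record, the function names, and the reading that every rule acts as a gate that must pass are assumptions drawn from the descriptions and table above.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed fragment: only the four revoke settings named on this page.
SAMPLE_CONFIG = """<ApplicationSettings>
  <RevokeIfNotInSearch>true</RevokeIfNotInSearch>
  <RevokeNonDelegateUsers>false</RevokeNonDelegateUsers>
  <RevokeAdmins>false</RevokeAdmins>
  <RevokeUsersNotManagedByLdap>false</RevokeUsersNotManagedByLdap>
</ApplicationSettings>"""
KEYS = ("RevokeIfNotInSearch", "RevokeNonDelegateUsers",
        "RevokeAdmins", "RevokeUsersNotManagedByLdap")

def load_settings(xml_text):
    """Read the four flags; a missing element counts as false (nobody revoked)."""
    root = ET.fromstring(xml_text)
    return {k: (root.findtext(".//" + k) or "").strip().lower() == "true"
            for k in KEYS}

@dataclass
class User:  # hypothetical inventory record, not an ILST type
    name: str
    in_ad: bool            # still returned by the AD search
    managed_by_ldap: bool  # added or updated by the sync
    delegated: bool        # has logged in through LDAP authentication or SSO
    is_admin: bool = False

def would_revoke(s, u):
    """Assumed reading of the page: every gate below must pass for a revoke."""
    if not s["RevokeIfNotInSearch"] or u.in_ad:
        return False  # top-level rule is off, or the user is still in the AD
    if u.is_admin and not s["RevokeAdmins"]:
        return False  # workplace administrators are protected
    if not u.managed_by_ldap and not s["RevokeUsersNotManagedByLdap"]:
        return False  # invited, bulk-uploaded or SSO-created accounts
    if not u.delegated and not s["RevokeNonDelegateUsers"]:
        return False  # synced but never logged in
    return True

def dry_run(xml_text, users):
    """Names of the users the given configuration would revoke."""
    s = load_settings(xml_text)
    return [u.name for u in users if would_revoke(s, u)]

# Constructed inventory, one user per row of the table; none are in the AD.
SAMPLE_USERS = [
    User("alice", in_ad=False, managed_by_ldap=True, delegated=True),
    User("bob", in_ad=False, managed_by_ldap=False, delegated=True),
    User("carol", in_ad=False, managed_by_ldap=True, delegated=True, is_admin=True),
    User("dave", in_ad=False, managed_by_ldap=True, delegated=False),
]
```

With the sample configuration only alice is listed; turning on each further setting adds the matching row of the table to the result.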

