User management and audit logs

Deleting and disabling external IDP users

External IDP users are listed along with the basic users, and the external IDP users can be deleted in the same way as regular basic users.

However, deleting an external IDP user has no effect as long as the external IDP is still configured in the XProtect VMS and the user is still enabled in the external IDP.

The external IDP user will simply be added automatically again the next time the user logs in to the XProtect VMS.

To block an external IDP user from logging in to the XProtect VMS while the user still exists and is enabled in the external IDP, change the user’s status from ‘Enabled’ to ‘Locked Out’.

Audit logs

The audit log entries written for actions performed by external IDP users are the same as for regular Windows AD or basic users.

Even if claims have not been configured for the external IDP users or added to the XProtect VMS roles, and an external user has not yet been manually added to a role, the user can still authenticate against the external IDP. However, the XProtect VMS will deny access, because the user is neither a member of a role nor linked to a role via claims and therefore has no permissions in the XProtect VMS.

In this case, the audit log will state that login failed due to insufficient permissions.
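
The login behaviour described in both sections above, as a simplified model added here for illustration. It is not Milestone code: the class and method names, the claim name, the sample users and every audit text except "insufficient permissions" are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class VmsUser:
    name: str
    status: str = "Enabled"   # 'Enabled' or 'Locked Out', as in the user list
    roles: set = field(default_factory=set)   # roles assigned manually

class Vms:
    """Simplified model (assumption), not Milestone's implementation."""
    def __init__(self, idp_enabled, claim_roles):
        self.idp_enabled = idp_enabled    # users enabled in the external IDP
        self.claim_roles = claim_roles    # claim -> VMS role mapping
        self.users, self.audit = {}, []

    def delete_user(self, name):
        self.users.pop(name, None)

    def lock_out(self, name):
        self.users[name].status = "Locked Out"

    def login(self, name, claims=()):
        if name not in self.idp_enabled:
            return "rejected by external IDP"   # in this model, never reaches the VMS
        # Deleted users are re-added automatically at the next login.
        user = self.users.setdefault(name, VmsUser(name))
        if user.status == "Locked Out":
            return self._log(name, "login failed: locked out")  # constructed text
        roles = user.roles | {self.claim_roles[c] for c in claims if c in self.claim_roles}
        if not roles:
            return self._log(name, "login failed: insufficient permissions")
        return self._log(name, "login succeeded")

    def _log(self, name, outcome):
        self.audit.append((name, outcome))
        return outcome

def demo():
    vms = Vms({"alice", "bob"}, {"vms-operators": "Operators"})  # constructed data
    out = [vms.login("alice", ["vms-operators"])]
    vms.delete_user("alice")                           # deletion alone...
    out.append(vms.login("alice", ["vms-operators"]))  # ...does not block login
    vms.lock_out("alice")                              # 'Locked Out' does
    out.append(vms.login("alice", ["vms-operators"]))
    out.append(vms.login("bob"))                       # no claims, no role
    return out

if __name__ == "__main__":
    print(demo())
```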