Stale Account Deactivation

arxsec-site / library/workflows/stale-account-deactivation/README.md

Automatically identifies stale Okta accounts that have not been used within a configurable threshold, sends a Slack approval request to the security team, and deactivates the account upon approval.

Maturity: L4+ (Governed and up)  ·  See the 5-level maturity model for where this workflow fits in your program.

Time Saved

~4 hours per month of manual identity review and cleanup.

Connectors

| Connector | Operations | Risk Level |
|-----------|------------|------------|
| Okta | users:read | Low — read-only |
| Okta | users:deactivate | High — disables user accounts |
| Slack | chat:write, reactions:read | Low — HITL approval channel |

How It Works

  1. Query Okta for all active users.
  2. Filter users whose last login exceeds the staleness threshold (default 90 days).
  3. Post a Slack message to the designated approval channel listing stale accounts.
  4. Wait for an approver to react with a checkmark emoji.
  5. Deactivate approved accounts in Okta.
  6. Post a summary of actions taken back to Slack.

ARX Governance

Risk Classification

  • users:read — Low. Read-only user enumeration.
  • users:deactivate — High. Destructive action that disables user access.
  • chat:write / reactions:read — Low. HITL channel communication.

HITL Gate Configuration

  • Operation: users:deactivate — requires approval before execution.
  • Channel: SLACK_APPROVAL_CHANNEL (configurable in arx.yaml).
  • Timeout: 24 hours. If no approval is received, the action is skipped.
  • Approvers: Members of the security-team Slack user group.

Policy Rules

  • users:read — permit — automated, no approval needed.
  • users:deactivate — escalate — requires HITL approval via Slack.
  • chat:write — permit — notification only.
  • Batch deactivation of >10 accounts — deny — must be split into smaller batches.
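The staleness filter from "How It Works", the HITL gate timeout and approver check, and the batch-size policy rule above, run as one offline example. This is added illustration code, not the Arx workflow's own implementation: it uses constructed user records shaped like the objects Okta's /api/v1/users endpoint returns (id, status, created, lastLogin, profile.login), a hypothetical security-team approver set, and one assumption the README does not state, namely that an account that has never logged in is measured from its creation date.

```python
"""Added example (not Arx's code): staleness filter, HITL gate and batch policy
from the workflow, evaluated over constructed Okta-shaped records."""
from datetime import datetime, timedelta, timezone

STALENESS_THRESHOLD_DAYS = 90            # README default
HITL_TIMEOUT = timedelta(hours=24)       # README HITL gate timeout
MAX_BATCH = 10                           # README policy: >10 deactivations is denied
APPROVERS = {"sec-lead", "sec-oncall"}   # hypothetical security-team members

NOW = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)  # constructed run time

# Constructed records using Okta's user field names; every value is invented.
SAMPLE_USERS = [
    {"id": "u1", "status": "ACTIVE", "created": "2023-01-01T00:00:00.000Z",
     "lastLogin": "2024-05-20T08:00:00.000Z", "profile": {"login": "alice@example.com"}},
    {"id": "u2", "status": "ACTIVE", "created": "2023-01-01T00:00:00.000Z",
     "lastLogin": "2024-01-15T08:00:00.000Z", "profile": {"login": "bob@example.com"}},
    {"id": "u3", "status": "ACTIVE", "created": "2024-01-01T00:00:00.000Z",
     "lastLogin": None, "profile": {"login": "never@example.com"}},
    {"id": "u4", "status": "DEPROVISIONED", "created": "2022-01-01T00:00:00.000Z",
     "lastLogin": "2023-01-01T08:00:00.000Z", "profile": {"login": "old@example.com"}},
]


def parse_okta_ts(value):
    """Okta timestamps are ISO 8601 with a trailing 'Z'; older Pythons'
    fromisoformat() rejects 'Z', so normalise it to an explicit offset."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_stale(users, now=NOW, threshold_days=STALENESS_THRESHOLD_DAYS):
    """Steps 1-2: keep ACTIVE users whose last login is older than the
    threshold. Assumption: a never-logged-in account uses its created date."""
    cutoff = now - timedelta(days=threshold_days)
    stale = []
    for user in users:
        if user["status"] != "ACTIVE":
            continue
        last_seen = parse_okta_ts(user["lastLogin"] or user["created"])
        if last_seen < cutoff:
            stale.append({"id": user["id"], "login": user["profile"]["login"],
                          "last_login": user["lastLogin"]})
    return stale


def batch_policy(stale):
    """Policy rule: more than MAX_BATCH deactivations in one run is denied."""
    return "permit" if len(stale) <= MAX_BATCH else "deny"


def gate_decision(requested_at, reacted_at=None, approver=None,
                  approvers=APPROVERS, now=NOW):
    """Step 4 / HITL gate: a checkmark counts only from a member of the
    approver group and within HITL_TIMEOUT; otherwise the action is skipped."""
    if reacted_at is None:
        return "skipped_timeout" if now - requested_at > HITL_TIMEOUT else "pending"
    if reacted_at - requested_at > HITL_TIMEOUT:
        return "skipped_timeout"
    if approver not in approvers:
        return "rejected_unauthorised_approver"
    return "approved"


def plan_run(users=SAMPLE_USERS, now=NOW, dry_run=True):
    """Combine the steps and return the audit-trail fields the README lists.
    In dry-run mode, or when the batch policy denies, nothing is queued."""
    stale = find_stale(users, now)
    policy = batch_policy(stale)
    queued = [] if (dry_run or policy == "deny") else [s["id"] for s in stale]
    return {"stale": stale, "policy": policy, "dry_run": dry_run,
            "to_deactivate": queued}


if __name__ == "__main__":
    print(plan_run())
```

The gate returns a distinct outcome for each failure mode so the audit log can record why an account was not deactivated (timeout versus an unauthorised reaction) rather than collapsing both into "not approved".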

Audit Trail

  • List of stale accounts identified with last login timestamps.
  • Approver identity, approval timestamp, and Slack message link.
  • Each deactivated account ID and confirmation status from Okta.
  • Full event log written to arx.audit_log.

> See arx.yaml for the full governance configuration.

Setup Instructions

  1. Register connectors in arx.yaml with valid Okta and Slack credentials.
  2. Set environment variables:
  • OKTA_DOMAIN, OKTA_API_TOKEN
  • SLACK_BOT_TOKEN, SLACK_APPROVAL_CHANNEL
  3. Adjust staleness_threshold_days in arx.yaml if 90 days is not appropriate.
  4. Deploy with arx deploy stale-account-deactivation.
  5. Verify the first run in dry-run mode: arx run stale-account-deactivation --dry-run.

Schedule

Runs on the 1st and 15th of each month at 09:00 UTC.