=====Account protection system=====
{{tag>account protection}}
The goal is to ensure that even if a role is removed from a user account, this account is not immediately removed from the end system.
As long as there is at least one role assigned to the account (or put differently, the last remaining role still hasn’t been removed), the IDM account is marked as **Protected**.
If the user is assigned another role for the same system (account) (s/he has the same generated UID in AccAccount), then the **Protected** mark is removed from the IDM account (so the account returns to its original state).
==== Setting up account protection ====
Activating account protection from deletion is performed in the provisioning mapping in the IDM system.
**Two items are available**:
* **Account protection (before delete)** - it is activated by ticking the select box.
* **Length of protection interval (in days)** - defines the length of the protection interval. After the end of the retention period, the account will be cleared in both IDM and the end system. **If the value is empty, the protection interval is infinite.**
For an account that is in a protected mode, **provisioning** is not performed.
==== Removing accounts with expired protection interval ====
This is done by the [[devel:documentation:application_configuration:dev:scheduled_tasks:task-scheduler#accountprotectionexpirationtaskexecutor|AccountProtectionExpirationTaskExecutor]]. You must [[tutorial:adm:how_to_work_with_task_scheduler|create]] and [[tutorial:adm:create_and_configure_trigger|schedule]] this task.
Direct account deletion (AccAccount) can be prevented only if it is at once in the ** Protected ** state and within the valid protection interval!
You can **manually delete an account** (AccAccount) even if the **system** is marked as **protected**. Deletions can be performed over accounts that are not in the protected interval (i.e. they are neither "Protected" nor valid). This account deletion **only** causes switch the account to the **protection**. All identity account relations will be deleted until last one.
Accounts marked as **protected** can be removed manually. You need to set the end-of-protection date on the account detail to the past, after which you can delete the account by bulk operation on the accounts table.
On **identity delete** is used **force delete**. That removes relationships between identity and account, event if the AccAccount is in the protected mode. Only identity-account relations are removed. The account on system (AccAccount) **is not removed**! From this moment on, AccAccount **orphan** is without any relations on identity. When a **new** identity with same system **identifier** is created, this protected account will be **linked to it**!
==== Limitations: ====
It is possible to change the values of the mapped system attributes, depending on whether the account is ** Protected ** (as described for the ** DN ** attribute). ** This dynamic attribute should not be marked as "identifier" **. Such being the case, the protected account will not be paired (according to the newly generated UID), and the result will be **a new account ** (not returning back to the original unprotected state)!
Presently, account protection resolves only accounts assigned to **Identity**.