=====Account protection system=====

{{tag>account protection}}

The goal is to ensure that even if a role is removed from a user account, this account is not immediately removed from the end system. 
As long as there is at least one role assigned to the account (or put differently, the last remaining role still hasn’t been removed), the IDM account is marked as **Protected**.

If the user is assigned another role for the same system (account) (s/he has the same generated UID in AccAccount), then the **Protected** mark is removed from the IDM account (so the account returns to its original state).

==== Setting up account protection ====

Activating account protection from deletion is performed in the provisioning mapping in the IDM system. 

**Two items are available**:
   * **Account protection (before delete)** - it is activated by ticking the select box.
   * **Length of protection interval (in days)** - defines the length of the protection interval. After the end of the retention period, the account will be cleared in both IDM and the end system. **If the value is empty, the protection interval is infinite.**

<note important>For an account that is in a protected mode, **provisioning** is not performed.</note>

==== Removing accounts with expired protection interval ====
This is done by the [[devel:documentation:application_configuration:dev:scheduled_tasks:task-scheduler#accountprotectionexpirationtaskexecutor|AccountProtectionExpirationTaskExecutor]]. You must [[tutorial:adm:how_to_work_with_task_scheduler|create]] and [[tutorial:adm:create_and_configure_trigger|schedule]] this task.

<note tip>Direct account deletion (AccAccount) can be prevented only if it is at once in the ** Protected ** state and within the valid protection interval!</note>

<note tip>You can **manually delete an account** (AccAccount) even if the **system** is marked as **protected**. Deletions can be performed over accounts that are not in the protected interval (i.e. they are neither "Protected" nor valid). This account deletion **only** causes switch the account to the **protection**. All identity account relations will be deleted until last one.</note>

<note tip>Accounts marked as **protected**  can be removed manually. You need to set the end-of-protection date on the account detail to the past, after which you can delete the account by bulk operation on the accounts table.</note>

<note important>On **identity delete** is used **force delete**. That removes relationships between identity and account, event if the AccAccount is in the protected mode. Only identity-account relations are removed. The account on system (AccAccount) **is not removed**! From this moment on, AccAccount **orphan** is without any relations on identity. When a **new** identity with same system **identifier** is created, this protected account will be **linked to it**!</note>

==== Limitations: ====

<note warning>It is possible to change the values of the mapped system attributes, depending on whether the account is ** Protected ** (as described for the ** DN ** attribute). ** This dynamic attribute should not be marked as "identifier" **. Such being the case, the protected account will not be paired (according to the newly generated UID), and the result will be **a new account ** (not returning back to the original unprotected state)! </note>

<note important>Presently, account protection resolves only accounts assigned to **Identity**.</note>