=====Account protection system=====
{{tag>account protection}}
====What is the account protection system?====
The goal is to ensure that when the role that assigns an account to a user is removed, the account is not immediately removed from the end system.
When the last role that assigns the account is removed, the IDM account is marked as **Protected**.
If the user is later assigned a role that assigns the same account (it has the same generated UID in AccAccount), the **Protected** mark is removed from the IDM account (so the account returns to its original state).
==== How can I use it? ====
Account protection before deletion is activated on the provisioning mapping in the IDM system.
**Two items are available here**:
  * **Account protection (before delete)** - ticking this option activates the protection.
  * **Length of protection interval (in days)** - defines the length of the protection interval. After the end of the protection interval, the account will be removed from both the IDM and the end system. **If the value is empty, the protection interval will be infinite.**
For an account that is in a protected mode, **provisioning** will no longer be performed.
Accounts with an expired protection interval are removed by the [[devel:documentation:application_configuration:dev:scheduled_tasks:task-scheduler#accountprotectionexpirationtaskexecutor|AccountProtectionExpirationTaskExecutor]]. You must [[tutorial:adm:how_to_work_with_task_scheduler|create]] and [[tutorial:adm:create_and_configure_trigger|schedule]] this task.
==== Basic use case scenario: ====
  * We have the "LDAP" system with the anti-deletion account protection system activated. The duration of the protection interval is 10 days.
  * This system has the **DN** attribute set so that in the case of a protected account it changes from **eu.ldap.{userName}** to **eu.ldap.archive.{userName}**.
  * Next, we have the user "john-doe" and the role "roleLDAP" (which assigns "LDAP").
  - The **Administrator** assigns the role **roleLDAP** to "john-doe".
  - IDM:
    - Creates the bindings **IdmIdentityRole**, **AccIdentityAccount** and the IDM account **AccAccount** (where uid = "john-doe").
    - Provisioning then creates the appropriate account on the end system. The value of the **DN** attribute will be **eu.ldap.john-doe**.
  - The administrator removes the role **roleLDAP** from **john-doe**.
  - IDM:
    - Removes the link **IdmIdentityRole**.
    - Because the last **AccIdentityAccount** link to the account is retained, the IDM account is retained as well.
    - The IDM account is marked as **Protected**. The end of the protection interval (now + 10 days) is also calculated.
    - Provisioning changes the DN attribute from **eu.ldap.john-doe** to **eu.ldap.archive.john-doe**.
  - The administrator reassigns the role **roleLDAP** to the user **john-doe**.
  - IDM:
    - Creates the bindings **IdmIdentityRole** and **AccIdentityAccount**.
    - Because an existing IDM account **AccAccount** (protected) is found for the generated UID ("john-doe"), it is converted to the **unprotected** state. A new link **AccIdentityAccount** is bound to this account. The original binding is removed.
    - Provisioning changes the DN attribute from **eu.ldap.archive.john-doe** to **eu.ldap.john-doe**.
If the role "roleLDAP" were not reassigned, the account would be **deleted after 10 days** (by the scheduled task).
Direct deletion of an account (AccAccount) is prevented only if the account is in the **Protected** state and at the same time within a valid protection interval!
You can **manually delete an account** (AccAccount) even if the **system** is marked as **protected**. Deletion can be performed on accounts that are not in a protection interval (i.e. they are not "Protected" or the interval is not valid). Such a delete **only** switches the account into **protection**. All identity-account relations are deleted except the last one.
An account marked as **protected** can be removed manually. You need to set the end of protection date on the account detail to the past; then you can delete the account with the bulk operation on the accounts table.
On **identity delete**, a **force delete** is used. It removes the relationships between the identity and the account, even if the AccAccount is in protected mode. Only the identity-account relations are removed. The account on the system (AccAccount) **is not removed**! From this moment the AccAccount is an **orphan** without any relation to an identity. If a **new** identity with the same system **identifier** is created, this protected account will be **linked to it**!
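
A minimal Python model of the lifecycle described above, added here as an illustration and not CzechIdM code; the class and method names are hypothetical and the rules are simplified to the ones stated on this page. It covers protection on removal of the last role, the empty (infinite) interval, expiration, and the orphaned protected account that a new identity with the same identifier is linked to.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Account:  # hypothetical stand-in for AccAccount
    uid: str
    in_protection: bool = False
    end_of_protection: Optional[datetime] = None  # None = infinite interval
    identities: set = field(default_factory=set)  # AccIdentityAccount links

    def dn(self):  # DN mapping from the LDAP scenario
        return ("eu.ldap.archive." if self.in_protection else "eu.ldap.") + self.uid

    def protection_valid(self, now):
        return self.in_protection and (
            self.end_of_protection is None or now < self.end_of_protection)

class System:  # hypothetical model of one end system's accounts
    def __init__(self, interval_days):
        self.interval_days = interval_days  # None models the empty setting
        self.accounts = {}

    def assign(self, identity, uid):  # account found by UID leaves protection
        acc = self.accounts.setdefault(uid, Account(uid))
        acc.in_protection, acc.end_of_protection = False, None
        acc.identities = {identity}  # new link bound, original one removed
        return acc

    def remove_last_role(self, uid, now):
        acc = self.accounts[uid]  # the last link is kept, account is protected
        acc.in_protection = True
        if self.interval_days is not None:
            acc.end_of_protection = now + timedelta(days=self.interval_days)

    def force_delete_identity(self, identity):
        for acc in self.accounts.values():
            acc.identities.discard(identity)  # the account itself stays

    def expire(self, now):  # models the scheduled expiration task
        gone = [u for u, a in self.accounts.items()
                if a.in_protection and not a.protection_valid(now)]
        for u in gone:
            del self.accounts[u]
        return gone

    def orphans(self):  # protected accounts a same-identifier identity would get
        return [u for u, a in self.accounts.items() if a.in_protection and not a.identities]
```

Listing the orphans before an identifier is reused shows which protected accounts a newly created identity would be linked to.
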
==== Limitations: ====
It is possible to change the values of the mapped system attributes depending on whether the account is **Protected** (as described for the **DN** attribute). **Such a dynamic attribute should not be marked as "identifier"**. If it is, the protected account will not be paired (according to the newly generated UID). The result will be a **new account** (rather than the original one returning to the unprotected state)!
At this time, account protection resolves only accounts assigned to **Identity**.