Account protection system

The goal is to ensure that even if a role is removed from a user account, this account is not immediately removed from the end system. As long as there is at least one role assigned to the account (or put differently, the last remaining role still hasn’t been removed), the IDM account is marked as Protected.

If the user is assigned another role for the same system (account), i.e. one that yields the same generated UID in AccAccount, the Protected mark is removed from the IDM account (so the account returns to its original state).

Setting up account protection

Activating account protection from deletion is performed in the provisioning mapping in the IDM system.

Two items are available:

For an account that is in a protected mode, provisioning is not performed.

Removing accounts with expired protection interval

This is done by the AccountProtectionExpirationTaskExecutor. You must create and schedule this task.

Direct account deletion (AccAccount) can be prevented only if the account is both in the Protected state and within the valid protection interval!
You can manually delete an account (AccAccount) even if the system is marked as protected. Deletions can be performed on accounts that are not in the protected interval (i.e. they are neither "Protected" nor valid). This account deletion only switches the account into protection. All identity-account relations will be deleted until the last one.
Accounts marked as protected can be removed manually. You need to set the end-of-protection date on the account detail to a date in the past, after which you can delete the account with a bulk operation on the accounts table.
When an identity is deleted, a force delete is used. It removes the relationships between the identity and the account, even if the AccAccount is in protected mode. Only identity-account relations are removed. The account on the system (AccAccount) is not removed! From this moment on, the AccAccount is an orphan without any relation to an identity. When a new identity with the same system identifier is created, this protected account will be linked to it!
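The deletion rules above can be turned into a periodic audit that sorts accounts by protection state. This is an added example, not the IDM product's own code: the Account class, its field names and the sample records are hypothetical, and it assumes every protected account carries an end-of-protection date.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass
class Account:
    """Hypothetical stand-in for an AccAccount record; field names are assumed."""
    uid: str
    protected: bool
    end_of_protection: Optional[datetime]  # assumed to be set whenever protected
    identity_links: int                    # number of identity-account relations

def in_valid_protection(acc: Account, now: datetime) -> bool:
    # Both conditions must hold: Protected state AND interval not yet over.
    return (acc.protected and acc.end_of_protection is not None
            and now < acc.end_of_protection)

def can_delete_directly(acc: Account, now: datetime) -> bool:
    # Direct deletion is prevented only while protection is still valid.
    return not in_valid_protection(acc, now)

def classify(acc: Account, now: datetime) -> str:
    if not acc.protected:
        return "active"
    if not in_valid_protection(acc, now):
        return "expired"    # left for the expiration task to remove
    if acc.identity_links == 0:
        return "orphan"     # left behind by the force delete of its identity
    return "protected"

def audit(accounts, now):
    """Group account UIDs by state so orphans and expired leftovers stand out."""
    report = {"active": [], "protected": [], "orphan": [], "expired": []}
    for acc in accounts:
        report[classify(acc, now)].append(acc.uid)
    return report

# Constructed sample data, not taken from a real system.
NOW = datetime(2024, 6, 1)
SAMPLE = [
    Account("jdoe", False, None, 1),
    Account("asmith", True, datetime(2024, 7, 1), 1),
    Account("bnovak", True, datetime(2024, 7, 1), 0),
    Account("ckral", True, datetime(2024, 5, 1), 1),
]

if __name__ == "__main__":
    for state, uids in audit(SAMPLE, NOW).items():
        print(f"{state:10} {uids}")
```

Entries reported as "orphan" deserve review before new identities are onboarded, because a new identity with the same system identifier would be linked to them. Entries reported as "expired" indicate that the expiration task has not yet run or is not scheduled.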

Limitations:

It is possible to change the values of the mapped system attributes, depending on whether the account is Protected (as described for the DN attribute). Such a dynamic attribute should not be marked as "identifier". If it is, the protected account will not be paired (according to the newly generated UID), and the result will be a new account (not a return to the original unprotected state)!
Presently, account protection resolves only accounts assigned to Identity.