Differences

This shows you the differences between two versions of the page.

devel:documentation:accounts:adm:account-protection [2019/02/27 13:14]
kotisovam created intro parts moved from devel section
devel:documentation:accounts:adm:account-protection [2019/02/27 13:32]
kotisovam [Removing accounts with expired protection interval] new paragraphs moved from devel - and edited
Line 20: Line 20:
 ==== Removing accounts with expired protection interval ==== ==== Removing accounts with expired protection interval ====
 This is done by the [[devel:documentation:application_configuration:dev:scheduled_tasks:task-scheduler#accountprotectionexpirationtaskexecutor|AccountProtectionExpirationTaskExecutor]]. You must [[tutorial:adm:how_to_work_with_task_scheduler|create]] and [[tutorial:adm:create_and_configure_trigger|schedule]] this task. This is done by the [[devel:documentation:application_configuration:dev:scheduled_tasks:task-scheduler#accountprotectionexpirationtaskexecutor|AccountProtectionExpirationTaskExecutor]]. You must [[tutorial:adm:how_to_work_with_task_scheduler|create]] and [[tutorial:adm:create_and_configure_trigger|schedule]] this task.
 +
 +<note tip>Direct account deletion (AccAccount) can be prevented only if it is at once in the ** Protected ** state and within the valid protection interval!</note>
 +
 +<note tip>You can **manually delete an account** (AccAccount) even if the **system** is marked as **protected**. Deletions can be performed over accounts that are not in the protected interval (i.e. they are neither "Protected" nor valid). This account deletion **only** causes switch the account to the **protection**. All identity account relations will be deleted until last one.</note>
 +
 +<note tip>Accounts marked as **protected**  can be removed manually. You need to set the end-of-protection date on the account detail to the past, after which you can delete the account by bulk operation on the accounts table.</note>
 +
 +<note important>On **identity delete** is used **force delete**. That removes relationships between identity and account, event if the AccAccount is in the protected mode. Only identity-account relations are removed. The account on system (AccAccount) **is not removed**! From this moment on, AccAccount **orphan** is without any relations on identity. When a **new** identity with same system **identifier** is created, this protected account will be **linked to it**!</note>
 +
 +==== Limitations: ====
 +
 +<note warning>It is possible to change the values of the mapped system attributes, depending on whether the account is ** Protected ** (as described for the ** DN ** attribute). ** This dynamic attribute should not be marked as "identifier" **. Such being the case, the protected account will not be paired (according to the newly generated UID), and the result will be **a new account ** (not returning back to the original unprotected state)! </note>
 +
 +<note important>Presently, account protection resolves only accounts assigned to **Identity**.</note>
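Review bot: The second added tip is internally inconsistent and conflicts with the first one. It says deletion works on accounts "that are not in the protected interval", then says the same deletion "**only** causes switch the account to the **protection**", which describes an account that is kept, not deleted. The parenthetical "neither "Protected" nor valid" also requires both conditions to fail, while the first tip says deletion is blocked only when both hold, so an account failing either one should be deletable. Suggest describing the cases separately: what a manual delete does to an account that is not yet protected on a protected system, and what it does to an account that is protected and inside its interval. The sentence "All identity account relations will be deleted until last one" needs rewording so it is clear whether the last relation is kept or removed. In the identity-delete note, "event if" should be "even if", and since it states that an orphaned protected account "will be **linked to it**" when a new identity with the same identifier is created, it should say for how long this applies (until the protection interval ends?) so administrators can plan identifier reuse. In the Limitations warning, name the attribute that "This dynamic attribute" refers to instead of relying on the DN aside. The heading "Limitations:" has a trailing colon that the heading above it does not.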
  • by kotisovam