

The goal is to ensure that even if a role is removed from a user account, the account is not immediately removed from the end system. Once the last role that assigns the account is removed (no remaining role assigns it any more), the IDM account is not deleted but marked as Protected.

If the user is later assigned a role that assigns the same account (the same generated UID in AccAccount), the Protected mark is removed from the IDM account and the account returns to its original state.

Account protection from deletion is activated in the provisioning mapping in the IDM system.

Two items are available:

  • Account protection (before delete) - activated by ticking the checkbox.
  • Length of protection interval (in days) - defines how long the protection lasts. After the end of the protection interval, the account is cleared in both IDM and the end system. If the value is empty, the protection interval is infinite.

For an account that is in protected mode, provisioning is not performed.

Clearing accounts whose protection interval has ended is done by the AccountProtectionExpirationTaskExecutor scheduled task. You must create and schedule this task yourself.
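The lifecycle described above (last role removed → Protected, same UID assigned again → protection lifted, no provisioning while protected, clean-up by the expiration task), as an added Python model that is not CzechIdM's own code; the class and function names, and the assumption that the interval is over once the current date reaches the computed end date, are constructed for illustration:

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Constructed model of the behaviour described above, not CzechIdM's own code.
# protection_days=None models an empty "length of protection interval" (infinite).
@dataclass
class AccAccount:
    uid: str
    roles: set = field(default_factory=set)          # roles that assign this account
    in_protection: bool = False
    end_of_protection: Optional[date] = None         # None while protected = no expiry
    provisioned: list = field(default_factory=list)  # operations sent to the end system

def provision(acc, op):
    # Provisioning is skipped entirely for an account in protected mode.
    if not acc.in_protection:
        acc.provisioned.append(op)

def remove_role(acc, role, today, protection_enabled=True, protection_days=None):
    acc.roles.discard(role)
    if acc.roles:                       # another role still assigns the account
        provision(acc, "update")
        return "active"
    if not protection_enabled:          # protection not ticked: delete immediately
        provision(acc, "delete")
        return "deleted"
    acc.in_protection = True            # last assigning role removed: mark Protected
    acc.end_of_protection = (today + timedelta(days=protection_days)
                             if protection_days is not None else None)
    return "protected"

def assign_role(acc, role):
    acc.roles.add(role)
    if acc.in_protection:               # same UID assigned again: protection is lifted
        acc.in_protection = False
        acc.end_of_protection = None
    provision(acc, "update")

def account_protection_expiration_task(accounts, today):
    # Models the scheduled AccountProtectionExpirationTaskExecutor. Assumption: the
    # interval is over once today >= end_of_protection; no end date = never cleared.
    expired = [a for a in accounts if a.in_protection
               and a.end_of_protection is not None and today >= a.end_of_protection]
    for a in expired:
        a.in_protection = False         # leave protected mode so the delete is provisioned
        provision(a, "delete")
        accounts.remove(a)
    return [a.uid for a in expired]
```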

  • by kotisovam