devel:documentation:accounts:adm:account-protection [2019/02/27 13:14]
kotisovam created intro parts moved from devel section
devel:documentation:accounts:adm:account-protection [2019/02/27 13:45] (current)
kotisovam [Account protection system] edit
Once the last role that assigns the account has been removed (in other words, no role is assigned to the account any more), the IDM account is marked as **Protected** instead of being removed from the system.
  
If the user is later assigned another role that provisions the same account on the same system (i.e. the same UID is generated for the AccAccount), the **Protected** mark is removed from the IDM account, which returns to its original state.
  
==== Setting up account protection ====
==== Removing accounts with expired protection interval ====
This is done by the [[devel:documentation:application_configuration:dev:scheduled_tasks:task-scheduler#accountprotectionexpirationtaskexecutor|AccountProtectionExpirationTaskExecutor]]. You must [[tutorial:adm:how_to_work_with_task_scheduler|create]] and [[tutorial:adm:create_and_configure_trigger|schedule]] this task.

<note tip>Direct deletion of an account (AccAccount) is prevented only when the account is both in the **Protected** state and still within a valid protection interval.</note>

<note tip>You can **manually delete an account** (AccAccount) even on a **system** with protection enabled. Such a deletion is possible for accounts that are not yet in the protection interval (i.e. the account is not **Protected** and has no valid interval). It does not remove the account from the system: it only removes the identity-account relations one by one, and removing the last one switches the account into the **Protected** state.</note>

<note tip>Accounts marked as **Protected** can also be removed manually: set the end-of-protection date on the account detail to a date in the past, after which the account can be deleted with the bulk action on the accounts table.</note>

<note important>Deleting an **identity** uses **force delete**, which removes the relations between the identity and its accounts even if the AccAccount is in the **Protected** state. Only the identity-account relations are removed; the account on the system (AccAccount) **is not removed**. From that moment the AccAccount is an **orphan** with no relation to any identity. When a **new** identity with the same generated system **identifier** is created, this protected account is **linked to it**.</note>

==== Limitations ====

<note warning>The values of mapped system attributes can be changed depending on whether the account is **Protected** (as described for the **DN** attribute). **Such a dynamic attribute must not be marked as the "identifier"**: if it is, the protected account cannot be paired with the newly generated UID, and the result is **a new account** instead of the original account returning to its unprotected state.</note>

<note important>At present, account protection handles only accounts assigned to an **Identity**.</note>
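The rules above (protection on removal of the last role, return to the original state when the same UID is generated again, deletion blocked only while the interval is valid, force delete of the identity leaving a protected orphan, the expiration task, and the "identifier" limitation) as a runnable state model. This is an added example, not CzechIdM code: the entity names follow the page, but every class, method and the `uid_for` generator are assumptions of the model, and the dates in the usage are constructed.

```python
"""Toy state model of the account-protection rules described on this page.
Added example, not CzechIdM code: entity names follow the page (Identity,
AccAccount, identity-account relation); the classes, methods and the `uid_for`
generator are assumptions of this model, and the dates are constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Callable, List, Optional, Tuple


@dataclass
class AccAccount:
    system: str
    uid: str                      # identifier generated for the target system
    owner: str                    # identity the UID was generated from
    protected: bool = False
    end_of_protection: Optional[date] = None
    exists_on_system: bool = True
    links: List[Tuple[str, str]] = field(default_factory=list)  # (identity, role)

    def in_valid_protection(self, today: date) -> bool:
        """Protected AND still inside the interval (None = unlimited)."""
        return self.protected and (self.end_of_protection is None
                                   or self.end_of_protection >= today)


@dataclass
class SystemConfig:
    name: str
    protection_enabled: bool
    interval_days: Optional[int] = None   # None = protect forever
    # UID generator. A correct one ignores `protected`; making it depend on the
    # flag reproduces the misconfiguration warned about under Limitations.
    uid_for: Callable[[str, bool], str] = lambda identity, protected: identity.lower()


class AccountProtectionModel:
    def __init__(self, systems: List[SystemConfig]):
        self.systems = {s.name: s for s in systems}
        self.accounts: List[AccAccount] = []

    def _live(self, system: str) -> List[AccAccount]:
        return [a for a in self.accounts if a.system == system and a.exists_on_system]

    def assign_role(self, identity: str, role: str, system: str) -> AccAccount:
        uid = self.systems[system].uid_for(identity, False)  # UID of the unprotected state
        for acc in self._live(system):
            if acc.uid == uid:                       # paired by generated UID
                if acc.protected:                    # returns to its original state
                    acc.protected, acc.end_of_protection = False, None
                acc.links.append((identity, role))
                acc.owner = identity
                return acc
        acc = AccAccount(system, uid, identity, links=[(identity, role)])
        self.accounts.append(acc)
        return acc

    def _last_link_removed(self, acc: AccAccount, today: date) -> None:
        cfg = self.systems[acc.system]
        if not cfg.protection_enabled:
            acc.exists_on_system = False             # plain deprovisioning
            return
        acc.protected = True
        acc.end_of_protection = (today + timedelta(days=cfg.interval_days)
                                 if cfg.interval_days is not None else None)
        # Mapped attributes are re-provisioned for the protected state; if the
        # identifier is such a dynamic attribute, its value changes as well.
        acc.uid = cfg.uid_for(acc.owner, True)

    def remove_role(self, identity: str, role: str, system: str, today: date) -> None:
        for acc in self._live(system):
            if (identity, role) in acc.links:
                acc.links.remove((identity, role))
                if not acc.links:                    # last remaining role removed
                    self._last_link_removed(acc, today)

    def delete_identity(self, identity: str, today: date) -> None:
        """Force delete: every relation goes, even on a protected account; the
        AccAccount stays behind as an orphan (protected if it was not already)."""
        for acc in [a for a in self.accounts if a.exists_on_system]:
            acc.links = [l for l in acc.links if l[0] != identity]
            if not acc.links and not acc.protected:
                self._last_link_removed(acc, today)

    def manual_delete(self, acc: AccAccount, today: date) -> str:
        """Direct deletion of an AccAccount; returns what actually happened."""
        if acc.in_valid_protection(today):
            return "prevented"                       # protected AND interval still valid
        if acc.protected or not self.systems[acc.system].protection_enabled:
            acc.exists_on_system = False             # expired protection, or none configured
            return "deleted"
        acc.links.clear()                            # relations removed down to the last one
        self._last_link_removed(acc, today)
        return "switched_to_protection"

    def expiration_task(self, today: date) -> List[str]:
        """What AccountProtectionExpirationTaskExecutor does: remove expired accounts."""
        gone = []
        for acc in self.accounts:
            if acc.exists_on_system and acc.protected and \
                    acc.end_of_protection is not None and acc.end_of_protection < today:
                acc.exists_on_system = False
                gone.append(acc.uid)
        return gone
```

Walking through it with a system whose `uid_for` ignores the protected flag reproduces each note above: two roles for the same account, removal of both, a blocked manual delete inside the interval, the account coming back unprotected when the same UID is generated again, the protected orphan after `delete_identity` being picked up by a new identity with the same identifier, and the expiration task removing it a day after the interval ends. A second system whose `uid_for` appends a suffix in the protected state shows the limitation: re-assigning the role generates the unprotected UID, nothing is paired, and a second account appears while the protected one stays.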