What is the account protection system?

The goal is to ensure that even after removing the role assigned to the account by the user, this account is not immediately removed from the end system. By the time the last role assigned to the account is removed, the IDM account will be marked as Protected.

If a user assigns a role that assigns the same account (he has the same generated UID in AccAccount) then the Protected mark is removed from the IDM account (so the account returns to its original state).

How can I use it?

Activating account protection before deletion is performed on provisioning mapping in the IDM system. Two items are available here:

  • Account protection (before delete) - By ticking the protection will be activated.
  • Length of protection interval (in days) - defines the length of the protection interval. After the end of the retention period, the account will be cleared in both the IDM and the end system. If the value is empty, the protection interval will be infinite.
For an account that is in a protected mode, provisioning will no longer be performed.

Removing accounts with expired protection interval is done by the AccountProtectionExpirationTaskExecutor. You must create and schedule this task.

Basic use case scenario:

  • We have the "LDAP" system with the anti-deletion account protection system activated. The duration of the protection interval is 10 days.
  • This system has the DN attribute set so that in the case of a protected account it changes from eu.ldap.{userName} to eu.ldap.archive.{userName} .
  • Next, we have the user "john-doe" and the role "roleLDAP" (which assigns "LDAP").
  • The Administrator assigns "john-doe" role roleLDAP.
  • IDM:
    • Creates bindings IdmIdentityRole, AccIdentityAccount and IDM account AccAccount (where uid = "john-doe").
    • Provisioning then creates the appropriate account on the end system. The value of the DN attribute will be eu.ldap.john-doe.
  • Admin deletes john-doe role roleLDAP.
  • IDM:
    • Removes the link IdmIdentityRole.
    • Because the AccIdentityAccount link to the last account is retained, the IDM account will be retained.
    • The IDM account will be marked It is protected. Furthermore, the length of the protection interval (now + 10 days) will be calculated.
    • Provisioning changes the DN attribute from eu.ldap.john-doe to eu.ldap.archive.john-doe
  • Administrator reassigns user john-doe role roleLDAP.
  • IDM:
    • Creates bindings IdmIdentityRole, AccIdentityAccount .
    • Because an existing IDM account AccAccount (protected) is found for the generated UID ("john-doe"), it will be converted to the unprotected state. A new link AccIdentityAccount will be bound to this account. The original binding will be removed.
    • Provisioning changes the DN attribute from eu.ldap.archive.john-doe to eu.ldap.john-doe .
If the role "roleLDAP" were not reassigned, the account will be deleted after 10 days (by scheduled task).
Direct account deletion (AccAccount) will only be avoided if it is in the Protected state and at the same time is within a valid protection interval!
You can manually delete an account (AccAccount) even if the system is marked as protected. Deletions can be performed over accounts that are not in the protected interval (ie, they are not "Protected" or not valid). This account delete only causes switch the account to the protection. All identity account relations will be deleted until last one.
Account marked as protected can be removed manually. You need to set end of protection date on the account detail to the past, then you can delete account by bulk operation on accounts table.
On identity delete is use force delete. That remove relationships between identity and account, event if the AccAccount is in the protected mode. Only identity-account relations are removed. The account on system (AccAccount) is not removed! From this moment is AccAccount orphan without any relations on indentity. If new identity with same system identifier will be created, then this protected account will be linked on it!


It is possible to change the values of the mapped system attributes, depending on whether the account is Protected (as described for the DN attribute). This dynamic attribute should not be marked as "identifier" . In this case, the protected account will not be paired (according to the newly generated UID). The result will be new account (not the original back to the unprotected state)!
At this time, account protection resolves only accounts assigned to Identity.