
Introduction

The purpose of the DeprovisionIdentityTask is to deprovision identities on the target systems.

 

GUID: 1cba8799fa0c415e9ebb6c8ed4105c7a

Scheduled by default: yes

Interval in seconds: 60

Concurrent: no

Parameters: -

Identities to deprovision

The task filters the identities to be deprovisioned based on the conditions below:

Condition

current Identity → TargetSystem → SystemRecurringTaskFeatures

1cba8799fa0c415e9ebb6c8ed4105c7a task feature has to be active

current Identity → IdentityType → IdentityTypeFeatures

IsDeprovisioningExternallyActive (9) feature must not be active

current Identity → IsProvisioned

true

current Identity → CoreIdentity → ResourceAssignments

Has to have no valid resource assignment for IdentityType of current identity

A valid resource assignment is one that:

  • is not ignored

  • AND

    • has state Assigned

    • OR has state PendingAssignment and NOW is between ValidFrom and ValidTo

    • OR ValidFrom is before NOW + current Identity → IdentityType → IdentityProvisioningConfiguration → AdvanceProvisioningInHours

    • OR has state EnlistmentAssigned

ResourceAssignments (Other assignment contexts)

Identity is not used as the context for any resource assignment.

The whole resource assignments table is searched for assignments that:

  • have a context bundle with both:

    • AssignmentContextType is Core Identity and ContextObjectIdentifier is current Identity -> Core Identity -> Id

    • AssignmentContextType is Identity Type and ContextObjectIdentifier is current Identity -> Identity Type -> Id

  • have state

    • Assigned

    • OR EnlistmentAssigned

    • OR DeletePending

    • OR PendingAssignment and NOW is between ValidFrom and ValidTo

current Identity → AnonymizationStatus

AnonymizationStatus has to be different from PendingAnonymization (2) or there have to be no changes in identity attribute values (HasChanged is false)

current Identity → AnonymizationStatus

AnonymizationStatus has to be NotAnonymized (1) OR Anonymized (6)

This is a stronger condition than the previous one. The one above can be removed!

current Identity → DeprovisionedDate

DeprovisionedDate is empty OR NOW has passed the delay defined in current Identity → IdentityType → IdentityProvisioningConfiguration → DeprovisionIdentityDelayInHours

current Identity → Dependent Identities

All dependent identities have an empty DeprovisionedDate OR NOW has passed the delay defined in IdentityProvisioningConfigurationDependency → DeprovisioningDelayInMinutes

What is a Dependent Identity?

A Dependent Identity is an identity belonging to the same CoreIdentity and created with an IdentityProvisioningConfiguration configured in IdentityProvisioningConfigurationDependency.

Processing identities to deprovision

Identities found using the above filters are then double-checked against the criteria below, and the actions are performed.

Condition

current Identity → TargetSystem → SystemRecurringTaskFeatures

1cba8799fa0c415e9ebb6c8ed4105c7a task feature has to be active

Same as in previous filter

current Identity → CoreIdentity → ResourceAssignments

Has to have no valid resource assignment for IdentityType of current identity

Watch out! Different from previous filter!

A valid resource assignment is one that:

  • has state Assigned

  • OR has state DeletePending

  • OR has state PendingAssignment and NOW is between ValidFrom and ValidTo

→ deprovisioning on target system - only if provisioned

→ change data in database

→ workflows
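
Added example (not part of the original page and not the product's code): a Python sketch that puts the two "valid resource assignment" definitions side by side and reports which assignments the selection filter and the processing step classify differently. The Assignment class, its field names and the sample data are constructed; reading the four alternatives of the selection definition as one flat OR is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Assignment:  # hypothetical model; field names follow the page's terms
    name: str
    state: str
    valid_from: datetime
    valid_to: datetime
    ignored: bool = False

def in_window(a, now):
    return a.valid_from <= now <= a.valid_to

def valid_at_selection(a, now, advance_hours):
    # "Identities to deprovision" definition.
    # Assumption: the four alternatives under AND form one flat OR.
    if a.ignored:
        return False
    return (a.state == "Assigned"
            or (a.state == "PendingAssignment" and in_window(a, now))
            or a.valid_from < now + timedelta(hours=advance_hours)
            or a.state == "EnlistmentAssigned")

def valid_at_processing(a, now):
    # "Processing identities to deprovision" definition:
    # no ignored check, no advance window, DeletePending counts.
    return (a.state in ("Assigned", "DeletePending")
            or (a.state == "PendingAssignment" and in_window(a, now)))

def disagreements(assignments, now, advance_hours):
    # name -> (valid at selection, valid at processing) where the stages differ
    pairs = {a.name: (valid_at_selection(a, now, advance_hours),
                      valid_at_processing(a, now)) for a in assignments}
    return {n: p for n, p in pairs.items() if p[0] != p[1]}

# Constructed sample data; future valid_from keeps the advance window out of play
NOW = datetime(2024, 1, 10, 12, 0)
FAR = NOW + timedelta(days=365)
SAMPLE = [
    Assignment("active", "Assigned", NOW - timedelta(days=30), FAR),
    Assignment("ignored", "Assigned", NOW - timedelta(days=30), FAR, ignored=True),
    Assignment("starts-tomorrow", "PendingAssignment", NOW + timedelta(hours=24), FAR),
    Assignment("enlisted", "EnlistmentAssigned", NOW + timedelta(days=30), FAR),
    Assignment("being-deleted", "DeletePending", NOW + timedelta(days=30), FAR),
]

if __name__ == "__main__":
    for name, (sel, proc) in disagreements(SAMPLE, NOW, advance_hours=48).items():
        print(f"{name}: valid at selection={sel}, valid at processing={proc}")
```

With AdvanceProvisioningInHours set to 48, only the plain Assigned assignment is classified the same way by both definitions; the ignored and DeletePending ones count as valid only at processing, the advance-window and EnlistmentAssigned ones only at selection.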
