Deprovision Identity Task

Introduction

The purpose of the DeprovisionIdentityTask is to deprovision identities on the target systems.

 

                      Value
GUID                  1cba8799fa0c415e9ebb6c8ed4105c7a
Scheduled by default
Interval in seconds   60
Concurrent
Parameters            -

Identities to deprovision

The task filters the identities to be deprovisioned based on the conditions below:

  • current Identity → TargetSystem → SystemRecurringTaskFeatures
    Condition: the task feature 1cba8799fa0c415e9ebb6c8ed4105c7a has to be active

  • current Identity → IdentityType → IdentityTypeFeatures
    Condition: the IsDeprovisioningExternallyActive (9) feature has to be inactive

  • current Identity → IsProvisioned
    Condition: true

  • current Identity → CoreIdentity → ResourceAssignments
    Condition: there has to be no valid resource assignment for the IdentityType of the current identity. A valid resource assignment is one that:

      • is not ignored

      • AND

        • has state Assigned

        • OR has state PendingAssignment and NOW is between ValidFrom and ValidTo

        • OR ValidFrom is before NOW + current Identity → IdentityType → IdentityProvisioningConfiguration → AdvanceProvisioningInHours

        • OR has state EnlistmentAssigned

  • ResourceAssignments (other assignment contexts)
    Condition: the identity is not used as the context for any resource assignment. Search the whole resource assignments table for assignments that:

      • have a context bundle with both:

        • AssignmentContextType is Core Identity and ContextObjectIdentifier is current Identity → Core Identity → Id

        • AssignmentContextType is Identity Type and ContextObjectIdentifier is current Identity → Identity Type → Id

      • have state:

        • Assigned

        • OR EnlistmentAssigned

        • OR DeletePending

        • OR PendingAssignment and NOW is between ValidFrom and ValidTo

  • current Identity → AnonymizationStatus
    Condition: AnonymizationStatus has to be different from PendingAnonymization (2), or there have to be no changes in identity attribute values (HasChanged is false)

  • current Identity → AnonymizationStatus
    Condition: AnonymizationStatus has to be NotAnonymized (1) OR Anonymized (6)
    This is a stronger condition than the previous one; the one above can be removed!

  • current Identity → DeprovisionedDate
    Condition: DeprovisionedDate is empty OR NOW is past the delay defined in current Identity → IdentityType → IdentityProvisioningConfiguration → DeprovisionIdentityDelayInHours

  • current Identity → Dependent Identities
    Condition: all dependent identities have an empty DeprovisionedDate OR NOW is past the delay defined in IdentityProvisioningConfigurationDependency → DeprovisioningDelayInMinutes

What is a Dependent Identity?

A Dependent Identity is an identity belonging to the same CoreIdentity and created with the IdentityProvisioningConfiguration configured in IdentityProvisioningConfigurationDependency.

Processing identities to deprovision - additional filter

Identities found using the filters above are then double-checked against the criteria below, and the actions are performed.

  • current Identity → TargetSystem → SystemRecurringTaskFeatures
    Condition: the task feature 1cba8799fa0c415e9ebb6c8ed4105c7a has to be active
    Same as in the previous filter

  • current Identity → CoreIdentity → ResourceAssignments
    Condition: there has to be no valid resource assignment for the IdentityType of the current identity
    Watch out! Different from the previous filter! Here a valid resource assignment is one that:

      • has state Assigned

      • OR has state DeletePending

      • OR has state PendingAssignment and NOW is between ValidFrom and ValidTo
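The two resource-assignment validity rules side by side, together with the DeprovisionedDate delay check, as an added example in Python (this is not CoreOne code; the ResourceAssignment model, the State enum, the sample assignments, and the reading of the pre-filter's ValidFrom clause as applying to PendingAssignment are assumptions made here). It shows the cases where the two stages disagree, which is exactly where a wrong rule would either leave an identity with access it should have lost or deprovision it while an assignment is still valid:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Callable, Iterable, Optional

class State(Enum):
    """Resource assignment states named on the page."""
    ASSIGNED = "Assigned"
    PENDING_ASSIGNMENT = "PendingAssignment"
    ENLISTMENT_ASSIGNED = "EnlistmentAssigned"
    DELETE_PENDING = "DeletePending"

@dataclass(frozen=True)
class ResourceAssignment:
    identity_type_id: str                  # IdentityType the assignment is for
    state: State
    ignored: bool = False                  # the "is not ignored" flag of the pre-filter
    valid_from: Optional[datetime] = None
    valid_to: Optional[datetime] = None

def _now_in_window(a: ResourceAssignment, now: datetime) -> bool:
    """NOW is between ValidFrom and ValidTo (both must be set)."""
    return (a.valid_from is not None and a.valid_to is not None
            and a.valid_from <= now <= a.valid_to)

def valid_in_prefilter(a: ResourceAssignment, now: datetime,
                       advance_provisioning_hours: int) -> bool:
    """Rule of 'Identities to deprovision': ignored assignments never count;
    Assigned and EnlistmentAssigned always count; PendingAssignment counts when
    NOW is inside [ValidFrom, ValidTo] or ValidFrom lies before
    NOW + AdvanceProvisioningInHours. Assumption: the page states the ValidFrom
    clause without a state; it is read here as applying to PendingAssignment."""
    if a.ignored:
        return False
    if a.state in (State.ASSIGNED, State.ENLISTMENT_ASSIGNED):
        return True
    if a.state is State.PENDING_ASSIGNMENT:
        horizon = now + timedelta(hours=advance_provisioning_hours)
        starts_soon = a.valid_from is not None and a.valid_from < horizon
        return _now_in_window(a, now) or starts_soon
    return False

def valid_in_additional_filter(a: ResourceAssignment, now: datetime) -> bool:
    """Rule of the additional filter exactly as the page lists it: Assigned,
    DeletePending, or PendingAssignment with NOW inside [ValidFrom, ValidTo].
    No ignored check, no EnlistmentAssigned, no advance window."""
    if a.state in (State.ASSIGNED, State.DELETE_PENDING):
        return True
    return a.state is State.PENDING_ASSIGNMENT and _now_in_window(a, now)

def has_no_valid_assignment(identity_type_id: str,
                            assignments: Iterable[ResourceAssignment],
                            is_valid: Callable[[ResourceAssignment], bool]) -> bool:
    """True when none of the CoreIdentity's assignments for this IdentityType
    is valid under the given rule; other IdentityTypes are not considered."""
    return not any(is_valid(a) for a in assignments
                   if a.identity_type_id == identity_type_id)

def delay_elapsed(deprovisioned_date: Optional[datetime], delay: timedelta,
                  now: datetime) -> bool:
    """DeprovisionedDate empty OR NOW past DeprovisionedDate + delay; used with
    DeprovisionIdentityDelayInHours for the identity itself and with
    DeprovisioningDelayInMinutes for each dependent identity."""
    return deprovisioned_date is None or now >= deprovisioned_date + delay

# Constructed sample data: assignments of one CoreIdentity, mostly for IdentityType "T1".
NOW = datetime(2024, 1, 15, 12, 0)
SAMPLE = {
    "assigned": ResourceAssignment("T1", State.ASSIGNED),
    "enlistment": ResourceAssignment("T1", State.ENLISTMENT_ASSIGNED),
    "delete_pending": ResourceAssignment("T1", State.DELETE_PENDING),
    "starts_in_2h": ResourceAssignment("T1", State.PENDING_ASSIGNMENT,
                                       valid_from=NOW + timedelta(hours=2),
                                       valid_to=NOW + timedelta(days=10)),
    "ignored": ResourceAssignment("T1", State.ASSIGNED, ignored=True),
    "other_type": ResourceAssignment("T2", State.ASSIGNED),
}

def blocked_by(name: str, advance_provisioning_hours: int = 24) -> tuple:
    """(pre-filter blocks deprovisioning, additional filter blocks it) when the
    CoreIdentity holds only the named sample assignment."""
    a = [SAMPLE[name]]
    pre = not has_no_valid_assignment(
        "T1", a, lambda x: valid_in_prefilter(x, NOW, advance_provisioning_hours))
    extra = not has_no_valid_assignment("T1", a, lambda x: valid_in_additional_filter(x, NOW))
    return (pre, extra)

def delay_examples() -> tuple:
    """24 h identity delay checked with no date, a date 23 h ago and one 25 h ago."""
    d = timedelta(hours=24)
    return (delay_elapsed(None, d, NOW),
            delay_elapsed(NOW - timedelta(hours=23), d, NOW),
            delay_elapsed(NOW - timedelta(hours=25), d, NOW))

if __name__ == "__main__":
    for name in SAMPLE:
        print(f"{name:14s} blocked by (pre-filter, additional filter): {blocked_by(name)}")
    print("delay examples (none, 23 h ago, 25 h ago):", delay_examples())
```

Running it shows the disagreements the "Watch out!" note refers to: an EnlistmentAssigned assignment or one that starts within the advance window keeps the identity out of the first stage only, while an ignored or DeletePending assignment keeps it out of the second stage only.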

Processing identities to deprovision - actions

  • Action: System Connector call DeactivateIdentity; event UserAccountDeactivationRequested is sent
    Condition: current Identity → IdentityType → IdentityProvisioningConfiguration → DeprovisionIdentityDelayInHours != 0 AND current Identity → DeprovisionedDate IS NULL

  • Action: DB update Identity.DeprovisionedDate to NOW

  • Action: DB change Identity.Active to false

  • Action: Elsa workflow run Deprovisioning (37)
    Condition: has to be configured in IdentityProvisioningConfigurationWorkflows

  • Action: WF workflow run
    Condition: has to be configured in IdentityProvisioningConfiguration AND no Elsa workflow is configured

  • Action: System Connector call DeleteIdentity
    Condition: no workflow (WF or Elsa) is configured

  • Action: DB delete Identity
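How the actions table plays out over successive task runs, as an added example in Python (not the product's code; the Identity model, the returned action strings, the hourly run interval, and the grouping of the deactivation row with the two DB updates into one delayed first pass are assumptions made here). With a non-zero DeprovisionIdentityDelayInHours the first run only deactivates the account and stamps DeprovisionedDate; the DeprovisionedDate filter then keeps the identity out of the task until the delay has passed, and a later run executes the configured workflow or, when none is configured, deletes:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

@dataclass
class Identity:
    """Fields of the identity and its IdentityProvisioningConfiguration that the
    actions table reads (constructed model, not the product's schema)."""
    name: str
    deprovision_delay_hours: int      # DeprovisionIdentityDelayInHours
    elsa_configured: bool             # Deprovisioning workflow in IdentityProvisioningConfigurationWorkflows
    wf_configured: bool               # WF workflow in IdentityProvisioningConfiguration
    active: bool = True
    deprovisioned_date: Optional[datetime] = None
    deleted: bool = False

def passes_date_filter(identity: Identity, now: datetime) -> bool:
    """DeprovisionedDate condition of 'Identities to deprovision': the date is
    empty, or NOW is past the date plus DeprovisionIdentityDelayInHours."""
    if identity.deprovisioned_date is None:
        return True
    delay = timedelta(hours=identity.deprovision_delay_hours)
    return now >= identity.deprovisioned_date + delay

def run_actions(identity: Identity, now: datetime) -> List[str]:
    """Applies the actions table to one selected identity and returns the actions
    taken. Assumption (a reading of the table, not stated on the page): the
    deactivation row together with the two DB updates forms the delayed first
    pass, and the workflow/delete rows run only when that pass does not apply."""
    if identity.deprovision_delay_hours != 0 and identity.deprovisioned_date is None:
        identity.deprovisioned_date = now
        identity.active = False
        return ["System Connector DeactivateIdentity",
                "Event UserAccountDeactivationRequested",
                "DB update Identity.DeprovisionedDate = NOW",
                "DB change Identity.Active = false"]
    if identity.elsa_configured:
        return ["Elsa workflow run Deprovisioning (37)"]
    if identity.wf_configured:
        return ["WF workflow run"]
    identity.deleted = True
    return ["System Connector DeleteIdentity", "DB delete Identity"]

def simulate(identity: Identity, start: datetime, runs: int,
             interval: timedelta) -> List[List[str]]:
    """Runs the task `runs` times at `interval` and records the actions of each
    run; an empty list means the DeprovisionedDate filter (or the earlier
    deletion) kept the identity out of that run. All other filter conditions
    are assumed to pass."""
    history: List[List[str]] = []
    for i in range(runs):
        now = start + i * interval
        if identity.deleted or not passes_date_filter(identity, now):
            history.append([])
        else:
            history.append(run_actions(identity, now))
    return history

# Constructed sample: a 24 h delay, no workflow configured, task run once per hour.
START = datetime(2024, 1, 15, 12, 0)

def demo_history() -> List[List[str]]:
    return simulate(Identity("alice", 24, False, False), START, 26, timedelta(hours=1))

if __name__ == "__main__":
    for i, actions in enumerate(demo_history()):
        if actions:
            print(f"run {i:2d} (+{i} h): {', '.join(actions)}")
```

With a delay of 0 the first pass is skipped entirely and the very first run goes straight to the workflow or delete row, so the delay is the only thing that gives an operator a window to notice a wrongly selected identity before its data is removed.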

 

© ITSENSE AG. All rights reserved. ITSENSE and CoreOne are registered trademarks of ITSENSE AG.