Sun Identity Manager 8.1 Business Administrator's Guide

Procedure: To Specify How User Accounts Are Deleted/Deprovisioned

  1. Use the Delete Identity Manager Account buttons to specify whether an Identity Manager account can be deleted during a delete operation.

    These buttons include:

    • Never. Select to prevent accounts from being deleted.

    • Only if user has no linked accounts after deprovisioning. Select to allow user account deletions only if there are no linked resource accounts after deprovisioning.

    • Always. Select to always allow user account deletions, even if there are still resource accounts assigned.

  2. Use the Resource Accounts Deprovisioning boxes to control resource account deprovisioning for all resource accounts.


    Note –

    Unassigning or unlinking an external resource from a user does not generate a provisioning request or a work item. When you unassign or unlink an external resource, Identity Manager does not deprovision or delete that resource account, so there is nothing for you to do.


    These boxes include:

    • Delete All. Enable this box to delete all accounts representing the user on all assigned resources.

    • Unassign All. Enable this box to unassign all resource accounts from the user. The resource accounts will not be deleted.

    • Unlink All. Enable this box to break all links from the Identity Manager system to the resource accounts. Users with accounts that are assigned but not linked will display with a badge to indicate that an update is required.

    These controls override the behaviors in the Individual Resource Accounts Deprovisioning table.

  3. Use the Individual Resource Accounts Deprovisioning boxes to allow a more fine-grained approach to user deprovisioning (compared to Resource Accounts Deprovisioning).

    These boxes include:

    • Delete. Enable this box to delete the account that represents the user on the resource.

    • Unassign. Enable this box and the user will no longer be assigned directly to the resource. The resource account will not be deleted.

    • Unlink. Enable this box to break the link from the Identity Manager system to the resource accounts. Users with accounts that are assigned but not linked will display with a badge to indicate that an update is required.

    The Individual Resource Accounts Deprovisioning options are useful if you want to specify a separate deprovisioning policy for different resources. For example, most customers do not want to delete Active Directory users because each user has a global identifier that can never be re-created following deletion. However, in environments where new resources are added, you might not want to use this option because the deprovisioning configuration would have to be updated every time you add a new resource.
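The interaction of the three controls above, modeled as an added example (not Identity Manager code; all function and field names are hypothetical). It assumes an enabled "All" box forces its action on every resource, that a deleted account is no longer linked, and that Unassign alone leaves the link in place; it reports resource accounts that stay live on the resource but are no longer managed.

```python
from dataclasses import dataclass

# The three "Delete Identity Manager Account" choices (names are hypothetical)
NEVER, IF_NO_LINKED, ALWAYS = "never", "only_if_no_linked", "always"

@dataclass
class Account:
    resource: str
    exists: bool = True     # account still present on the target resource
    assigned: bool = True   # resource still assigned to the user
    linked: bool = True     # Identity Manager still tracks the account

def deprovision(accounts, idm_delete, table=None, global_boxes=()):
    """Model one delete operation and return (idm_account_deleted, orphans).

    table:        {resource: {"delete", "unassign", "unlink"}}  per-resource boxes
    global_boxes: subset of {"delete", "unassign", "unlink"}    the "... All" boxes
    """
    table = table or {}
    for acct in accounts:
        # Assumption: an enabled "All" box forces that action on every resource,
        # overriding whatever the per-resource table says.
        actions = set(global_boxes) | set(table.get(acct.resource, ()))
        if "delete" in actions:
            # Assumption: a deleted resource account is no longer linked.
            acct.exists = acct.linked = False
        if "unassign" in actions:
            acct.assigned = False   # the resource account itself is not deleted
        if "unlink" in actions:
            acct.linked = False     # the resource account itself is not deleted
    still_linked = [a.resource for a in accounts if a.linked]
    idm_deleted = idm_delete == ALWAYS or (
        idm_delete == IF_NO_LINKED and not still_linked)
    # Orphans: accounts still live on a resource that Identity Manager no longer
    # manages, because the link was broken or the owning account was deleted.
    orphans = sorted(a.resource for a in accounts
                     if a.exists and (idm_deleted or not a.linked))
    return idm_deleted, orphans

if __name__ == "__main__":
    # Constructed sample: keep the Active Directory account (unlink only),
    # delete the LDAP account, then delete the Identity Manager account.
    users = [Account("AD"), Account("LDAP")]
    print(deprovision(users, IF_NO_LINKED,
                      {"AD": {"unlink"}, "LDAP": {"delete"}}))
```

Any resource listed in the second return value needs a separate disable or review step on the resource itself, since the model shows it is no longer reachable through the deleted or unlinked identity.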