When an employee is deleted, One Identity Manager checks whether user accounts and company resources are still assigned to them, or whether requests are still pending in the IT Shop. The employee is marked for deletion and thereby locked against further processing. Before the employee can finally be deleted from the One Identity Manager database, you need to delete all company resource assignments and close all requests; you can do this manually or implement custom processes to do it. By default, One Identity Manager can delete all user accounts linked to an employee once that employee has been deleted. If no more company resources are assigned, the employee is finally deleted.
Scenario: user accounts are linked to employees and are managed through account definitions.
Scenario: user accounts are linked to employees. No account definition is applied.
If user accounts are managed through account definitions, you can specify the desired behavior for handling user accounts and group memberships through account definitions and manage levels for temporary disabling, permanent disabling, deletion and security risk to employees.
You can define special handling for each target system belonging to a target system type, through the relationship between the target system and account definition. For more information, see Using Account Definitions to Create User Accounts.
You can configure the following behavior:
The effects on account definition inheritance of temporary disabling, permanent disabling, deletion and security risk to employees are specified for each account definition. The settings of previous account definitions are overwritten.
You may want employees that are disabled or marked for deletion to inherit account definitions to ensure that all necessary permissions are made immediately available when the employee is reactivated at a later time.
IMPORTANT: An employee keeps its linked user accounts as long as an account definition applies to the employee. If the account definition assignment no longer applies, the user account created through this account definition is deleted.
The following account definition options are available for mapping this behavior.
Property | Description |
---|---|
Retain account definition if permanently disabled | Specifies the account definition assignment to permanently disabled employees. Option set: the account definition assignment remains in effect and the user account stays the same. Option not set: the account definition assignment is not in effect and the associated user account is deleted. |
Retain account definition if temporarily disabled | Specifies the account definition assignment to temporarily disabled employees. Option set: the account definition assignment remains in effect and the user account stays the same. Option not set: the account definition assignment is not in effect and the associated user account is deleted. |
Retain account definition on deferred deletion | Specifies the account definition assignment on deferred deletion of employees. Option set: the account definition assignment remains in effect and the user account stays the same. Option not set: the account definition assignment is not in effect and the associated user account is deleted. |
Retain account definition on security risk | Specifies the account definition assignment to employees posing a security risk. Option set: the account definition assignment remains in effect and the user account stays the same. Option not set: the account definition assignment is not in effect and the associated user account is deleted. |
The effects on user accounts of temporary disabling, permanent disabling, deletion and security risk of an employee are specified for each manage level.
In order to remove permissions from an employee when they are being disabled or deleted, the employee’s user accounts can be locked. If the employee is reinstated at a later date, the user accounts are also reactivated.
The following options are available for each manage level on an account definition for handling user accounts:
Property | Description |
---|---|
Lock user accounts if temporarily disabled | Specifies whether user accounts of temporarily disabled employees are locked. |
Lock user accounts if permanently disabled | Specifies whether user accounts of permanently disabled employees are locked. |
Lock user accounts if deletion is deferred | Specifies whether user accounts of employees marked for deletion are locked. |
Lock user accounts if security is at risk | Specifies whether user accounts of employees posing a security risk are locked. |
The effects on user account group memberships of temporary disabling, permanent disabling, deletion and security risk of an employee are specified for each manage level.
If an employee is deactivated or marked for deletion, inheritance of group memberships can be suppressed for the target system of the account definition. You might want this behavior if an employee's user accounts and mailboxes are locked and therefore cannot be included in distribution lists. During this deactivation period, no inheritance processes should be calculated for this employee. Existing group memberships are deleted.
The following options are available for each manage level on an account definition for handling group memberships:
Property | Description |
---|---|
Retain groups if temporarily disabled | Specifies whether user accounts of temporarily disabled employees retain their group memberships. |
Retain groups if permanently disabled | Specifies whether user accounts of permanently disabled employees retain their group memberships. |
Retain groups on deferred deletion | Specifies whether user accounts of employees marked for deletion retain their group memberships. |
Retain groups on security risk | Specifies whether user accounts of employees posing a security risk retain their group memberships. |
Retain groups if user account disabled | Specifies whether locked user accounts retain their group memberships. |
The Unified Namespace is a virtual system in which different target systems can be mapped with their structures, user accounts, system entitlements and memberships. The Unified Namespace allows a general, cross target system mapping of all connected target systems. This means that target systems like Active Directory domains can be mapped just the same as custom target systems.
You can use other One Identity Manager core functionality across target systems by mapping target systems in the Unified Namespace, such as identity audit, attestation or report functions. You are supplied with several reports by default.
Each Unified Namespace object type joins the various tables of the One Identity Manager data model required for mapping connected target systems. The various target system tables are joined in database layers. This allows different object properties to be mapped uniformly.
Use the following database views to execute compliance checks or attestation across target systems and also to create reports across target systems.
The UNSRoot view maps the base objects of target system synchronization.
Target system type | Table |
---|---|
Active Directory | ADSDomain |
Microsoft Exchange | EX0Organization |
SharePoint | SPSSite |
IBM Notes | NotesDomain |
SAP R/3 | SAPMandant |
LDAP | LDAPDomain |
Custom target systems | UNSRootB |
Unix | UNXHost |
Azure Active Directory | AADOrganization |
G Suite | GAPCustomer |
Cloud Target Systems | CSMRoot |
The UNSContainer view maps the target system's container structures.
Target system type | Table |
---|---|
Active Directory | ADSContainer |
SharePoint | SPSWeb |
LDAP | LDAPContainer |
Custom target systems | UNSContainerB |
Cloud Target Systems | CSMContainer |
G Suite | GAPOrgUnit |
The UNSAccount view maps the user accounts of the target systems.
Target system type | Table |
---|---|
Active Directory | ADSAccount, ADSContact |
Microsoft Exchange | EX0MailUser, EX0MailContact, EX0Mailbox |
SharePoint | SPSUser |
IBM Notes | NotesUser |
SAP R/3 | SAPUser, SAPBWUser |
LDAP | LDAPAccount |
Custom target systems | UNSAccountB |
Unix | UNXAccount |
Azure Active Directory | AADUser |
Exchange Online | O3EMailbox, O3EMailContact, O3EMailUser |
G Suite | GAPUser |
Cloud Target Systems | CSMUser |
The UNSGroup view maps the target system's system entitlements, such as groups, roles, and profiles.
Target system type | Table |
---|---|
Active Directory | ADSGroup |
Microsoft Exchange | EX0DL |
SharePoint | SPSGroup, SPSRLAsgn |
IBM Notes | NotesGroup |
SAP R/3 | SAPGrp, SAPProfile, SAPRole, SAPHRP, SAPBWP |
LDAP | LDAPGroup |
Custom target systems | UNSGroupB |
Unix | UNXGroup |
Azure Active Directory | AADGroup, AADDeniedServicePlan, AADDirectoryRole, AADSubSku |
Exchange Online | O3EDL, O3EUnifiedGroup |
G Suite | GAPGroup, GAPPaSku |
Cloud Target Systems | CSMGroup |
The UNSItem view maps the target system's additional permissions controls.
Target system type | Table |
---|---|
Custom target systems | UNSItemB |
Cloud Target Systems | CSMItem |
The UNSAccountInUNSGroup view maps system entitlement assignments to the target system's user accounts.
Target system type | Table |
---|---|
Active Directory | ADSAccountInADSGroup, ADSContactInADSGroup |
SharePoint | SPSUserInSPSGroup, SPSUserHASSPSRLAsgn |
IBM Notes | NotesUserInGroup |
SAP R/3 | SAPUserInSAPGrp, SAPUserInSAPRole, SAPUserInSAPProfile, SAPUserInSAPHRP, SAPBWUserInSAPBWP |
LDAP | LDAPAccountInLDAPGroup |
Custom target systems | UNSAccountBInUNSGroupB |
Unix | UNXAccountInUNXGroup |
Azure Active Directory | AADUserHasDeniedService, AADUserInDirectoryRole, AADUserInAADGroup |
Exchange Online | O3EAADUserInUnifiedGroup, O3EMailboxInDL, O3EMailContactInDL, O3EMailUserInDL |
G Suite | GAPUserInGroup, GAPUserInPaSku |
Cloud Target Systems | CSMUserInGroup |
The UNSAccountHasUNSItem view maps assignments of additional permissions controls to the target system's user accounts.
Target system type | Table |
---|---|
Custom target systems | UNSAccountBHasUNSItemB |
Cloud Target Systems | CSMUserHasItem |
The UNSGroupInUNSGroup view maps system entitlement assignments to the target system's system entitlements.
Target system type | Table |
---|---|
Active Directory | ADSGroupInADSGroup |
SharePoint | SPSGroupHasSPSRLAsgn |
IBM Notes | NotesGroupInGroup |
SAP R/3 | SAPProfileInSAPProfile, SAPRoleInSAPRole, SAPProfileInSAPRole |
LDAP | LDAPGroupInLDAPGroup |
Custom target systems | UNSGroupBInUNSGroupB |
Azure Active Directory | AADGroupInGroup |
Exchange Online | O3EDLInDL |
G Suite | GAPGroupInGroup |
Cloud Target Systems | CSMGroupInGroup |
The UNSGroupHasUNSItem view maps assignments of additional permissions controls to the target system's system entitlements.
Target system type | Table |
---|---|
Custom target systems | UNSGroupBHasUNSItemB |
Cloud Target Systems | CSMGroupHasItem |
The UNSGroupExclusion view maps system entitlement definitions that are mutually exclusive.
Target system type | Table |
---|---|
Active Directory | ADSGroupExclusion |
SharePoint | SPSGroupExclusion, SPSRLAsgnExclusion |
IBM Notes | NotesGroupExclusion |
SAP R/3 | SAPGrpExclusion, SAPProfileExclusion, SAPRoleExclusion |
LDAP | LDAPGroupExclusion |
Custom target systems | UNSGroupBExclusion |
Unix | UNXGroupExclusion |
Azure Active Directory | AADGroupExclusion, AADSubSkuExclusion |
G Suite | GAPGroupExclusion |
Cloud Target Systems | CSMGroupExclusion |
The UNSGroupCollection view maps hierarchies of system entitlements.
Target system type | Table |
---|---|
Active Directory | ADSGroupCollection |
SharePoint | SPSGroupCollection, SPSRLAsgn |
IBM Notes | NotesGroupCollection |
SAP R/3 | SAPCollectionRPG |
LDAP | LDAPGroupCollection |
Custom target systems | UNSGroupBCollection |
Unix based target system | UNXGroupExclusion |
Azure Active Directory | AADGroupCollection |
Exchange Online | O3EDLCollection |
G Suite | GAPGroupCollection |
Cloud Target Systems | CSMGroupCollection |
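As an added example that is not part of the One Identity documentation, the following Python script builds an in-memory SQLite stand-in for the UNSRoot, UNSAccount, UNSGroup and UNSAccountInUNSGroup views plus the Person table, and runs one cross-target-system report over them: every system entitlement still held by a user account of an employee who is marked for deletion or poses a security risk. The column names, the Person table layout and the sample data are assumptions made for illustration; against a real database the same join runs over the actual views.

```python
import sqlite3

# Constructed stand-in for the Unified Namespace views, built in memory so the
# query runs offline. Column names (UID_Person, XMarkedForDeletion,
# IsSecurityIncident, TargetSystemType, DisplayName, ...) are assumptions.
SCHEMA = """
CREATE TABLE Person(UID_Person TEXT PRIMARY KEY, CentralAccount TEXT,
                    XMarkedForDeletion INTEGER, IsSecurityIncident INTEGER);
CREATE TABLE UNSRoot(UID_UNSRoot TEXT PRIMARY KEY, TargetSystemType TEXT);
CREATE TABLE UNSAccount(UID_UNSAccount TEXT PRIMARY KEY, UID_Person TEXT,
                        UID_UNSRoot TEXT, AccountName TEXT);
CREATE TABLE UNSGroup(UID_UNSGroup TEXT PRIMARY KEY, UID_UNSRoot TEXT, DisplayName TEXT);
CREATE TABLE UNSAccountInUNSGroup(UID_UNSAccount TEXT, UID_UNSGroup TEXT);
"""

# Constructed sample data: ASMITH is marked for deletion, CLEE is a security
# risk, BJONES is a normal active employee and must not appear in the report.
SAMPLE = """
INSERT INTO Person VALUES ('p1','ASMITH',1,0),('p2','BJONES',0,0),('p3','CLEE',0,1);
INSERT INTO UNSRoot VALUES ('r-ads','Active Directory'),('r-sap','SAP R/3');
INSERT INTO UNSAccount VALUES ('a1','p1','r-ads','asmith'),('a2','p1','r-sap','ASMITH'),
                              ('a3','p2','r-ads','bjones'),('a4','p3','r-sap','CLEE');
INSERT INTO UNSGroup VALUES ('g1','r-ads','Domain Admins'),('g2','r-sap','SAP_ALL'),
                            ('g3','r-ads','Staff');
INSERT INTO UNSAccountInUNSGroup VALUES ('a1','g1'),('a2','g2'),('a3','g3'),('a4','g2');
"""

# One query across all connected target systems: because AD and SAP accounts are
# both joined through the UNS views, no per-system SQL is needed.
REPORT_SQL = """
SELECT p.CentralAccount, r.TargetSystemType, a.AccountName, g.DisplayName,
       CASE WHEN p.XMarkedForDeletion = 1 THEN 'deferred deletion'
            ELSE 'security risk' END AS Reason
FROM Person p
JOIN UNSAccount a            ON a.UID_Person = p.UID_Person
JOIN UNSRoot r               ON r.UID_UNSRoot = a.UID_UNSRoot
JOIN UNSAccountInUNSGroup ag ON ag.UID_UNSAccount = a.UID_UNSAccount
JOIN UNSGroup g              ON g.UID_UNSGroup = ag.UID_UNSGroup
WHERE p.XMarkedForDeletion = 1 OR p.IsSecurityIncident = 1
ORDER BY p.CentralAccount, r.TargetSystemType, g.DisplayName
"""

def build_demo_db():
    """Create the in-memory database and load the constructed sample data."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA + SAMPLE)
    return con

def open_entitlements(con):
    """Rows of (central account, target system type, account, entitlement, reason)."""
    return con.execute(REPORT_SQL).fetchall()
```

Running `open_entitlements(build_demo_db())` lists ASMITH's AD and SAP entitlements and CLEE's SAP entitlement, while BJONES is excluded.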
© 2023 One Identity LLC. ALL RIGHTS RESERVED.