Best practice to delete Perm. Disabled Persons and their accounts

We have been running One Identity Manager now for many years but have never been deleting any Persons/accounts. We are now close to having 40k perm. disabled users and i would like to implement a clean-up deletion process.

My goal is to automatically delete any Person that have been perm. disabled for more than 2 years. What is the best practice of doing this? I have read that some are using the QER_PPersonDelete_GDPR as clean-up. Would this be a good solution to create a process that runs QER_PPersonDelete_GDPR on all Persons that are perm. disabled and their leaving date is more than 2 years back in time?

If i run QER_PPersonDelete_GDPR for a user that has outstanding accounts connected usch as ADS acocunt etc, what will happen to those? Will they get deleted as well or do they need ot be deleted before the process is triggered?

What if they person for some reason has connected target system accounts that are not marked as outstanding. Will those just be deleted from the database if so?

Version 9.1

How are you guys handling your clean-up of perm. disabled users?

  • Hi QOS,

    Ah, deleting old persons (and accounts) one of the age-old IAM questions! To be honest as the person is so long gone this is mostly a technical excercise and one of the less complicated steps in the leaver process.

    Let's start by looking at the official answer;

    What One Identity itself has to say on the subject;

    Deferred deletion of employees

    When an employee is deleted, they are tested to see if user accounts and company resources are still assigned, or if there are still pending requests in the IT Shop. The employee is marked for deletion and therefore locked out of further processing. Before an employee can finally be deleted from the One Identity Manager database, you need to delete all company resource assignments and close all requests. You can do this manually or implement custom processes to do it. All the user accounts linked to one employee could be deleted by default by One Identity Manager once this employee has been deleted. If no more company resources are assigned, the employee is finally deleted.

    By default, employees are finally deleted from the database after 30 days. During this period it is possible to re-enable the employee. A restore is not possible once deferred deletion has expired.

    In the Designer, you can set an alternative delay on the Person table. For more information on configuring the deferred deletion, refer to the One Identity Manager Configuration Guide.

      • Be aware that if you use QER_PPersonDelete_GDPR the goal is to delete all personal information about that person. Personally I would not use it, as it also deletes information that can still be relevant even when the person has left. It's made to entirely remove a person and everything they've done from the database, which is more than you want with a normal delete.

    Personally I mostly follow the standard approach;

    -Have some schedule check what people have a leaving date more than <x> time in the past. For all those people trigger a simple process to delete them. Depending on the volume this can be done using a single process updating all of them, individual processes, or even deferred operations that are created on their leaving date.

    -Whichever approach is taken it leads to a delete of the person (with a retention period).

    -Set all account definitions to be revoked when the person is set to 'deleted' so that their accounts are removed.

    Any accounts which are linked to the person without an account definition or not fully managed will not be automatically deleted when the person gets deleted. You don't necesarilly want that either, so you'll want to think about if you want to unlink them (as they might not be tied to the person per-se just managed by him), or if they should be deleted. If the later, you'll need to create a delete process / job.

    -Ensure the person in a deleted state gets removed from all customer IT-Shop nodes (ensuring all their requests are cancelled).

    -Wait for the deferred deletion delay to expire causing the person to finally be deleted.

    --

    Just some thoughts, but I hope they help :)

  • Thank you. 

    So it sounds like creating a process to delete accounts that have a leaving date older than x days is the way to go.

    Are you able to share the process step that you are using for the actual deletion step?

  • The actual deletion of the person is generally a fairly simple; 'HandleObjectComponent - Delete' on the person table.

    The accounts I prefer to have deleted using the account definition method. If you check an account definition you'll see there's a checkbox there to; 'Retain account definition on deferred deletion'. (Similarly for permanently disabled)

    If that isn't checked setting the person to deferred deletion will revoke their account definitions causing the accounts to be removed. That is, for managed accounts. Any unmanaged accounts you should unlink in process steps (HandleObjectComponent - Update steps to clear or update the uid_person generally works fairly well). As those accounts are unmanaged they can be freely updated.