Identity deletions - Delete Identity Passed events showing

We are not wanting identities to be deleted.

But yet if we look in our events we see the “Delete Identity Passed” as having passed for given accounts. But I see this for an active Identity as well, they are in an active LCS and have accounts present. When I go to the user under the identity tab I see them and when I go to the activities for that identity, it doesn’t show anything about creating it again.

I get that this runs nightly, is this just an indicator that the Identity was evaluated for the delete process but a delete didn’t actually happen? Or did a delete actually happen, but an aggregation put it back together?

What is the best report to actually know when or if an Identity is actually deleted, where there should be a concern?

Is there a way to prevent Identity Deletions within IDN? Example, a manual deletion of an AD account, IDN reviews the identity at the end of the day and deletes it. How can we force IDN to never delete an Identity unless we want to do so manually through the UI or API?

Hi there Fred!

Are the entire Identity Cubes being deleted? Or is it just accounts connected to identities like an Active Directory account?

If accounts are being removed unintentionally I would suggest checking aggregations to see if there are times where 0 accounts are aggregated. A simple fix to this is to change the Account Delete Threshold to a low amount like 3% to prevent automatic deletions when faulty aggregations occur.

If this isn’t the case, you should look into the Native Change Detection module, where you potentially can set up a workflow to notify you when native changes like these occur outside of IDN.

Isn’t Disable Account Deletion referring to preventing an Account, such as a user in Active Directory from being deleted?

We would be fine with the account association to be deleted in the Identity when an AD account is manually deleted. But we don’t ever want the Identity to be deleted.

Yes, you can disable it entirely. Well, your authoritative source is also an account on the identity, meaning you can disable delete threshold on the source that is connected to your Identity Profile(s).

I believe the best methods for preventing identity deletions are as follows:

  1. Your source system never deletes / filters on records. All records are available to IdentityNow.

  2. Have a secondary source with an Identity Profile associated to that source where all accounts are stored. As it is a secondary source the profile would be secondary. Upon deletion from the primary source the secondary identity profile would be in play.

What options have you used to retain identities within IdentityNow as an Identity Vault, if you will?

Is there a way to use native change detection to prevent identities from being deleted? We have an issue with our HR feed where active identities are being deleted from our HR source. Can we implement logic (i.e. workflow) where if the identity is not termed, don’t delete it from IDN?

If you have specific users that can’t be deleted from ISC, but may drop from your source, such as for legal hold purposes, you could create a separate source for those Identities, such as a CSV and create an Identity Profile that would have mappings to maintain data as they drop from the HR system, etc. This would prevent Identity Deletions in ISC.
