When a user is deleted from OIM, the default behavior is that the user is deleted immediately. Recently, however, we received the following requirements from the business:
a) When a user is deleted, we need to keep the user in the disabled state for one year.
b) Such users need to be deleted once they have been in the disabled state for one year.
c) Any user who has been purposely DISABLED should not be deleted by the above business logic.
So, to implement the above functionality, I made use of a predefined scheduled job in OIM: Delayed Delete User.
There is a concept of “Delayed Delete”: when a user is deleted, instead of deleting the record immediately, OIM disables the user for a specific time. The user can be enabled again during that time (if required). To configure delayed delete in Oracle Identity Manager, we must define the “Period to Delay User Delete” configuration property, which specifies the predefined wait period, in days, for which the delete operation is held. If we do not want to configure delayed delete, we need to set the value of the Period to Delay User Delete configuration property to 0 or a negative number.
OIM automatically runs a scheduled job named “Delayed Delete User” every day to determine which users should be deleted; ideally, any disabled user should be deleted after the delay period expires. If this job is in the disabled state, you need to enable it.
Now the question is: how does the job differentiate between a disabled user and a purposely disabled user? (See requirements b and c above.)
a) There is a column in the USR table: USR_AUTOMATICALLY_DELETE_ON. The scheduled job “Delayed Delete User” deletes all users whose USR_AUTOMATICALLY_DELETE_ON date is in the past. If the job is scheduled daily, it will delete all users who have USR_AUTOMATICALLY_DELETE_ON < SYSDATE.
b) When we delete a user and the UserDeleteDelayPeriod system parameter is set to 365 days, OIM changes the status of the user to DISABLED and sets USR_AUTOMATICALLY_DELETE_ON = SYSDATE + 365. When the scheduled job runs after 365 days, it deletes this user.
c) When we purposely DISABLE a user, OIM changes the status of the user to DISABLED but does not populate any value in USR_AUTOMATICALLY_DELETE_ON. Hence, even when the scheduled job runs, it will not delete purposely DISABLED users.
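To check this behavior before relying on the job, the following read-only query classifies every disabled user by the state of USR_AUTOMATICALLY_DELETE_ON. It is an added example, not part of the original post or of Oracle's own code. It assumes the USR_KEY, USR_LOGIN and USR_STATUS columns and the 'Disabled' status literal, none of which appear in the post.

```sql
-- Added example: read-only audit of disabled users in the OIM USR table.
-- Assumptions (not from the post): columns USR_KEY, USR_LOGIN, USR_STATUS
-- and the status literal 'Disabled'. Adjust to your schema if they differ.
SELECT usr_key,
       usr_login,
       usr_status,
       usr_automatically_delete_on,
       CASE
         -- Case c): purposely disabled, no delete date, the job skips it
         WHEN usr_automatically_delete_on IS NULL
           THEN 'PURPOSELY_DISABLED_KEPT'
         -- Case a): delete date already in the past, removed at next job run
         WHEN usr_automatically_delete_on < SYSDATE
           THEN 'DUE_AT_NEXT_JOB_RUN'
         -- Case b): deleted by an administrator, still inside the delay period
         ELSE 'PENDING_DELAYED_DELETE'
       END AS delete_state,
       -- Whole days left before the job becomes eligible to delete the user
       CASE
         WHEN usr_automatically_delete_on >= SYSDATE
           THEN CEIL(usr_automatically_delete_on - SYSDATE)
       END AS days_remaining
FROM   usr
WHERE  usr_status = 'Disabled'
ORDER  BY usr_automatically_delete_on NULLS LAST, usr_login;
```

Any account that shows a delete date but was only meant to be disabled should be re-enabled, as described above, before that date is reached.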
Hope it helps.