Synchronizing users between the BPM database and the user registry
Before a user's personal data can be deleted,
their account must be deactivated by removing them from the user registry
and then synchronizing the internal user data with the external user
registry.
Users that are assigned to the action policy
roles
ACTION_DELETE_USER_PERSONAL_DATA or ACTION_REFRESH_USER can
use a REST API call to synchronize the internal user activation/deactivation
status with the external registry. By default, BPM administrators
are assigned to the ACTION_DELETE_USER_PERSONAL_DATA role.
For information about how to modify the action policies that are contained
in the BPMActionPolicy configuration object, see Configuration properties for action policies.
To deactivate a BPM user, perform the following actions:
- Remove the user from the user registry.
- If you are using a federated repository, clear the user from the cache of the federated repository adapter as described in clearIdMgrUserFromCache command. This is not necessary if you are using a local operating system registry, standalone LDAP registry, or standalone custom registry.
- Synchronize the BPM database and the user registry by performing one of the following:
  - Run the syncExistingUsers.[bat|sh] script, as described in Synchronizing users.
  - Run the BPMSyncExistingUsersTask command with the parameter -userState, as described in Runtime user availability and lifecycle.
  - Call the BPM operations REST API. POST https://host:port/ops/std/bpm/users/user_id/sync?sync_user_state=true will activate the user ID if it is present in the user registry, or will deactivate the user ID if it is not in the user registry. For more information about the synchronize user API, see Workflow REST API programming.
Important: The synchronize user API must be called with an HTTP header that contains a valid BPMCSRFToken, which is obtained as described in Preventing cross site request forgery.
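The REST call above, as an added example that is not part of the IBM documentation: a small Python client that calls the synchronize user API for a batch of user IDs and sends the required BPMCSRFToken header. The host, credentials, token value and the response body shape are assumptions; the token itself must be obtained as described in Preventing cross site request forgery.

```python
"""Added example (not IBM's code): batch-call the BPM operations sync API.
Assumed placeholders: base URL, user names, password and CSRF token value."""
import base64
import urllib.error
import urllib.request
from urllib.parse import quote


def build_sync_request(base_url, user_id, csrf_token, username, password):
    """Build POST {base_url}/ops/std/bpm/users/{user_id}/sync?sync_user_state=true.

    The BPMCSRFToken header is mandatory; without it the server rejects the call.
    HTTP header names are case-insensitive, so urllib's capitalisation is fine."""
    url = f"{base_url}/ops/std/bpm/users/{quote(user_id, safe='')}/sync?sync_user_state=true"
    creds = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(url, method="POST")
    req.add_header("BPMCSRFToken", csrf_token)
    req.add_header("Authorization", f"Basic {creds}")
    req.add_header("Accept", "application/json")
    return req


def sync_users(base_url, user_ids, csrf_token, username, password,
               opener=urllib.request.urlopen):
    """Synchronize each user's activation state with the user registry.

    Returns {user_id: (http_status, response_body)}. A 401/403 usually means the
    credentials are wrong, the CSRF token is missing or expired, or the caller
    lacks the ACTION_DELETE_USER_PERSONAL_DATA / ACTION_REFRESH_USER role.
    `opener` is injectable so the function can be exercised without a server."""
    results = {}
    for uid in user_ids:
        req = build_sync_request(base_url, uid, csrf_token, username, password)
        try:
            with opener(req) as resp:
                results[uid] = (resp.status, resp.read().decode())
        except urllib.error.HTTPError as err:
            results[uid] = (err.code, err.read().decode(errors="replace"))
    return results


if __name__ == "__main__":
    # Placeholder values; replace with a real host, admin credentials and token.
    out = sync_users("https://host:9443", ["jdoe"], "CSRF_TOKEN_PLACEHOLDER",
                     "bpmadmin", "PASSWORD_PLACEHOLDER")
    for uid, (status, body) in out.items():
        print(uid, status, body[:200])
```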