Synchronizing users between the IBM BPM database and the user registry

Before a user's personal data can be deleted, their account must be deactivated by removing them from the user registry and then synchronizing the internal user data with the external user registry. Users that are assigned to the action policy roles ACTION_DELETE_USER_PERSONAL_DATA or ACTION_REFRESH_USER can use a REST API call to synchronize the internal user activation/deactivation status with the external registry. By default, IBM® BPM administrators are assigned to the ACTION_DELETE_USER_PERSONAL_DATA role. For information about how to modify the action policies that are contained in the BPMActionPolicy configuration object, see Configuration properties for Process Portal action policies.

To deactivate a user perform the following actions:

Remove the user from the user registry.
If you are using a federated repository, clear the user from the cache of the federated repository adapter as described in clearIdMgrUserFromCache command. This is not necessary if you are using a local operating system registry, standalone LDAP registry, or standalone custom registry.
Synchronize the IBM BPM database and the user registry by performing one of the following:
- Run the syncExistingUsers.[bat|sh] script, as described in Synchronizing users.
- Run the BPMSyncExistingUsersTask command with the parameter -userState, as described in Runtime user availability and lifecycle.
- Call the IBM BPM operations REST API POST https://host:port/ops/std/bpm/users/user_id/sync?sync_user_state=true will activate the user ID if it is present in the user registry or will deactivate the user ID if it is not in the user registry.For more information about the synchronize user API, see IBM BPM REST APIs programming.
  Important: The synchronize user API must be called with an HTTP header that contains a valid BPMCSRFToken, which is obtained as described in Preventing cross site request forgery.