
Cannot delete ITIM accounts

I am trying to delete the ITIM A/C created for a user; however, it doesn't let me delete it. An error is displayed: "following accounts cannot be deleted since they are governed by automatic provisioning policy".

Please let me know what is the reason for it and how to correct it.

The reason is that there is a Provisioning Policy defined in your environment with the following parameters:

  • One of the entitlements of the Provisioning Policy is an ITIM Account (possibly with some entitlement parameters)
  • The provisioning option for this entitlement is set to Automatic
  • The role membership of the provisioning policy either is a specific role that your user has or applies to all users in the organization.

What the above means is that there is a provisioning policy that says "All the users that have this role MUST have an ITIM account". This is why you cannot manually delete the ITIM Account for that person.

It's not about correcting, but rather about figuring out what you want to achieve there. You have several options but first you need to take a step back and understand the reason instead of just attempting to fix the symptom. Why should this user not have an ITIM Account?

If there is a role that gives him this account, you need to figure out which role that is and remove the role from the person. Then, the Provisioning Policy enforcement will remove the ITIM Account (oversimplifying here, assuming there are no other PPs that apply to the person and have an ITIM Account as entitlement).

If, on the other hand, the provisioning policy applies to everyone and you found out now that some of them should not have an account or that you should be able to remove accounts from them, you either need to make the provision option manual (this means everyone CAN have an account but they will need to request it or get it provisioned by someone/some process) or change the membership of the policy to a more exclusive role that contains only the persons who should have an ITIM Account.

EDIT

You would need to go a little bit back and try to understand the notions of Provisioning Policies in the context of ITIM and RBAC in general. This is not the place to analyze the topic :) However, shortly and for the question at hand:

  • The ITIM Account is not necessarily mapped 1:1 to every ITIM person. ITIM Persons are the entities that are managed by your Identity Management System (ITIM) and they might have ITIM accounts, that is, accounts on the ITIM Service that is predefined in ITIM.
  • The ITIM Account is the account that gives access to the ITIM Administrative console and the Self Service UI; not all persons need this/should have this.
  • The reason why, as you say, the user got an ITIM Account when you created the user is that there is a Provisioning Policy that has the ITIM Service as entitlement and is set to automatic. This says that all ITIM users MUST have an ITIM account. This is why you can't remove the ITIM account by itself, because it contradicts the Provisioning Policy that is in place.

The reason the account cannot be deleted is the automatic provisioning policy, which does not allow deleting the ITIM account. Change the provisioning policy from automatic to manual; only then will it allow deletion of accounts.
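
A simplified model of the behaviour both answers describe, added here as an illustration and not taken from the thread or from ITIM itself. The `Policy`, `Person`, `governing`, `enforce` and `delete_account` names are hypothetical, the data is constructed, and the model assumes enforcement corrects non-compliant accounts by removing them.

```python
from dataclasses import dataclass, field

ALL_USERS = "*"  # hypothetical marker: membership applies to everyone

@dataclass
class Policy:              # hypothetical model, not an ITIM API
    membership: str        # role name, or ALL_USERS
    service: str           # entitlement target, e.g. "ITIM"
    automatic: bool        # True = automatic, False = manual

@dataclass
class Person:
    name: str
    roles: set = field(default_factory=set)
    accounts: set = field(default_factory=set)

def governing(person, service, policies):
    """Policies whose membership and entitlement cover this person's account."""
    return [p for p in policies if p.service == service
            and (p.membership == ALL_USERS or p.membership in person.roles)]

def enforce(person, service, policies):
    """Automatic entitlement: account must exist. No entitlement: account removed."""
    applicable = governing(person, service, policies)
    if any(p.automatic for p in applicable):
        person.accounts.add(service)
    elif not applicable:  # assumption: enforcement corrects non-compliant accounts
        person.accounts.discard(service)

def delete_account(person, service, policies):
    """Manual delete; refused while an automatic policy governs the account."""
    if any(p.automatic for p in governing(person, service, policies)):
        return False
    person.accounts.discard(service)
    return True

def demo():
    policies = [Policy("Helpdesk", "ITIM", automatic=True)]  # constructed data
    user = Person("jdoe", roles={"Helpdesk"})
    enforce(user, "ITIM", policies)
    out = {"delete_while_automatic": delete_account(user, "ITIM", policies)}
    user.roles.discard("Helpdesk")     # remove the role, then re-evaluate
    enforce(user, "ITIM", policies)
    out["account_after_role_removed"] = "ITIM" in user.accounts
    other = Person("asmith", roles={"Helpdesk"})
    enforce(other, "ITIM", policies)
    policies[0].automatic = False      # provisioning option set to manual
    out["delete_after_manual"] = delete_account(other, "ITIM", policies)
    return out
```

Adding a second automatic policy with `ALL_USERS` membership keeps the account in place after the role is removed, which is the caveat the first answer mentions about other PPs.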
