Synchronizing users between the IBM BPM database and the user registry
Before a user's personal data can be deleted,
their account must be deactivated by removing them from the user registry
and then synchronizing the internal user data with the external user
registry.
Users that are assigned to the action policy
roles ACTION_DELETE_USER_PERSONAL_DATA or ACTION_REFRESH_USER can
use a REST API call to synchronize the internal user activation/deactivation
status with the external registry. By default, IBM® BPM administrators
are assigned to the ACTION_DELETE_USER_PERSONAL_DATA role.
For information about how to modify the action policies that are contained
in the BPMActionPolicy configuration object, see Configuration properties for Process Portal action policies.
To deactivate a user, perform the following actions:
- Remove the user from the user registry.
- If you are using a federated repository, clear the user from the cache of the federated repository adapter as described in clearIdMgrUserFromCache command. This is not necessary if you are using a local operating system registry, standalone LDAP registry, or standalone custom registry.
- Synchronize the IBM BPM database and the user registry by performing one of the following:
  - Run the syncExistingUsers.[bat|sh] script, as described in Synchronizing users.
  - Run the BPMSyncExistingUsersTask command with the parameter -userState, as described in Runtime user availability and lifecycle.
  - Call the IBM BPM operations REST API: POST https://host:port/ops/std/bpm/users/user_id/sync?sync_user_state=true. The call activates the user ID if it is present in the user registry, or deactivates the user ID if it is not in the user registry. For more information about the synchronize user API, see IBM BPM REST APIs programming.
    Important: The synchronize user API must be called with an HTTP header that contains a valid BPMCSRFToken, which is obtained as described in Preventing cross site request forgery.
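The REST option above, as an added example that is not part of the IBM documentation: a Python helper that builds (but does not send) the synchronize request with the BPMCSRFToken header set and the user ID percent-encoded into the path. The function name, the sample host and the token value are assumptions; the token must be obtained as described in Preventing cross site request forgery, and the caller attaches authentication when sending.

```python
from urllib.parse import quote, urlsplit
from urllib.request import Request


def build_sync_request(base_url, user_id, csrf_token):
    """Return an unsent POST request for the user-state synchronization call.

    base_url   -- https://host:port of the IBM BPM server (caller-supplied)
    user_id    -- ID of the user that was removed from (or added to) the registry
    csrf_token -- valid BPMCSRFToken value, obtained separately
    """
    parts = urlsplit(base_url)
    # Refuse plain HTTP so the token and credentials are never sent in clear.
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("base_url must have the form https://host:port")
    if not user_id or not csrf_token:
        raise ValueError("user_id and csrf_token are required")
    # Block header injection through a token value containing line breaks.
    if "\r" in csrf_token or "\n" in csrf_token:
        raise ValueError("csrf_token must not contain line breaks")

    # Encode every reserved character (including '/') so a user ID can never
    # alter the path or the query string of the request.
    path = "/ops/std/bpm/users/" + quote(user_id, safe="") + "/sync"
    url = "https://" + parts.netloc + path + "?sync_user_state=true"

    request = Request(url, data=b"", method="POST")
    # urllib stores the header name as "Bpmcsrftoken"; HTTP header names are
    # case-insensitive, so the server still sees the BPMCSRFToken header.
    request.add_header("BPMCSRFToken", csrf_token)
    return request


if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    req = build_sync_request("https://bpm.example.com:9443",
                             "jane doe/ops", "SAMPLE-TOKEN")
    print(req.get_method(), req.full_url)
    print(req.header_items())
```

Send the returned request with an opener that carries your administrator authentication; the response format is not described on this page, so the helper does not parse it.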