When it comes to provisioning identities with SAP Cloud Identity Services, unintentional or accidental mass deletion of users or groups could be quite disruptive and frustrating.
The good news is that it is preventable. All you need to do is add the standard property ips.delete.threshold.users (or ips.delete.threshold.groups for groups) to your target system configuration before running a provisioning job (read or resync). And that’s pretty much it for using this optional but highly recommended property.
It will help you in various cases like:
Remember: To be on the safe side, always configure the threshold property in your target systems.
This is how it works: You define a threshold to control the number of entities to be deleted. If this number is lower than or equal to the threshold value, Identity Provisioning continues with the deletion. If the number is greater than the threshold value, the service does not delete anything. The entities are marked as failed in the job statistics and you get an error explaining that users or groups cannot be deleted because the threshold is exceeded.
What’s the proper value for the threshold? You must consider the amount of data you provision and decide on a number that works for you. For more information, see List of Properties.
Proceed as follows:
As a result of changing the filter value, all 10 existing users in Identity Authentication are deleted and a new one matching the new filter is created. Again, the screenshot below shows one more user - the tenant administrator.
This is what happens if we use the same configuration as in scenario 1 above and add the threshold property.
Proceed as follows:
As a result, one user matching the new filter is created and 10 users matching the changed filter are marked as failed and not deleted. The screenshot below shows 12 users (one newly created user, 10 failed users and one tenant administrator).
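The two scenarios above can be reproduced with a small model of the threshold rule. This is an added example, not SAP code: the function `run_job`, the user IDs, the threshold values 5 and 10, and the error wording are all constructed for illustration, and the tenant administrator is left out because the job does not manage that account.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class JobResult:
    created: set = field(default_factory=set)
    deleted: set = field(default_factory=set)
    failed: set = field(default_factory=set)   # deletions blocked by the threshold
    error: Optional[str] = None                # constructed wording, not SAP's text

def run_job(source_users, target_users, threshold=None):
    """Simplified model of one read/resync job (hypothetical helper).

    source_users: IDs read from the source after the filter is applied.
    target_users: IDs previously provisioned to the target system.
    threshold:    value of ips.delete.threshold.users, or None if not set.
    Returns (JobResult, set of users in the target after the job).
    """
    source, target = set(source_users), set(target_users)
    result = JobResult(created=source - target)
    to_delete = target - source
    if threshold is not None and len(to_delete) > threshold:
        # Greater than the threshold: nothing is deleted, every entity fails.
        result.failed = to_delete
        result.error = (f"{len(to_delete)} users cannot be deleted: "
                        f"threshold {threshold} exceeded")
        remaining = target
    else:
        # Lower than or equal to the threshold, or no threshold set: delete.
        result.deleted = to_delete
        remaining = target - to_delete
    return result, remaining | result.created

# Constructed data mirroring the scenarios: 10 provisioned users, then the
# filter is changed so that only one different user matches.
EXISTING = {f"user{i:02d}" for i in range(1, 11)}
NEW_FILTER_MATCH = {"user11"}

if __name__ == "__main__":
    for thr in (None, 5, 10):   # constructed threshold values
        res, after = run_job(NEW_FILTER_MATCH, EXISTING, threshold=thr)
        print(f"threshold={thr}: created={len(res.created)} "
              f"deleted={len(res.deleted)} failed={len(res.failed)} "
              f"users_after={len(after)}")
```

With a threshold of 10 the deletion still goes through, because the rule blocks only counts strictly greater than the threshold, so the value has to be chosen below the size of a deletion you would consider accidental.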
Remember: Whenever you get an error telling you that entities cannot be deleted because the defined threshold is exceeded, take it as a warning that these entities are most probably not meant to be deleted and something went wrong.
Always configure thresholds in your target systems because the effort to fix issues later is incomparable to the effort of adding a single property in the Identity Provisioning UI.
As in life, prevention is better than cure.