
User deprovisioning

Info

This document describes the user deprovisioning process within the Helmholtz AAI. It does not cover deprovisioning procedures for individual services. For service-specific policies, please consult the respective service documentation or contact their helpdesk.

What is user deprovisioning

User deprovisioning is the process of removing specific usage permissions of a user, up to the removal of the whole account and all personal data. While revoking specific permissions may be reversible, the complete deletion of an account is permanent. If an account is deleted, a new account can only be created through a fresh registration.

Why do we need to deprovision users

There are several reasons for deprovisioning. Some of the reasons are:

  • Requirement by GDPR
  • Removal of accounts where the upstream identity no longer exists, as these can no longer be validated or used
  • Avoidance of data inconsistencies and maintenance of system efficiency
  • Fair sharing of resources among active users

How does user deprovisioning work

The Helmholtz AAI tries to perform the user deprovisioning workflow without bothering the user. For this reason it tries to check the user status at the upstream identity provider (IdP), e.g. the home organisation of the user. Technically, Attribute Queries (AQ) are used for this. Unfortunately, this is not always possible; in such cases, user interaction is required.

In the overall deprovisioning workflow, there are four distinct timeframes:

  • A: days before a new login or a check at the upstream IdP is needed
  • B: days until the account is disabled after the email notification was sent
  • C: days until the second email notification
  • D: days until the disabled account is removed completely

If the user did not log in during time frame A, the Helmholtz AAI tries to perform an AQ against the upstream IdP. Depending on the result, one of the following actions is triggered:

  • The upstream IdP serves the AQ and the user still exists: reset time frame A
  • The upstream IdP serves the AQ and the user does not exist: remove the user account
  • The upstream IdP is not reachable: retry on the next day; switch to user-interactive deprovisioning after three consecutive failures
  • The upstream IdP does not support AQs: switch to user-interactive deprovisioning

Each user login during time frame A resets the time frame.

If the automated check against the upstream IdP was not possible, the user-interactive deprovisioning starts: an email is sent to the user. This email informs the user that the account will be deleted at the end of time frame B and asks them to log in to keep the account. The email also explains why it was sent and why the automated flow was not possible. At the moment the email is sent, time frames B and C start. At the end of time frame C, a second email is sent to the user as a reminder of the upcoming account deletion. A login during these time frames cancels all further actions and resets time frame A.

If time frame B ends and the user still has not logged in, the account is disabled. From this moment, no login is possible anymore and the user must contact the helpdesk. Time frame D starts, and the user is deleted automatically at the end of this time frame.

Currently, the time frames on Helmholtz AAI are set to these values:

  • A: 365 days
  • B: 30 days
  • C: 15 days
  • D: 153 days

Overall, the account is fully removed after 1.5 years of inactivity, which covers most cases of long-term absence.

If the upstream IdP supports AQs, the account is not disabled or removed at all.
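The workflow above, as an added day-by-day simulation that is not part of the Helmholtz AAI software: day 0 is the last login, the four time frames default to the production values, and the AQ result per day is supplied by a callback. The state names, the callback, and the integer-day model are assumptions of this example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Iterable

class AQResult(Enum):
    USER_EXISTS = "exists"        # IdP answered: identity still valid
    USER_GONE = "gone"            # IdP answered: identity no longer exists
    UNREACHABLE = "unreachable"   # no answer: retried the next day
    UNSUPPORTED = "unsupported"   # IdP does not support attribute queries

@dataclass
class Frames:                     # production values from this page
    a: int = 365  # days without login before an upstream check is due
    b: int = 30   # days from first email until the account is disabled
    c: int = 15   # days from first email until the reminder email
    d: int = 153  # days from disabling until the account is removed

def run_deprovisioning(aq: Callable[[int], AQResult], logins: Iterable[int] = (),
                       frames: Frames = Frames(), horizon: int = 800) -> list[tuple[int, str]]:
    """Day 0 is the last login; returns (day, new status) for every status change."""
    logins, log = set(logins), []
    state, anchor, fails, marker = "active", 0, 0, 0  # marker: day B/C or D started
    for today in range(1, horizon + 1):
        if state != "disabled" and today in logins:   # a login resets time frame A
            state, anchor, fails = "active", today, 0
            continue
        if state == "active" and today - anchor >= frames.a:
            result = aq(today)
            if result is AQResult.USER_EXISTS:
                anchor, fails = today, 0              # time frame A starts again
            elif result is AQResult.USER_GONE:
                log.append((today, "removed")); break
            elif result is AQResult.UNREACHABLE:
                fails += 1                            # three in a row -> interactive flow
            if result is AQResult.UNSUPPORTED or fails >= 3:
                state, marker = "notified", today     # first email; B and C start
                log.append((today, "notified"))
        elif state == "notified":
            if today - marker == frames.c:
                log.append((today, "reminder"))       # second email
            if today - marker >= frames.b:
                state, marker = "disabled", today     # no login possible from here on
                log.append((today, "disabled"))
        elif state == "disabled" and today - marker >= frames.d:
            log.append((today, "removed")); break
    return log
```

With an IdP that does not support AQs, removal lands on day 548 (365 + 30 + 153), the 1.5 years stated above.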

User deprovisioning timeline

Notification of connected services

All status changes of an account are logged and collected. The log contains the user identifier and the new status. This information is distributed to the connected services once per week via the helpdesk system and the deprovisioning queue.

For the future, an automated system that informs the services directly, e.g. via the Helmholtz Cloud agent, is planned.

How can IdPs prepare

The IdP needs to configure attribute queries. The configured attribute queries can be tested at the development instance of Helmholtz ID. At this instance, the same user deprovisioning extension is running with much shorter timelines. The time frames at the development instance are:

  • Number of days before the attribute query is run: 7
  • Number of days until the account is disabled after the email notification: 7
  • Number of days after which a disabled account is deleted: 7

To test the configured attribute queries, perform the following steps:

  1. Log in at the development instance of Helmholtz ID
  2. Wait for seven days without logging in at this instance
  3. If no email was received, the first phase (A) is working correctly
  4. Log in after 14 further days and check that no new account is created

Need help?

Contact us if you need help.