Activate and Deactivate Accounts

The default Identity Cloud configuration includes two scanning tasks that activate and deactivate a user’s accountStatus, based on their activeDate and inactiveDate. The tasks run once a day by default.

The activate task

The activate task has the following configuration:

{
  "enabled" : false,
  "type" : "simple",
  "repeatInterval" : 86400000,
  "persisted" : true,
  "concurrentExecution" : false,
  "invokeService" : "taskscanner",
  "invokeContext" : {
    "waitForCompletion" : false,
    "numberOfThreads" : 5,
    "scan" : {
      "_queryFilter" : "((/activeDate le \"${Time.nowWithOffset}\") AND (!(/inactiveDate pr) or /inactiveDate ge \"${Time.nowWithOffset}\"))",
      "object" : "managed/realm-name_user",
      "taskState" : {
        "started" : "/activateAccount/task-started",
        "completed" : "/activateAccount/task-completed"
      },
      "recovery" : {
        "timeout" : "10m"
      }
    },
    "task" : {
      "script" : {
        "type" : "text/javascript",
        "globals" : { },
        "source" : "var patch = [{ \"operation\" : \"replace\", \"field\" : \"/accountStatus\", \"value\" : \"active\" }];\n\nlogger.debug(\"Performing Activate Account Task on {} ({})\", input.mail, objectID);\n\nopenidm.patch(objectID, null, patch); true;"
      }
    }
  }
}

When this task is run, a user account is activated if both of the following are true:

  • Their activeDate is less than or equal to the value of Time.nowWithOffset.

  • Their inactiveDate is greater than or equal to the value of Time.nowWithOffset, or they do not have an inactiveDate set.

Time.nowWithOffset is the current time plus the UTC time offset for the user’s geographical region.

The expire task

The expire task has the following configuration:

{
  "enabled" : false,
  "type" : "simple",
  "repeatInterval" : 86400000,
  "persisted" : true,
  "concurrentExecution" : false,
  "invokeService" : "taskscanner",
  "invokeContext" : {
    "waitForCompletion" : false,
    "numberOfThreads" : 5,
    "scan" : {
      "_queryFilter" : "((/inactiveDate lt \"${Time.nowWithOffset}\") AND (!(/activeDate pr) or /activeDate le \"${Time.nowWithOffset}\"))",
      "object" : "managed/realm-name_user",
      "taskState" : {
        "started" : "/expireAccount/task-started",
        "completed" : "/expireAccount/task-completed"
      },
      "recovery" : {
        "timeout" : "10m"
      }
    },
    "task" : {
      "script" : {
        "type" : "text/javascript",
        "globals" : { },
        "source" : "var patch = [{ \"operation\" : \"replace\", \"field\" : \"/accountStatus\", \"value\" : \"inactive\" }];\n\nlogger.debug(\"Performing Expire Account Task on {} ({})\", input.mail, objectID);\n\nopenidm.patch(objectID, null, patch); true;"
      }
    }
  }
}

When this task is run, a user account is deactivated if both of the following are true:

  • Their inactiveDate (expiry date) is less than the value of Time.nowWithOffset.

  • Their activeDate is less than or equal to the value of Time.nowWithOffset, or they do not have an activeDate set.

Time.nowWithOffset is the current time plus the UTC time offset for the user’s geographical region.

Both tasks are disabled by default. To enable them, set "enabled" : true in the schedule configuration for each task.