During the cleanup phase of database maintenance, Identity Governance removes the following types of data from the operations database.
Can be purged when there are no access requests that reference the approval policy and the policy is deleted.
Can be purged when there are no access requests that reference the policy and the policy is deleted.
Can be purged only when the request is complete, which includes one of the following states:
Request was denied approval
Request was declined fulfillment
Request was fulfilled and verified
Request was fulfilled and verification failed
Can be purged only when retention time is specified and facts are older than the specified retention time.
Can be purged if it:
Has been deleted or it is an old version of a business role
Is not referenced from any review definitions or review items
Is not referenced from any change request items
Can be purged if it was deleted.
Can be purged if the category was deleted.
Can be purged if the policy was deleted.
Can be purged if the violation was resolved.
Can be purged if:
It is not currently running, and is in a canceled, failed, completed, or terminated state
Its data is not part of any snapshot (snapshots containing data from a collection must be purged first)
Can be purged if it was deleted.
Can be purged if the violation was resolved.
Can be purged if it:
Is not scheduled for collection
Is not currently being collected or published
Was deleted
Is not part of a snapshot (snapshots containing data from the data source must be purged first)
Additionally, when the data source is an application, it can be purged if the application:
Is not a parent of another application
Is not referenced by a business role
Has no permissions referenced by a technical role
Has no permissions referenced by a business role
Has no permissions referenced by a separation of duty (SoD) policy
Can be purged if:
The policy was deleted
No requests associated with the policy exist (requests associated with the policy must be purged first)
Can be purged if:
The policy was deleted
No requests associated with the policy exist (requests associated with the policy must be purged first)
Can be purged if it:
Was deleted
Is not referenced by a review instance (review instances must be purged first)
Is not referenced by a certification policy (certification policies must be purged first)
Is not referenced by a remediation from a certification or data policy
Can be purged if it:
Is not running, and was canceled, experienced an error, or completed certification
Is not referenced by a pending change request item action (is not in a final verified or error state)
NOTE: Materialized views, if any, are purged when review instances are purged.
Can be purged if it:
Is in the error, canceled, or completed state
Is in completed state, and there is another completed risk score status of the same entity type with a later start time
Can be purged if:
The case is closed
No change request items were made to resolve the case or, if there are change request items associated with the case, they are all in a final verified or error state and not still pending fulfillment
Can be purged if it:
Was deleted
Is not referenced in an SoD case (SoD cases should be purged first)
No access requests with potential SoD violations for the policy exist (such access requests must be purged first)
Can be purged if it:
Is not the current snapshot of the Identity Governance catalog
Is not a precursor to another snapshot
Is not referenced by a review instance
No Separation of Duties violations exist for users or accounts in the snapshot
No technical roles exist that reference permissions in the snapshot
Can be purged if it:
Was deleted from the Identity Governance catalog
Is not referenced by a review instance
Is not referenced by an SoD policy
Is not referenced by a Review Definition
Is not referenced by a business role
Can be purged if the technical role assignment was deleted (unassigned).
Can be purged when fact tables are available in the schema, even after custom facts are unregistered from fact catalog.
NOTE: The purge conditions for a data type can change when a new scenario shows that the conditions need to change.
For a few entity types, the data is not cleaned up by default. To clean up that data, access Advanced cleanup options > show, then select the entity type or specific instances to clean up. For more information on cleaning up specific data, see Section 12.3.1, Cleaning up Purgeable Data.
Can be purged when the account record is marked as history and resides in the special history container.
Can be purged when the account upload data production is complete and the container that contains the entities created during the upload is not a part of the current snapshot.
Can be purged at any time.
Can be purged when the associated change request item is in a final fulfillment state. Final fulfillment states include:
Request refusal
Error fulfilling the request
Request verified
Request not verified and verification ignored
Verification timed out
Can be purged when they are deleted. Business role authorizations are marked deleted when a business role detection removes them.
Can be purged if the business role detection is not currently running, because detection either completed successfully, failed, or was canceled.
Can be purged when they are deleted. Business role memberships are marked deleted when a business role detection removes them.
There are three types of data production that can be purged:
Can be purged if:
Collection is not running
Version column is not previous or current
Publish change production does not reference the collection (publish changes production including child production associated with the collection must be purged first)
Entity container does not have entities that reference the collection or any of its child data collections
Can be purged if the publish all production is not running for an application and the entity container does not have entities that reference the production. However, snapshots containing the publication must be purged first.
Can be purged if:
The publish changes production is not running for an application
The entity container does not have entities that reference the production
The publish changes production is not the latest that is run for the application. The latest production is retained.
Can be purged if the detection has been marked as deleted.
Can be purged at any time.
Can be purged when the permission record is marked as history and resides in the special history container.
Can be purged when the permission upload data production is complete and the container that contains the entities created during the upload is not part of the current snapshot.
Can be purged when the data production for the RTC batch (or RTC ingestion) is complete, failed with an error, or was canceled. Real time collection cannot be in progress.
Can be purged if it is old, based on the timestamp. A remediation/action process will not be deleted if it is the only run for a policy remediation.
A separation of duties (SoD) detection is information associated with an SoD case that keeps track of the detection history for the SoD case. These detections are also purged if an SoD case itself is purged.
The SoD detection purge allows the detection history to be purged without having to purge the SoD case. SoD detection can be purged only if it is not the most recent detection for the SoD case.
Can be purged when the user record is marked as history and resides in the special history container.
Can be purged if the user upload data production is complete and the container that contains the entities created during the upload is not part of the current snapshot.
Can be purged at any time. The merged histories are purged based on the Merge Event Time.
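Several conditions above say that another kind of data "must be purged first". The following added example (not part of the product or its documentation) turns those statements into a dependency graph and derives a safe purge order. The entity labels are assumptions read from the wording of each condition, and only conditions whose entity can be identified from that wording are included.

```python
from graphlib import TopologicalSorter

# Key = data to purge; value = data the conditions say "must be purged first".
# Labels are assumptions taken from the wording of each condition, not
# identifiers used by Identity Governance.
PURGE_FIRST = {
    "collection": {"snapshot"},
    "data source": {"snapshot"},
    "policy": {"request"},
    "SoD policy": {"SoD case", "access request"},
    "collection production": {"publish changes production"},
    "publish all production": {"snapshot"},
}


def purge_order(selected, constraints=PURGE_FIRST):
    """Return an order that purges every prerequisite before its dependent.

    Prerequisites that were not selected are pulled in automatically,
    because the dependent cannot be purged while they still exist.
    """
    needed, stack = set(), list(selected)
    while stack:
        entity = stack.pop()
        if entity not in needed:
            needed.add(entity)
            stack.extend(constraints.get(entity, ()))
    # Sorted nodes and predecessors keep the result stable between runs.
    graph = {e: sorted(constraints.get(e, set()) & needed)
             for e in sorted(needed)}
    # static_order() raises graphlib.CycleError if constraints contradict.
    return list(TopologicalSorter(graph).static_order())


if __name__ == "__main__":
    for step, entity in enumerate(purge_order(["SoD policy", "collection"]), 1):
        print(step, entity)
```

An order produced this way satisfies only the sequencing constraints; each item must still meet its own purge conditions (deleted, not running, not referenced) before cleanup removes it.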