13.5 Identifying Purgeable Data

During the cleanup phase of database maintenance, Identity Governance removes the following types of data from the operations database. Optionally, when you choose to start maintenance, you can select Advanced Cleanup Configuration to specify different numbers of retention days for each data entity type you want to clean up.

NOTE: The purge conditions for a data type can change if a new scenario arises that requires different conditions.

Access request

Can be purged only when the request is complete, which means it is in one of the following states:

  • Request was denied approval

  • Request was declined fulfillment

  • Request was fulfilled and verified

  • Request was fulfilled and verification failed

Analytical facts

Can be purged only when retention time is specified and facts are older than the specified retention time.

Application history

Can be purged at any time.

NOTE: The maintenance process does not clean up this data by default. To clean up this data, you must select this option in Advanced Cleanup Configuration.

Auto fulfillment request

Can be purged when the associated change request item is in a final fulfillment state. Final fulfillment states include:

  • Request refusal

  • Error fulfilling the request

  • Request verified

  • Request not verified and verification ignored

  • Verification timed out

NOTE: The maintenance process does not clean up this data by default. To clean up this data, you must select this option in Advanced Cleanup Configuration.

Business role

Can be purged if it:

  • Has been deleted or it is an old version of a business role

  • Is not referenced from any review definitions or review items

  • Is not referenced from any change request items

Business role authorization

Can be purged when it is deleted. A business role authorization is marked deleted when a business role detection removes it.

NOTE: The maintenance process does not clean up this data by default. To clean up this data, you must select this option in Advanced Cleanup Configuration.

Business role detection

Can be purged if the business role detection is not currently running, that is, the detection completed successfully, failed, or was canceled.

NOTE: The maintenance process does not clean up this data by default. To clean up this data, you must select this option in Advanced Cleanup Configuration.

Business role membership

Can be purged when it is deleted. A business role membership is marked deleted when a business role detection removes it.

NOTE: The maintenance process does not clean up this data by default. To clean up this data, you must select this option in Advanced Cleanup Configuration.

Bulk data update definition

Can be purged if it was deleted.

Category

Can be purged if the category was deleted.

Certification policy

Can be purged if the policy was deleted.

Collection

Can be purged if:

  • It is not currently running, and is in a canceled, failed, completed, or terminated state

  • Its data is not part of any snapshot (snapshots containing data from a collection must be purged first)

Data policy

Can be purged if it was deleted.

Data source

Can be purged if it:

  • Is not scheduled for collection

  • Is not currently being collected or published

  • Was deleted

  • Is not part of a snapshot (snapshots containing data from the data source must be purged first)

Additionally, when the data source is an application, it can be purged if the application:

  • Is not a parent of another application

  • Is not referenced by a business role

  • Has no permissions referenced by a technical role

  • Has no permissions referenced by a business role

  • Has no permissions referenced by a separation of duty (SoD) policy

Inconsistency detection

Can be purged if the detection has been marked as deleted.

NOTE: The maintenance process does not clean up this data by default. To clean up this data, you must select this option in Advanced Cleanup Configuration.

RTC (Real Time Collection) batch

Can be purged when the data production for the RTC batch (or RTC ingestion) is complete, failed with an error, or was canceled. The real time collection must not be in progress.

NOTE: The maintenance process does not clean up this data by default. To clean up this data, you must select this option in Advanced Cleanup Configuration.

Remediation run

Can be purged if it is old, based on the timestamp. A remediation run will not be deleted if it is the only run for a policy remediation.

NOTE: The maintenance process does not clean up this data by default. To clean up this data, you must select this option in Advanced Cleanup Configuration.

Request approval policy

Can be purged if:

  • The policy was deleted

  • No requests associated with the policy exist (requests associated with the policy must be purged first)

Request policy

Can be purged if:

  • The policy was deleted

  • No requests associated with the policy exist (requests associated with the policy must be purged first)

Review definition

Can be purged if it:

  • Was deleted

  • Is not referenced by a review instance (review instances must be purged first)

  • Is not referenced by a certification policy (certification policies must be purged first)

  • Is not referenced by a remediation from a certification or data policy

Review instance

Can be purged if it:

  • Is not running, and was canceled, experienced an error, or completed certification

  • Is not referenced by a pending change request item action (that is, one that is not yet in a final verified or error state)

NOTE: Materialized views, if any, are purged when review instances are purged.

Risk score status

Can be purged if it:

  • Is in the error, canceled, or completed state

  • Is in completed state, and there is another completed risk score status of the same entity type with a later start time

Separation of Duties detection

A separation of duties (SoD) detection is information associated with an SoD case that keeps track of the detection history for the SoD case. These detections are also purged if an SoD case itself is purged.

The SoD detection purge allows the detection history to be purged without having to purge the SoD case. SoD detection can be purged only if it is not the most recent detection for the SoD case.

NOTE: The maintenance process does not clean up this data by default. To clean up this data, you must select this option in Advanced Cleanup Configuration.

Separation of Duties case

Can be purged if:

  • The case is closed

  • No change request items were made to resolve the case, or all change request items associated with the case are in a final verified or error state and none is still pending fulfillment

Separation of Duties policy

Can be purged if it:

  • Was deleted

  • Is not referenced in an SoD case (SoD cases should be purged first)

  • Has no access requests with potential SoD violations for the policy (such access requests must be purged first)

Snapshot

Can be purged if it:

  • Is not the current snapshot of the Identity Governance catalog

  • Is not a precursor to another snapshot

  • Is not referenced by a review instance

  • Has no Separation of Duties violations for users or accounts in the snapshot

  • Contains no permissions that are referenced by a technical role

Technical role

Can be purged if it:

  • Was deleted from the Identity Governance catalog

  • Is not referenced by a review instance

  • Is not referenced by an SoD policy

  • Is not referenced by a Review Definition

  • Is not referenced by a business role

Technical role assignment

Can be purged if the technical role assignment was deleted (unassigned).

Unregistered facts

Can be purged when the fact tables are still present in the schema, even after the custom facts have been unregistered from the fact catalog.
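Several of the conditions above are ordering constraints ("snapshots must be purged first", "review instances must be purged first", "requests associated with the policy must be purged first"), so a single cleanup pass can leave entities behind that become purgeable only after their dependants are gone. The planner below is an added example, not Identity Governance code: it encodes a subset of the rules for access requests, collections, snapshots, review instances and request policies as data, then purges in passes until nothing else qualifies. The Entity model, the kind and state labels, the sample graph and the change request item rule (the page lists none) are this example's own assumptions.

```python
from dataclasses import dataclass

@dataclass
class Entity:
    kind: str
    id: str
    state: str                      # this example's own label for the entity's state
    refs: frozenset = frozenset()   # ids of the entities this one references

# kind -> (states in which the entity itself is purgeable, kinds whose still-live references block it)
RULES = {
    "access_request":      ({"denied", "declined", "verified", "verification_failed"}, set()),
    "change_request_item": ({"verified", "error"}, set()),  # assumption: the page gives no rule
    "collection":          ({"canceled", "failed", "completed", "terminated"}, {"snapshot"}),
    "snapshot":            ({"historical"}, {"snapshot", "review_instance", "technical_role"}),
    "review_instance":     ({"canceled", "error", "completed"}, {"change_request_item"}),
    "request_policy":      ({"deleted"}, {"access_request"}),
}

def eligible(entity, live):
    """True when the entity is in a final state and no live entity of a blocking kind refers to it."""
    states, blocking = RULES.get(entity.kind, (set(), set()))   # kinds without a rule never purge
    if entity.state not in states:
        return False
    return not any(o.kind in blocking and entity.id in o.refs for o in live.values())

def plan_purge(entities):
    """Purge in passes until a fixpoint; returns (passes, ids that must be retained)."""
    live = {e.id: e for e in entities}
    passes = []
    while True:
        batch = sorted(e.id for e in live.values() if eligible(e, live))
        if not batch:
            return passes, sorted(live)
        passes.append(batch)
        for i in batch:
            del live[i]            # dependants leave before the entities they reference

SAMPLE = [  # constructed sample graph, not data from a real deployment
    Entity("collection", "coll-1", "completed"),
    Entity("snapshot", "snap-1", "historical", frozenset({"coll-1"})),
    Entity("snapshot", "snap-2", "current"),                      # current catalog snapshot
    Entity("review_instance", "rev-1", "completed", frozenset({"snap-1"})),
    Entity("change_request_item", "cri-1", "verified", frozenset({"rev-1"})),
    Entity("access_request", "req-1", "verified", frozenset({"pol-1"})),
    Entity("request_policy", "pol-1", "deleted"),
    Entity("request_policy", "pol-2", "deleted"),
    Entity("access_request", "req-2", "pending", frozenset({"pol-2"})),  # still open
]
```

On the sample graph the planner needs four passes to reach the collection (change request item and request first, then review instance and policy, then snapshot, then collection), while the current snapshot and the policy with an open request are reported as retained.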