During the cleanup phase of database maintenance, Identity Governance removes the following types of data from the operations database. Optionally, when you choose to start maintenance, you can select Advanced Cleanup Configuration to specify different numbers of retention days for each data entity type you want to clean up.
NOTE:The purge conditions for each data type can change if a new scenario occurs that determines that the conditions change.
Can be purged only when the request is complete, which includes one of the following states:
Request was denied approval
Request was declined fulfillment
Request was fulfilled and verified
Request was fulfilled and verification failed
Can be purged only when retention time is specified and facts are older than the specified retention time.
Can be purged at any time.
NOTE:The maintenance process does not clean up this data by default. To clean up this data, you must select this option in Advanced Cleanup Configuration.
Can be purged when the associated change request item is in a final fulfillment state. Final fulfillment states include:
Request refusal
Error fulfilling the request
Request verified
Request not verified and verification ignored
Verification timed out
NOTE:The maintenance process does not clean up this data by default. To clean up this data, you must select this option in Advanced Cleanup Configuration.
Can be purged if it:
Has been deleted or it is an old version of a business role
Is not referenced from any review definitions or review items
Is not referenced from any change request items
Can be purged when they are deleted. Business role authorizations are marked deleted when a business role detection removes them.
NOTE:The maintenance process does not clean up this data by default. To clean up this data, you must select this option in Advanced Cleanup Configuration.
Can be purged if the business role detection is not currently running, because detection either completed successfully, failed, or was canceled.
NOTE:The maintenance process does not clean up this data by default. To clean up this data, you must select this option in Advanced Cleanup Configuration.
Can be purged when they are deleted. Business role memberships are marked deleted when a business role detection removes them.
NOTE:The maintenance process does not clean up this data by default. To clean up this data, you must select this option in Advanced Cleanup Configuration.
Can be purged if it was deleted.
Can be purged if the category was deleted.
Can be purged if policy was deleted.
Can be purged if:
It is not currently running, and is in a canceled, failed, completed, or terminated state
Its data is not part of any snapshot (snapshots containing data from a collection must be purged first)
Can be purged if it was deleted.
Can be purged if it:
Is not scheduled for collection
Is not currently being collected or published
Was deleted
Is not part of a snapshot (snapshots containing data from data source must be purged first)
Additionally, when the data source is an application, it can be purged if the application:
Is not a parent of another application
Is not referenced by a business role
Has no permissions referenced by a technical role
Has no permissions referenced by a business role
Has no permissions referenced by a separation of duty (SoD) policy
Can be purged if the detection has been marked as deleted.
NOTE:The maintenance process does not clean up this data by default. To clean up this data, you must select this option in Advanced Cleanup Configuration.
Can be purged when the data production for the RTC batch (or RTC ingestion) is complete, failed with an error, or was canceled. Real time collection cannot be in progress.
NOTE:The maintenance process does not clean up this data by default. To clean up this data, you must select this option in Advanced Cleanup Configuration.
Can be purged if it is old, based on the timestamp. A remediation run will not be deleted if it is the only run for a policy remediation.
NOTE:The maintenance process does not clean up this data by default. To clean up this data, you must select this option in Advanced Cleanup Configuration.
Can be purged if:
The policy was deleted
No requests associated with the policy exist (requests associated with the policy must be purged first)
Can be purged if:
The policy was deleted
No requests associated with the policy exist (requests associated with the policy must be purged first)
Can be purged if it:
Was deleted
Is not referenced by a review instance (review instances must be purged first)
Is not referenced by a certification policy (certification policies must be purged first)
Is not referenced by a remediation from a certification or data policy
Can be purged if it:
Is not running, and was canceled, experienced an error, or completed certification
Is not referenced by a pending change request item action (is not in a final verified or error state)
NOTE:Materialized views, if any, are purged when review instances are purged.
Can be purged if it:
Is in the error, canceled, or completed state
Is in completed state, and there is another completed risk score status of the same entity type with a later start time
A separation of duties (SoD) detection is information associated with an SoD case that keeps track of the detection history for the SoD case. These detections are also purged if an SoD case itself is purged.
The SoD detection purge allows the detection history to be purged without having to purge the SoD case. SoD detection can be purged only if it is not the most recent detection for the SoD case.
NOTE:The maintenance process does not clean up this data by default. To clean up this data, you must select this option in Advanced Cleanup Configuration.
Can be purged if:
The case is closed
No change request items were made to resolve the case or, if there are change request items associated with the case, they are all in a final verified or error state and not still pending fulfillment
Can be purged if it:
Was deleted
Is not referenced in an SoD case (SoD cases should be purged first)
No access requests with potential SoD violations for the policy exist (Such access requests must be purged first)
Can be purged if it:
Is not the current snapshot of the Identity Governance catalog
Is not a precursor to another snapshot
Is not referenced by a review instance
No Separation of Duties violations exist for users or accounts in the snapshot
No technical roles exist that reference permissions in the snapshot
Can be purged if it:
Was deleted from the Identity Governance catalog
Is not referenced by a review instance
Is not referenced by an SoD policy
Is not referenced by a Review Definition
Is not referenced by a business role
Can be purged if the technical role assignment was deleted (unassigned).
Can be purged when fact tables are available in the schema, even after custom facts are unregistered from fact catalog.