Delete Shadow Users for Data Protection and Privacy Using APIs

Data privacy regulations or policies may require you to delete shadow user data, for example, when a user has left your organization. To delete shadow users using APIs, set up access to the API and then use the SCIM REST APIs to retrieve and delete the users.

The security administrator must have the following scopes:

  • xs_user.read

  • xs_user.write

Context

Note:

When handling personal data, consider the legislation in the various countries and regions where your organization operates. After the data has passed the end of purpose, regulations might require you to delete the data. For more information on data protection and privacy, see the related link.

The User Account and Authentication service stores user-related data records in the form of shadow users. The UAA uses the information of the shadow users to issue tokens that refer to the specific user. If automatic shadow user creation is enabled, the UAA creates the shadow users when the user authenticates. Otherwise, the UAA creates the shadow user as soon as you assign the user a role collection. These conditions apply to platform users and business users. For more information about shadow users, see the Cloud Foundry documentation.

Note:

Administrators can also delete users using the SAP BTP cockpit. For more information, see Delete Users.

Procedure

  1. Enable API access to your subaccount.

    For more information, see Get Access to the APIs.

  2. Use the GET method for the User Management (SCIM) API of the SAP Authorization and Trust Management service to get a list of users.

    For more information about the User Management (SCIM) API, see https://api.sap.com/package/authtrustmgmnt on SAP Business Accelerator Hub.

    The API returns the list of users in JSON format.

  3. Use your own tools to sort and identify the users in the JSON response to delete.

    Recommendation:

    Users who have left your organization haven't logged on recently. Use the lastLogonTime parameter to find users who haven't logged on in the last 180 days. The lastLogonTime parameter is in UNIX time.

    The last logon time you filter for varies from situation to situation. The filter value must meet the following requirements:

    • Be long enough that the filter doesn't catch users who are simply on vacation or don't work regularly in the system.

    • Not be so long that the filter no longer meets your data protection and privacy requirements.

    Account for users on parental leave or on a longer leave of absence, too.

    Caution:

    You can't undo the deletion of a user. When you delete a user, you delete any direct assignments of role collections to that user. You also potentially invalidate any application referencing that user.

    For example, an application saves some data relating to a user. When you delete the user, that data points to an ID that no longer exists. You can recreate the user, but the new user has a different ID, even though other attributes, such as e-mail, first name, and last name, are identical.

  4. Use the DELETE method and the list of user IDs to delete the shadow users one at a time.

    For each user, call the Users endpoint with the delete method and include the user ID in the path. For example:

    ```bash
    curl --location --request DELETE 'https://api.authentication.eu20.hana.ondemand.com/Users/a0a67e6f-c4b5-41e5-b871-6fa181d46599' \
    --header 'Content-Type: application/x-www-form-urlencoded' \
    --header 'Accept: application/json' \
    --header 'Authorization: bearer eyJqdGkiOiJmZmZl…'
    ```

    For more information about the User Management (SCIM) API, see https://api.sap.com/package/authtrustmgmnt on SAP Business Accelerator Hub.
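    The following is an added example for steps 3 and 4, not code from the SAP documentation: it takes a SCIM list response, splits users into candidates that are past the idle threshold and users with no lastLogonTime at all (which need manual review rather than silent deletion), honours an exemption list for long leaves, and describes the per-user DELETE call without sending it. The response is a constructed sample; the field names follow the SCIM list shape (`resources`, `id`, `userName`, `lastLogonTime`), and lastLogonTime is assumed to be epoch milliseconds as UAA reports it, with plain seconds also accepted.

    ```python
    import json
    from datetime import datetime, timedelta, timezone
    from urllib.parse import quote

    # Constructed sample shaped like a SCIM /Users list response (not real data).
    SAMPLE_RESPONSE = json.dumps({
        "resources": [
            {"id": "u-1", "userName": "alice@example.com", "lastLogonTime": 1717200000000},
            {"id": "u-2", "userName": "bob@example.com", "lastLogonTime": 1700000000000},
            {"id": "u-3", "userName": "carol@example.com"},
            {"id": "u-4", "userName": "dave@example.com", "lastLogonTime": 1690000000},
        ],
    })

    def logon_datetime(unix_value):
        """Convert lastLogonTime to an aware UTC datetime. Assumption: UAA reports
        epoch milliseconds; a value below 10**11 is treated as plain seconds."""
        seconds = unix_value / 1000 if unix_value > 10**11 else unix_value
        return datetime.fromtimestamp(seconds, tz=timezone.utc)

    def find_stale_users(response_json, now, max_idle_days=180, exempt=frozenset()):
        """Return (stale_ids, never_logged_on_ids). Users whose userName is in
        `exempt` (e.g. parental leave) are skipped; users without lastLogonTime
        are listed separately for manual review, never auto-selected."""
        data = json.loads(response_json)
        users = data.get("resources") or data.get("Resources") or []
        cutoff = now - timedelta(days=max_idle_days)
        stale, never = [], []
        for user in users:
            if user.get("userName") in exempt:
                continue
            last = user.get("lastLogonTime")
            if last is None:
                never.append(user["id"])
            elif logon_datetime(last) < cutoff:
                stale.append(user["id"])
        return stale, never

    def build_delete_request(base_url, user_id, token):
        """Describe the step-4 DELETE call for one user without sending it, so the
        candidate list can be reviewed before the irreversible deletion runs."""
        return {
            "method": "DELETE",
            "url": f"{base_url.rstrip('/')}/Users/{quote(user_id, safe='')}",
            "headers": {"Accept": "application/json", "Authorization": f"bearer {token}"},
        }
    ```

    Run find_stale_users over the real GET response with datetime.now(timezone.utc), review both lists, and only then issue the DELETE requests one at a time.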

Related Information

Data Protection and Privacy

https://docs.cloudfoundry.org/uaa/uaa-concepts.html#%23shadow

Switch Off Automatic Creation of Shadow Users

Delete Shadow Users for Data Protection and Privacy Using the Cockpit