Schedule a Cleanup Job

The scheduled cleanup job repairs or deletes references to unresolvable users and user groups in the internal database. Unresolvable users are users whose designated identity source no longer contains any record of the user. When a user is moved to another identity within the same LDAP directory, the cleanup job repairs the references.

Procedure

  1. In the Security Console, click Setup > Identity Sources > Schedule Cleanup.

  2. To schedule the cleanup job to run, under Cleanup Status, select Enable scheduled cleanup of unresolvable users and user groups from linked identity sources, and all users and user groups from unlinked identity sources. By default, this checkbox is cleared, and the field is disabled.

    If you disable a cleanup that you have configured, the next time that you access this page, all of the fields are reset to the default values and all of the configuration changes that you made previously are lost.

  3. In the Cleanup Limit field, do one of the following:

    • Leave the default.

      By default, this field is enabled and the limit is 50 users. The limit must be a positive number greater than zero. The cleanup is canceled when more than the specified number of unresolvable or unlinked user references are found. The limit helps avoid accidentally disassociating a large number of users from their authentication and authorization data if changes are made to these users directly in their identity source.

    • If you want to clean up all unresolvable users and user groups, clear the Cleanup Limit checkbox.

      Note: Before you delete an identity source that is unlinked, clear this checkbox when you run the cleanup.

  4. In the Grace Period field, do one of the following:

    • Leave the default.

      By default, this field is enabled and set to seven days. This value must be a positive number greater than zero. This field is ignored for unlinked identity sources. Only users who have been unresolvable for more than the specified number of days are cleaned. This field helps prevent the cleanup of users who may have been mistakenly removed from the directory or moved to an OU outside the scope of the identity source, and it gives you an opportunity to take corrective action before the cleanup.

    • If you want to clean users immediately when they are found to be unresolvable, clear the Grace Period checkbox.

      Note: The Grace Period does not apply to user groups. User groups are deleted immediately after they are found to be unresolvable.

  5. If the Cleanup Limit is exceeded and the cleanup is canceled, run the Users and User Groups Missing From Identity Source report to determine which users you need to clean up. After viewing the report, you can specify a limit that allows the cleanup to run successfully or perform a manual cleanup. For more information, see View a Report Template.

    Note: When you use Schedule Cleanup before deleting an unlinked identity source, make sure you clear the Cleanup Limit checkbox so that no limit applies. Also clear this checkbox when you run this job after narrowing the scope of an identity source.

  6. Under Schedule, use the Start field to select the date you want the cleanup to run for the first time.

  7. Use the Frequency fields to select how often, and on which days, you want the cleanup to take place.

  8. Use the Run Time field to specify what time you want the cleanup to run.

  9. Use the Expire fields if you want the settings to expire on a specific date. If you do not select a date, the settings do not expire.

  10. When you are done scheduling cleanup, click Save.

After you finish

After cleaning up users who have been moved to a different identity source, you need to reestablish these users in Authentication Manager by assigning administrative roles and enabling them for authentication.
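
The following added example (not product code) models how the Cleanup Limit and Grace Period settings described in steps 3 and 4 interact, so you can reason about a planned change before enabling the job. The `Ref` record, the `plan_cleanup` function and the sample data are hypothetical and constructed for illustration. The model assumes the limit is compared against the number of user references found before the grace period is applied, and it covers deletion only, not the repair of moved users.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Ref:
    name: str
    kind: str               # "user" or "group"
    source_linked: bool     # False: the reference belongs to an unlinked identity source
    days_unresolvable: int  # days the reference has been unresolvable

def plan_cleanup(refs: List[Ref],
                 cleanup_limit: Optional[int] = 50,
                 grace_days: Optional[int] = 7) -> Tuple[str, List[str]]:
    """Return ("canceled", []) or ("ran", names_cleaned).

    Passing None for a setting models clearing its checkbox.
    """
    for value in (cleanup_limit, grace_days):
        if value is not None and value <= 0:
            raise ValueError("value must be a positive number greater than zero")

    # Assumption: the limit counts unresolvable or unlinked *user* references
    # found, before the grace period filter is applied.
    users_found = sum(1 for r in refs if r.kind == "user")
    if cleanup_limit is not None and users_found > cleanup_limit:
        return "canceled", []

    cleaned = []
    for r in refs:
        if r.kind == "group":
            cleaned.append(r.name)   # grace period does not apply to user groups
        elif not r.source_linked:
            cleaned.append(r.name)   # grace period is ignored for unlinked sources
        elif grace_days is None or r.days_unresolvable > grace_days:
            cleaned.append(r.name)   # unresolvable for more than the grace period
    return "ran", cleaned

# Constructed sample data, not taken from any real deployment.
SAMPLE = [
    Ref("alice", "user", True, 10),     # past the 7-day default
    Ref("bob", "user", True, 3),        # still inside the grace period
    Ref("carol", "user", False, 0),     # unlinked identity source
    Ref("helpdesk", "group", True, 0),  # group: removed immediately
]

if __name__ == "__main__":
    print(plan_cleanup(SAMPLE))                    # defaults
    print(plan_cleanup(SAMPLE, cleanup_limit=2))   # three users found, limit 2
    print(plan_cleanup(SAMPLE, None, None))        # both checkboxes cleared
```

With the defaults, `bob` is left in place because he has been unresolvable for fewer days than the grace period, which is the window for corrective action that step 4 describes.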