[ https://issues.apache.org/jira/browse/OAK-4825?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15532692#comment-15532692 ]
Dominique Jäggi commented on OAK-4825:
--------------------------------------

[~alexander.klimetschek], thanks for the patch, I am reviewing it. Please provide an additional patch for the missing documentation (oak-doc module) of this enhancement / additional config / behavior of the external auth module.

> Support disabling of users instead of removal in DefaultSyncHandler
> -------------------------------------------------------------------
>
>                 Key: OAK-4825
>                 URL: https://issues.apache.org/jira/browse/OAK-4825
>             Project: Jackrabbit Oak
>          Issue Type: Improvement
>          Components: auth-external
>            Reporter: Alexander Klimetschek
>         Attachments: OAK-4825-b.patch, OAK-4825.patch
>
>
> The DefaultSyncHandler by default will remove (local) users when they are no
> longer active in the external system, aka no longer provided by the
> ExternalIdentityProvider. It would be useful to have an option to _disable_
> users instead of removing them completely.
>
> This is good for use cases that need to keep the user's data around in the
> JCR and can't just delete it. Also, we have seen cases where the user is only
> temporarily removed from the external identity system (e.g. accidentally
> removed from a group that maps them to the JCR system and quickly added back),
> where a full removal can do unnecessary operations.
>
> (Note: There is an [option in the SyncContext
> interface|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/SyncContext.java#L38]
> to suppress purging completely, aka they won't be removed nor disabled, and
> the JMX sync commands such as
> [purgeOrphanedUsers()|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/jmx/Delegatee.java#L256]
> "use" it. However, the JCR users look like "valid" users then locally. Even
> if the authentication is done completely through the IDP and will fail
> properly for these missing users, it can be difficult for other uses like
> administration, monitoring, other application code to detect that such a user
> is not active anymore.)

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)