Nothing lasts forever, and that includes user profiles. Because of that, administrators have the ability to delete a user profile and, by extension, to prevent the affected user from logging on to the site (at least by using the deleted account). To delete a user profile:
- From the Manage Profiles page, click the user account to be deleted.
- On the Edit User Profile page, scroll to the bottom of the page and then click Delete Profile.
- In the Would you like to delete this profile? dialog box, click Yes.
Clicking Yes deletes the account. By default, however, that same user (or any other user) can create a new account using the same email address, display name, password, etc. To prevent people from using a specific account (for example, if you don’t want anyone logging on as firstname.lastname@example.org), don’t delete the account; instead, set the deactivateAccount attribute of the account to the current date and time (or, technically, any day and time). If anyone tries to log on using a deactivated account, that logon attempt will fail.
It's important to note that putting any datetime value in the deactivateAccount attribute instantly deactivates the account. Among other things, that means that you can't schedule an account for deactivation. For example, suppose today is November 5, 2020 and you want to deactivate an account on January 1, 2021. Consequently, you enter the following deactivation date:
2021-01-02 00:00:00.000000 +0000
However, as soon as you save the user profile the account will immediately be deactivated. That's because, any time a user tries to authenticate, the Identity Cloud only checks to see if a value of some kind has been entered for the deactivateAccount attribute. If it has, then the user is denied access regardless of the actual date that was entered. In other words, if you want this user to be able to log on until January 1, 2021 then you must wait until January 1, 2021 to update the deactivateAccount attribute and deactivate the account. Putting in a datetime value of January 1, 2021 will not delay deactivation. It just doesn't work that way.
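The behavior described above, modeled in Python as an added example (not Identity Cloud code): `logon_denied` mirrors the presence-only check, and `apply_due_deactivations` keeps planned dates in a separate schedule so the attribute is written only once the date arrives. The profile dictionaries, the `email` key, and the function names are assumptions for illustration, and the sample data is constructed.

```python
from datetime import datetime, timezone

FMT = "%Y-%m-%d %H:%M:%S.%f %z"  # datetime layout used on this page


def logon_denied(profile):
    """Model of the check described above: any value at all denies access."""
    return bool(profile.get("deactivateAccount"))


def naive_date_check(profile, now):
    """What an admin might expect (NOT what happens): deny only once the date passes."""
    value = profile.get("deactivateAccount")
    return bool(value) and datetime.strptime(value, FMT) <= now


def apply_due_deactivations(profiles, schedule, now):
    """Write deactivateAccount only for accounts whose planned date has arrived.

    `schedule` maps email -> planned datetime and lives outside the profile,
    so pending entries never touch the attribute. Returns emails deactivated.
    """
    done = []
    for profile in profiles:
        planned = schedule.get(profile["email"])
        if planned and planned <= now and not logon_denied(profile):
            profile["deactivateAccount"] = now.strftime(FMT)
            done.append(profile["email"])
    return done


# Constructed sample data (not real accounts).
NOW = datetime(2020, 11, 5, 12, 0, tzinfo=timezone.utc)
early = {"email": "a@example.org", "deactivateAccount": "2021-01-02 00:00:00.000000 +0000"}
profiles = [
    {"email": "b@example.org", "deactivateAccount": None},
    {"email": "c@example.org", "deactivateAccount": None},
]
schedule = {
    "b@example.org": datetime(2021, 1, 1, tzinfo=timezone.utc),   # still pending
    "c@example.org": datetime(2020, 11, 1, tzinfo=timezone.utc),  # already due
}

if __name__ == "__main__":
    print("future date, expected:", naive_date_check(early, NOW))  # False
    print("future date, actual:  ", logon_denied(early))            # True
    print("deactivated now:", apply_due_deactivations(profiles, schedule, NOW))
```

Run the scheduling step from a recurring job; an account stays usable until the run on or after its planned date.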
In addition to deleting an occasional “bad” profile, you might also want to delete stale user profiles (this helps minimize the size of your user database). For example, if you search on the lastUpdated attribute, you can determine which users have not logged on in, say, the past 6 months (the lastUpdated attribute is changed each time a user logs on). You can then delete those stale user profiles one by one.