Delete User

cidaas provides secure user deletion capabilities with GDPR compliance, supporting both scheduled deletion (with grace period) and immediate deletion.

Purpose and Benefits

What is User Deletion?

User deletion allows administrators and users to permanently remove user accounts from cidaas. The system supports two deletion methods: scheduled deletion (with a grace period and a cancellation option) and immediate deletion (permanent removal without a grace period).

Key Benefits

| Benefit | Description |
|---|---|
| GDPR Compliance | Ensures compliance with General Data Protection Regulation requirements for data deletion |
| Retention Management | Configurable retention periods to comply with legal, regulatory, or business requirements |
| User Control | Users can schedule their own account deletion through self-service |
| Grace Period | Scheduled deletion includes a grace period with cancellation option via email link |
| Immediate Deletion | Admin can delete users immediately when required (no grace period) |
| Webhook Integration | Automatic webhook events for integration with external systems |
| Audit Trail | Track deletion events through webhook notifications |

When to Use User Deletion

  • GDPR Compliance: Fulfill user requests for data deletion
  • Account Cleanup: Remove inactive or obsolete user accounts
  • Data Retention: Manage data retention periods according to policies
  • User Self-Service: Allow users to delete their own accounts
  • Administrative Cleanup: Remove accounts that are no longer needed

Deletion Methods

| Method | Description | Grace Period | Cancellation |
|---|---|---|---|
| Scheduled Deletion | User or admin schedules deletion for future date | Yes (configurable) | Yes (via email link) |
| Immediate Deletion | Admin deletes user immediately | No | No |

Prerequisites

Before deleting users:

  • ✅ Admin permissions for immediate deletion
  • ✅ User token for self-service deletion
  • ✅ Instance settings configured for retention period (delete_unregistered_users_after_seconds)
  • ✅ Email templates configured (for scheduled deletion)

User Deletion Flow

The following sequence diagrams illustrate both scheduled and immediate deletion processes:

[Sequence diagram: Scheduled Deletion Flow]

[Sequence diagram: Immediate Deletion Flow]

Flow Steps Explained

Scheduled Deletion

  1. User/Admin Schedules Deletion

  2. Deletion Scheduled

    • System schedules deletion based on delete_unregistered_users_after_seconds (instance setting)
    • Fact event ACCOUNT_DELETION_SCHEDULED is sent to external systems
    • User receives email with cancellation link
  3. User Receives Email

    • Email contains cancellation link
    • User can cancel deletion by clicking the link
    • Cancellation triggers ACCOUNT_ACTIVATED event
  4. Retention Period

    • System counts down the retention period
    • User can cancel at any time during this period
  5. Deletion Executed

    • After retention period expires, user account is deleted
    • Fact event ACCOUNT_DELETED is sent to external systems

Immediate Deletion

  1. Admin Deletes User

  2. User Deleted Immediately

    • User account is deleted immediately (no grace period)
    • All user data is removed
    • Fact event ACCOUNT_DELETED is sent to external systems
  3. No Cancellation or Email

    • Deletion cannot be cancelled
    • No email notification is sent (unlike scheduled deletion)

Important Details

Required Permissions

Scheduled Deletion

  • User Self-Service: User token with profile scope
  • Admin: Admin token with cidaas:users_write scope

Immediate Deletion

  • Scope: cidaas:users_delete
  • Roles: admin, secondary_admin, or user_delete (in CIDAAS_ADMINS group)
  • Note: Can use ANONYMOUS token (client_credentials) with cidaas:users_delete scope, or admin permissions

Deletion Methods

1. Scheduled Deletion

Use Cases:

  • User-initiated account deletion
  • GDPR compliance with grace period
  • Data retention management

Features:

  • Configurable retention period (delete_unregistered_users_after_seconds)
  • Email notification with cancellation link
  • User can cancel deletion during grace period
  • Webhook events: ACCOUNT_DELETION_SCHEDULED, ACCOUNT_DELETED, ACCOUNT_ACTIVATED (if cancelled)

Endpoints:

  • POST /users-srv/user/unregister/scheduler/schedule/:sub
  • DELETE /users-srv/user/unregister/:sub

2. Immediate Deletion

Use Cases:

  • Administrative cleanup
  • Immediate account removal required
  • No grace period needed

Features:

  • No grace period
  • No cancellation option
  • Immediate removal of all user data
  • No email notification sent
  • Webhook event: ACCOUNT_DELETED

Endpoint:

  • DELETE /user-srv/users/:sub

Email Templates

Template Key: UN_REGISTER_USER_ALERT

Used when deletion is scheduled (scheduled deletion only).

Template Variables:

  • {{name}} - User's full name
  • {{cancellation_link}} - Link to cancel scheduled deletion
  • {{account_name}} - Organization/tenant name
  • {{deletion_date}} - Date when account will be deleted

What the User Receives:

  • Email notification about scheduled deletion
  • Cancellation link to cancel the deletion
  • Information about deletion date
  • Account/organization name

Note:

  • Template configuration may vary based on instance settings
  • Immediate deletion does not send any email notification

Webhooks and Facts

When users are scheduled for deletion or deleted, fact events (webhooks) are sent:

Event Types

  • ACCOUNT_DELETION_SCHEDULED: User account is scheduled for deletion

    • Object Type: users
    • Object ID: The sub (unique user identifier)
    • Webhook Attributes: ["sub", "createdTime"]
    • Triggered: When deletion is scheduled (via POST /users-srv/user/unregister/scheduler/schedule/{sub} or DELETE /users-srv/user/unregister/{sub})
  • ACCOUNT_DELETED: User account has been deleted

    • Object Type: users
    • Object ID: The sub (unique user identifier)
    • Webhook Attributes: ["sub"]
    • Triggered: After retention period expires or immediate deletion
  • ACCOUNT_ACTIVATED: Scheduled deletion was cancelled

    • Object Type: users
    • Object ID: The sub (unique user identifier)
    • Webhook Attributes: ["sub"]
    • Triggered: When user cancels scheduled deletion via email link

Use Cases

  • Track deletion events in external systems
  • Monitor GDPR compliance
  • Integrate with data retention systems
  • Audit user account lifecycle

Retention Period Configuration

The retention period is configured at the instance level:

  • Setting: delete_unregistered_users_after_seconds
  • Default: Typically 2 days (varies by instance)
  • Purpose: Provides grace period for users to cancel deletion
  • Configuration: Set by instance administrators
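
The three fact events and the retention period described above are enough to rebuild a deletion audit trail and to tell scheduled deletions apart from immediate ones. The following Python code is an added example, not cidaas code: it assumes the webhook receiver stores each event as a (received_at, event_type, sub) record with its own receive time, assumes a 2-day retention value, and uses illustrative status labels and function names.

```python
from datetime import datetime, timedelta, timezone

# Assumed value of delete_unregistered_users_after_seconds (2 days).
RETENTION = timedelta(seconds=2 * 24 * 3600)

def reconcile(events, retention=RETENTION):
    """Replay records in time order; return (final status per sub, open schedules)."""
    status, pending = {}, {}
    for received_at, event_type, sub in sorted(events, key=lambda e: e[0]):
        if event_type == "ACCOUNT_DELETION_SCHEDULED":
            pending[sub] = received_at
            status[sub] = "scheduled"
        elif event_type == "ACCOUNT_ACTIVATED":
            # Sent when the user cancels through the email link.
            had_schedule = pending.pop(sub, None) is not None
            status[sub] = "cancelled" if had_schedule else "activated_without_schedule"
        elif event_type == "ACCOUNT_DELETED":
            scheduled_at = pending.pop(sub, None)
            if scheduled_at is None:
                status[sub] = "immediate_deletion"           # no grace period was offered
            elif received_at - scheduled_at < retention:
                status[sub] = "deleted_during_grace_period"  # cancellation window cut short
            else:
                status[sub] = "deleted_after_retention"
    return status, pending

def overdue(pending, now, retention=RETENTION, slack=timedelta(hours=1)):
    """Subs whose grace period ended but for which no ACCOUNT_DELETED arrived."""
    return sorted(s for s, at in pending.items() if now - at > retention + slack)

# Constructed sample records (not real cidaas output).
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE = [
    (T0, "ACCOUNT_DELETION_SCHEDULED", "sub-a"),
    (T0 + timedelta(hours=1), "ACCOUNT_ACTIVATED", "sub-a"),
    (T0, "ACCOUNT_DELETION_SCHEDULED", "sub-b"),
    (T0 + timedelta(days=2, minutes=1), "ACCOUNT_DELETED", "sub-b"),
    (T0 + timedelta(hours=3), "ACCOUNT_DELETED", "sub-c"),
    (T0, "ACCOUNT_DELETION_SCHEDULED", "sub-d"),
    (T0 + timedelta(hours=5), "ACCOUNT_DELETED", "sub-d"),
    (T0, "ACCOUNT_DELETION_SCHEDULED", "sub-e"),
]

if __name__ == "__main__":
    status, pending = reconcile(SAMPLE)
    print(status, overdue(pending, T0 + timedelta(days=3)))
```

Because immediate deletion sends no email, an ACCOUNT_DELETED event with no preceding ACCOUNT_DELETION_SCHEDULED is the only external record of that deletion, which is why it gets its own status here.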

Groups & Roles

Required Roles

| Operation | Required Roles | Scope |
|---|---|---|
| Schedule Deletion (User) | User (self-service) | profile |
| Schedule Deletion (Admin) | admin, secondary_admin, user_delete | cidaas:users_write |
| User Self-Service Deletion | User (self-service) | profile |
| Immediate Deletion | admin, secondary_admin, user_delete | cidaas:users_delete |

Admin Dashboard: Delete User

Required Roles: admin, secondary_admin, or user_delete

Immediate Deletion via Admin Dashboard

  1. Navigate to Users > User Search
  2. Search for the user
  3. Click Edit User
  4. Scroll to the bottom
  5. Click Delete

Result: The user account is deleted immediately, without a grace period.

Watch Out!

Immediate deletion cannot be cancelled. The account is deleted permanently without any grace period.

Technical Integration

| Endpoint | Method | Description | Link |
|---|---|---|---|
| Schedule User Deletion | POST | Schedule user deletion with grace period (user or admin) | POST /users-srv/user/unregister/scheduler/schedule/:sub |
| User Self-Service Deletion | DELETE | User schedules own account deletion (requires profile scope) | DELETE /users-srv/user/unregister/:sub |
| Immediate Deletion | DELETE | Delete user immediately (admin only, requires cidaas:users_delete scope) | DELETE /user-srv/users/:sub |

| Topic | Description | Link |
|---|---|---|
| Create User | Create new user accounts | Create User |
| Invite User | Invite users to register | Invite User |
| Update Account | Modify user profile | Update Account |
| User Groups | Access control | User Groups |
| Account Structure | User data model | Account Structure |
