how do i lock a Managed Object so that it cannot be deleted?


This topic has 2 replies, 2 voices, and was last updated 5 months, 2 weeks ago by [email protected].


    I have a requirement to lock a Managed Object so that it cannot be deleted for x months, but update its status to DELETED

    The way I think I can do this is to create a locked flag, i.e. a property that has a locked date, and protect it so that it cannot be deleted via a PATCH request. In order to stop the object from actually being deleted I can throw an error of a BAD REQUEST indicating that it cannot be deleted from the console. In order to detect if the DELETE operation is from the console I would need to interrogate the context and determine if it came from an external REST request, so that the internal scheduled task could delete it.

    Is there a simpler option that I have overlooked?

     Bill Nelson

    If you have permissions to delete the object, then there is nothing in the product that specifically prevents an object from being deleted. This is especially true if you are performing the action as someone with the openidm-admin role. But be advised that if they have access to the Admin Console, then they do have that role and you cannot prevent the deletion.

    Now, having said that, there are a couple of things that you can try.

    1. Use IDM’s delegated administration capability. Create a new service account that handles profile updates via REST or the End User Console and give that account permissions to ONLY read, write, and update the managed object. Do not allow them to delete managed objects. Then perform all management of accounts using that service account. You could also have a postModify hook that creates a task to delete the user after X days. Or you could add a deletion date associated with the user and run a scheduled job that deletes users that have reached a particular date. Either of these would allow you to delete the object automatically. You should also create a different service account that does nothing but read and delete in case you need to perform the deletion operation specifically. Of course you could do that through the Admin Console as well.

    2. Create a custom endpoint to perform object management. Check the method in the endpoint logic and if it is DELETE, check to see if the object has the right conditions to allow it to be deleted (flag set, deletion date reached, etc.) If not, then return an error of Method not Allowed (or something). If the method is anything but a DELETE, then process it accordingly (i.e. set the conditions for the record to be deleted in the future and override any properties passed in as necessary).

    Again, if someone with the openidm-admin role uses the Admin Console or calls the default object endpoint, there really is not much you can do. So the best way to handle this (IMHO) is to use some sort of situational logic (delegated admin or custom).



    Thanks for the details. This is how I solved it.

    On the Managed Object onDelete Script I added

    // Abort unless the certificate has already been revoked (or is being revoked)
    if (!(object.status == "REVOKING" || object.status == "REVOKED")) {
      throw {
        code : 400,
        message : "Cannot Delete Certificate in its current state.",
        detail: {
          description : "The Certificate is not in a REVOKING state and therefore cannot be deleted",
          severity : "Fatal"
        }
      };
    } else {
      // External callers (REST / Admin Console) may not delete; only the scheduled task may
      if (context.caller.external) {
        // Clear the expiry date on the object, then refuse the delete
        openidm.patch("managed/Certificate/" + object._id, null, [{
          "operation" : "replace",
          "field" : "/expireson/date",
          "value" : -1
        }]);
        throw {
          code : 400,
          message : "Cannot Delete Certificate in the UI",
          detail: {
            description : "The Certificate can only be deleted via a Scheduled Task",
            severity : "Fatal"
          }
        };
      }
    }

    This way it checks to see if the Managed Object is in a state in which it can be deleted and, if not, issues a 400 response. If it is, it checks the caller context and, if the caller is external, responds with a 400 response saying it cannot be deleted this way. I then have a scheduled task that can actually perform the delete operation.
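Generalising the posted hook as an added example (not code from the thread or from ForgeRock IDM): it combines the status gate above with the retention-date idea from the first reply, and takes the clock and the `openidm` binding as parameters so the policy can be checked offline with a stub. `deletionPolicy`, `runOnDeleteHook`, `idmError` and the `retainUntil` property are assumed names.

```javascript
// Added example (not code from the thread or from ForgeRock IDM).
// deletionPolicy, runOnDeleteHook, idmError and the retainUntil property are assumed names.
var DELETABLE_STATUSES = ["REVOKING", "REVOKED"];

// Shape of the error object an IDM onDelete script throws to abort the delete;
// detail.reason is an added field so the hook can tell the three refusals apart.
function idmError(reason, message, description) {
  return { code: 400, message: message,
           detail: { reason: reason, description: description, severity: "Fatal" } };
}

// Returns null when the delete may proceed, otherwise the error to throw.
// nowMs is passed in so the policy runs offline against a fixed clock.
function deletionPolicy(object, context, nowMs) {
  if (DELETABLE_STATUSES.indexOf(object.status) === -1) {
    return idmError("status", "Cannot Delete Certificate in its current state.",
      "Status is " + object.status + ", expected REVOKING or REVOKED");
  }
  // Retention window (the "x months" from the question): retainUntil is an
  // assumed epoch-millisecond timestamp stored on the object when it is revoked.
  if (typeof object.retainUntil === "number" && nowMs < object.retainUntil) {
    return idmError("retention", "Cannot Delete Certificate before its retention date.",
      "Retention ends at " + new Date(object.retainUntil).toISOString());
  }
  // REST and console callers are refused; the internal scheduled task is not external.
  if (context.caller && context.caller.external) {
    return idmError("external", "Cannot Delete Certificate in the UI",
      "The Certificate can only be deleted via a Scheduled Task");
  }
  return null;
}

// onDelete body built on the policy above. openidm is passed in so a stub can
// stand in for the real scripting binding during offline checks.
function runOnDeleteHook(object, context, openidm, nowMs) {
  var err = deletionPolicy(object, context, nowMs);
  if (err === null) { return true; }  // let IDM carry out the delete
  if (err.detail.reason === "external") {
    // Same side effect as the posted script: clear the expiry before refusing
    openidm.patch("managed/Certificate/" + object._id, null,
      [{ operation: "replace", field: "/expireson/date", value: -1 }]);
  }
  throw err;
}

// Constructed sample input: a revoked certificate whose retention ends at T=100.
var SAMPLE_CERT = { _id: "cert-1", status: "REVOKED", retainUntil: 100 };
```

Note that the retention check runs before the caller check, so an external caller sees the retention refusal (and no patch) until the window has passed.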


©2021 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.
