Adding PR1032 to address account deletion

2020-12-07 17:37:11 -05:00 · 2020-12-07 17:37:11 -05:00 · 02f2507668
commit 02f2507668
parent c2d64a506c
5 changed files with 59 additions and 9 deletions
--- a/server_admin/images/delete-account-landing-screen.png
+++ b/server_admin/images/delete-account-landing-screen.png
--- a/server_admin/images/delete-user.png
+++ b/server_admin/images/delete-user.png
--- a/server_admin/topics/assembly-managing-users.adoc
+++ b/server_admin/topics/assembly-managing-users.adoc
@ -7,6 +7,8 @@ From the Admin Console, you have a wide range of actions you can perform to mana
 include::users/proc-searching-user.adoc[leveloffset=+2]
 include::users/proc-creating-user.adoc[leveloffset=+2]
 include::users/proc-deleting-user.adoc[leveloffset=+2]
+
+include::users/proc-allow-user-to-delete-account.adoc[leveloffset=+2]
 include::users/proc-configuring-user-attributes.adoc[leveloffset=+2]

 include::users/ref-user-credentials.adoc[leveloffset=+2]
--- a/server_admin/topics/clients/oidc/proc-using-a-service-account.adoc
+++ b/server_admin/topics/clients/oidc/proc-using-a-service-account.adoc
@ -56,19 +56,15 @@ Pragma: no-cache
 {
    "access_token":"2YotnFZFEjr1zCsicMWpAA",
    "token_type":"bearer",
-    "expires_in":60,
-    "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
-    "refresh_expires_in":600,
-    "id_token":"tGzv3JOkF0XG5Qx2TlKWIA",
-    "not-before-policy":0,
-    "session_state":"234234-234234-234234"
+    "expires_in":60
 }
 ----

-The retrieved access token can be refreshed or logged out by an out-of-bound request.
+Only the access token is returned by default. No refresh token is returned and no user session is created
+on the {project_name} side upon successful authentication by default. Due to the lack of refresh token, re-authentication is required when the access token expires. However, this situation does not mean any additional overhead for the {project_name} server because sessions are not created by default.
+
+In this situation, logout is unnecessary. However, issued access tokens can be revoked by sending requests to the OAuth2 Revocation Endpoint as described in the <<_oidc-endpoints, OpenID Connect Endpoints>> section.

 [role="_additional-resources"]
 .Additional resources
 For more details, see <<_client_credentials_grant,Client Credentials Grant>>.
-
-
--- a/server_admin/topics/users/proc-allow-user-to-delete-account.adoc
+++ b/server_admin/topics/users/proc-allow-user-to-delete-account.adoc
@ -0,0 +1,52 @@
+[id="proc-allow-user-to-delete-account_{context}"]
+= Enabling Account Deletion by Users
+
+End users and applications can delete their accounts in the Account Console if you enable this capability in the Admin Console. Once you enable this capability, you can give that capability to specific users.
+
+== Enabling the Delete Account Capability
+
+You enable this capability on the *Required Actions* tab.
+
+.Procedure 
+. Click *Authentication* in the menu.
+. Click the *Required Actions* tab.
+. Select *Enabled* on the *Delete Account* row.
+
+.Delete Account on Required Actions tab
+image:images/enable-delete-account-action.png[]
+
+== Giving a User the *delete-account* Role
+
+You can give specific users a role that allows account deletion.
+
+.Procedure
+. Click *Users* in the menu.
+. Select a user.
+. Click the *Role Mappings* tab.
+. From the *Client Roles* list, select *account*.
+. Under *Available Roles, select *delete-account*.
+. Click *Add selected*.
+
+.delete-account role
+image:images/delete-account-client-role.png[]
+
+== Deleting your account
+
+Once you have the *delete-account* role, you can delete your own account.
+
+. Log into the Account Console.
+. At the bottom of the *Personal Info* page, click *Delete Account*.
+
+.Delete Account Page
+image:images/delete-account-page.png[]
+
+. Enter your credentials and confirm the deletion.
+
+.Delete confirmation
+image:images/delete-account-confirm.png[]
+
+[NOTE]
+====
+This action is irreversible. All your data in {project_name} will be removed.
+====
+