Erasure requests are part of the GDPR compliance portion of Security Settings.
For erasure requests to take effect, the Erasure Settings section of Security Settings must be populated.
An Erasure request will either:
- Remove existing ObjectRecords from Identity Panel
- Remove a User login record from Identity Panel (including login name and any profile settings)
To activate an Erasure request you must have the "Write|ErasureRequest" permission, which by default is only present on the Admin and Writer roles.
Erasure requests are submitted by HTTP POST to /api/erasure.
An erasure may be submitted with a Content-Type of application/json or application/bson.
The payload structure is:
{ Filter: "match value", User: true|false, Persist: true|false }
A successful submission will return a 204 No Content response. This response is returned even if no objects were affected by the request.
User: true
Results in the filter being matched against the Azure objectId or AD objectSid value of user profile objects. If a match is found, the profile will be removed.
User: false
Results in the filter being matched against EACH of the Identity Silo / Object Type / Attribute pairs defined in Erasure settings. Any matches are purged from Identity Panel.
Persist: true
If persistence is specified, the value will be hashed and compared against incoming objects being saved. A match will prevent the identified object from being added to Identity Panel. Erasure persistence should be used sparingly, as a large volume of persisted erasure objects can slow saving of time traveler data.
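The request described above, as an added Python example (not Identity Panel's own code): it builds the JSON payload with the documented keys and treats the 204 response as acceptance only. The host name, the sample filter value and the `auth_headers` parameter are assumptions, since this page does not describe how the call is authenticated.

```python
import json
import urllib.request

ERASURE_PATH = "/api/erasure"  # endpoint path given on the page


def build_erasure_request(base_url, filter_value, user, persist=False, auth_headers=None):
    """Build (but do not send) the POST for one erasure request."""
    # Client-side precaution: refuse an empty match value before it leaves the host.
    if not isinstance(filter_value, str) or not filter_value.strip():
        raise ValueError("Filter must be a non-empty match value")
    # JSON true/false must be real booleans, not the strings "true"/"false".
    if not isinstance(user, bool) or not isinstance(persist, bool):
        raise TypeError("User and Persist must be booleans")
    payload = {"Filter": filter_value, "User": user, "Persist": persist}
    headers = {"Content-Type": "application/json"}
    headers.update(auth_headers or {})  # assumption: auth is deployment-specific
    return urllib.request.Request(
        base_url.rstrip("/") + ERASURE_PATH,
        data=json.dumps(payload).encode("utf-8"),
        headers=headers,
        method="POST",
    )


def submit_erasure(request, opener=urllib.request.urlopen):
    """Send the request; return True only for the documented 204 response."""
    with opener(request) as response:
        if response.status != 204:
            raise RuntimeError(f"unexpected status {response.status}")
    # 204 is returned even when nothing matched, so it confirms acceptance,
    # not deletion. Verify the outcome separately.
    return True


if __name__ == "__main__":
    # Constructed sample values: placeholder host, objectId and token; nothing is sent.
    req = build_erasure_request(
        "https://identitypanel.example", "00000000-0000-0000-0000-000000000000",
        user=True, auth_headers={"Authorization": "Bearer <token>"},
    )
    print(req.get_method(), req.full_url, req.data.decode())
```

Persist defaults to False here because the page advises using erasure persistence sparingly.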