Ability to Move from one Disabled Lifecycle State to another without needing to make a user Active

Hey Team,

I posted the below to the SailPoint Ideas Portal in 2021, the idea was marked as “Future Consideration” in 2023 but we haven’t seen anything to resolve this use case as of yet.

It got me thinking, how do other people handle this use case?

https://ideas.sailpoint.com/ideas/GOV-I-1529

Ability to Move from one Disabled Lifecycle State to another without needing to make a user Active

Currently, in IDN, if there are multiple lifecycle states on a source that have a disable policy, if a user moves from one disabled state to another, nothing on the account will change. This doesn’t sound like a problem initially as the account is already disabled, so why would it need to be disabled again?

However, if there are any other account amendments set up in the provisioning policy, they will not be triggered.

This becomes an issue in the following use case:

Identity Profile has 3 lifecycle states:

Active: AD Account is Enabled and moved to Active OU

Leaver: AD Account is Disabled and moved to Leaver OU

Suspended: AD Account is Disabled and moved to Suspended OU

In this scenario, if a user is suspended and found to be innocent, changing the user’s lifecycle state back to Active will trigger the enable policy which will reactivate and move the AD account back to the Active OU.

However, if a user is suspended and found to be guilty, changing the user’s lifecycle state to Leaver from Suspended won’t trigger the disable policy as the user is already disabled which means the user will remain in the Suspended OU rather than moving to the Leaver OU.

The current workaround is to manually re-enable the account by manually changing the user’s lifecycle state from Suspended to Active, performing a full manual AD Aggregation, then manually setting the user lifecycle state to Leaver, which is quite convoluted.

Best Wishes

Ryan

Ryan, you can achieve this with a Before Provisioning rule like the Standard services one


Or via AC_NewParent and ‘Account Update’. You just need to have a synced attribute changing on the source.
I have 2 identity attributes:
Active Parent OU - where they should be
Actual Parent OU - where they are
And then this logic to move them:

```json
"value": "#if($activeParentOU != $actualParentOU)$activeParentOU#{else}#end",
"activeParentOU": {
```
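The comparison the post above relies on, modelled in Python as an added example (it is neither SailPoint's code nor the poster's transform): it contrasts a move that is only requested when the enable/disable policy fires with the activeParentOU/actualParentOU comparison, which still moves a Suspended account to the Leaver OU. The lifecycle-state-to-OU mapping and the OU DNs are assumed placeholders.

```python
"""Constructed simulation of the two-attribute OU sync described above."""

# Assumed mapping from lifecycle state to the OU the AD account should live in.
ACTIVE_OU_BY_STATE = {
    "active": "OU=Active,DC=example,DC=com",
    "leaver": "OU=Leaver,DC=example,DC=com",
    "suspended": "OU=Suspended,DC=example,DC=com",
}
# States whose lifecycle configuration carries a disable policy.
DISABLED_STATES = {"leaver", "suspended"}


def parent_ou(dn: str) -> str:
    """Return the parent container of an LDAP DN (everything after the first RDN)."""
    return dn.split(",", 1)[1]


def policy_only_plan(old_state: str, new_state: str):
    """Move driven only by the enable/disable policy: AC_NewParent is sent only
    when the account's enabled/disabled status actually changes, so a
    disabled-to-disabled transition (Suspended -> Leaver) sends nothing."""
    if (old_state in DISABLED_STATES) == (new_state in DISABLED_STATES):
        return None
    return {"AC_NewParent": ACTIVE_OU_BY_STATE[new_state]}


def attribute_sync_plan(new_state: str, account_dn: str):
    """Two-attribute approach: activeParentOU is derived from the lifecycle
    state, actualParentOU from the aggregated account DN. AC_NewParent is
    emitted only when they differ, mirroring
    #if($activeParentOU != $actualParentOU)$activeParentOU#{else}#end."""
    active_parent = ACTIVE_OU_BY_STATE[new_state]
    actual_parent = parent_ou(account_dn)
    if active_parent == actual_parent:
        return None  # already in the right OU: no Account Update needed
    return {"AC_NewParent": active_parent}


if __name__ == "__main__":
    # Constructed account currently sitting in the Suspended OU.
    dn = "CN=Ryan,OU=Suspended,DC=example,DC=com"
    print(policy_only_plan("suspended", "leaver"))  # None: stays in Suspended OU
    print(attribute_sync_plan("leaver", dn))        # moves to the Leaver OU
```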

Interesting way to do it. I’ve recently started doing something similar, using AC_NewParent and lifecycle states to move the user depending on their lifecycle state. However, your method is a catch-all that avoids having to modify the transform if more lifecycle states are created.