Hey Team,
I posted the below to the SailPoint Ideas Portal in 2021, the idea was marked as “Future Consideration” in 2023 but we haven’t seen anything to resolve this use case as of yet.
It got me thinking, how do other people handle this use case?
https://ideas.sailpoint.com/ideas/GOV-I-1529
Ability to Move from one Disabled Lifecycle State to another without needing to make a user Active
Currently, in IDN, if there are multiple lifecycle states on a source that have a disable policy, and a user moves from one disabled state to another, nothing on the account will change. This doesn’t sound like a problem initially, as the account is already disabled, so why would it need to be disabled again?
However, if there are any other account amendments set up in the provisioning policy, they will not be triggered.
This becomes an issue in the following use case:
Identity Profile has 3 lifecycle states:
Active: AD Account is Enabled and moved to Active OU
Leaver: AD Account is Disabled and moved to Leaver OU
Suspended: AD Account is Disabled and moved to Suspended OU
In this scenario, if a user is suspended and found to be innocent, changing the user’s lifecycle state back to Active will trigger the enable policy which will reactivate and move the AD account back to the Active OU.
However, if a user is suspended and found to be guilty, changing the user’s lifecycle state to Leaver from Suspended won’t trigger the disable policy as the user is already disabled which means the user will remain in the Suspended OU rather than moving to the Leaver OU.
The current workaround is to manually re-enable the account by manually changing the user’s lifecycle state from Suspended to Active, performing a full manual AD aggregation, then manually setting the user’s lifecycle state to Leaver, which is quite convoluted.
Best Wishes
Ryan
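One way to at least detect the drift Ryan describes (an identity moved from Suspended to Leaver whose AD account stays disabled in the Suspended OU) is a reconciliation check that compares each identity's lifecycle state against the correlated account's enabled flag and parent OU. This is an added example, not code from the original post or from SailPoint; the OU distinguished names, the sample identities and the sample accounts are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

# Expected AD account state per lifecycle state, following the post's scenario.
# lifecycle state -> (account enabled?, OU the account should live in). Constructed DNs.
EXPECTED: dict[str, tuple[bool, str]] = {
    "Active":    (True,  "OU=Active,DC=example,DC=com"),
    "Leaver":    (False, "OU=Leaver,DC=example,DC=com"),
    "Suspended": (False, "OU=Suspended,DC=example,DC=com"),
}

@dataclass
class AdAccount:
    sam: str        # sAMAccountName, used to correlate to the identity
    dn: str         # distinguishedName as exported from AD
    enabled: bool   # False when the userAccountControl disable bit is set

def parent_ou(dn: str) -> str:
    """Return the container part of a DN (everything after the first RDN).
    Commas inside a CN are backslash-escaped, so skip escaped characters."""
    i = 0
    while i < len(dn):
        if dn[i] == "\\":
            i += 2                 # escaped char: skip both backslash and char
            continue
        if dn[i] == ",":
            return dn[i + 1:].strip()
        i += 1
    return ""

def find_drift(identities: dict[str, str], accounts: list[AdAccount]) -> list[tuple[str, str]]:
    """identities: sAMAccountName -> lifecycle state. Returns (sam, reason) findings."""
    by_sam = {a.sam: a for a in accounts}
    findings: list[tuple[str, str]] = []
    for sam, state in identities.items():
        acct = by_sam.get(sam)
        if acct is None:
            findings.append((sam, f"no AD account correlated for state {state}"))
            continue
        want_enabled, want_ou = EXPECTED[state]
        if acct.enabled != want_enabled:
            findings.append((sam, f"enabled={acct.enabled}, expected {want_enabled} for {state}"))
        if parent_ou(acct.dn).lower() != want_ou.lower():
            findings.append((sam, f"in {parent_ou(acct.dn)}, expected {want_ou} for {state}"))
    return findings

# Constructed sample data: jdoe went Suspended -> Leaver but the account never moved.
IDENTITIES = {"jdoe": "Leaver", "asmith": "Active", "pboyle": "Suspended"}
ACCOUNTS = [
    AdAccount("jdoe",   "CN=John Doe,OU=Suspended,DC=example,DC=com", False),
    AdAccount("asmith", "CN=Alice Smith,OU=Active,DC=example,DC=com", True),
    AdAccount("pboyle", "CN=Boyle\\, Pat,OU=Suspended,DC=example,DC=com", False),
]
```

Running `find_drift(IDENTITIES, ACCOUNTS)` reports only jdoe, sitting in the Suspended OU while the identity is in Leaver; feeding it a real aggregation export turns the post's manual spot-check into a repeatable control.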