I have one required role if user Join organization(Requestable not a birth right).
No issue we provision that access along with account creation .
Other requirement ,If that role get deprovision through any process then Account should get disable.
is there anyway to do that without putting the logic in post/pre/prov rule.
at end, for this case, insert the logic in the after or before provisioning rule is the best way, because you disable the account with the deprovisioning of role/and own entitlement).
Also, you can put this logic in a costomization rule, but this rule will be execute during aggregation. So, in this case you need to wait the aggregation, that change the account and make another refresh.
Other case, if the account is the source of identity. In this case you can manage the status of account like the status of identity and manage all with the lifecycle.
You can’t do with just ootb configuration , you need to write the logic in workflow or before provisioning rule , or custom task / rule , whatever approach you take .
No, by default we don’t have that feature that if the role is disabled then account should be disable. So for that what we can do is, we can write a logic in before provisioning rule like if attribute request is remove operation then delete. But here one important thing is, you won’t get plan simply in before provisioning rule (if you haven’t add provisioning policy form in which add the application). So for that what you have to is. Add a role provisioning policy form in the business role, in the form you add the application (ideally whatever groups you wish add, that application). And then check plan in the before provisioning rule of application what you mentioned (add loggers to check it). And later you can whatever you want to do like disable or delete and add that request to plan object with code.
The reason for this is if you seen the plan the account request for plan will be IIQ not for the specific application because it is role.