Account disable after role removal

Pradeepkthcl · August 15, 2024, 6:09pm

I have one required role if user Join organization(Requestable not a birth right).
No issue we provision that access along with account creation .
Other requirement ,If that role get deprovision through any process then Account should get disable.
is there anyway to do that without putting the logic in post/pre/prov rule.

Thanks
~PT

enistri_devo · August 15, 2024, 6:41pm

Hi @Pradeepkthcl,

at end, for this case, insert the logic in the after or before provisioning rule is the best way, because you disable the account with the deprovisioning of role/and own entitlement).

Also, you can put this logic in a costomization rule, but this rule will be execute during aggregation. So, in this case you need to wait the aggregation, that change the account and make another refresh.

Other case, if the account is the source of identity. In this case you can manage the status of account like the status of identity and manage all with the lifecycle.

vishal_kejriwal1 · August 15, 2024, 8:35pm

You can’t do with just ootb configuration , you need to write the logic in workflow or before provisioning rule , or custom task / rule , whatever approach you take .

bhanuprakashkuruva · August 16, 2024, 1:56am

Hi @Pradeepkthcl ,

No, by default we don’t have that feature that if the role is disabled then account should be disable. So for that what we can do is, we can write a logic in before provisioning rule like if attribute request is remove operation then delete. But here one important thing is, you won’t get plan simply in before provisioning rule (if you haven’t add provisioning policy form in which add the application). So for that what you have to is. Add a role provisioning policy form in the business role, in the form you add the application (ideally whatever groups you wish add, that application). And then check plan in the before provisioning rule of application what you mentioned (add loggers to check it). And later you can whatever you want to do like disable or delete and add that request to plan object with code.

The reason for this is if you seen the plan the account request for plan will be IIQ not for the specific application because it is role.

Please let me know if you need more information.

system · October 15, 2024, 1:57am

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
AD Before Provisioning rule not working as expected ISC Discussion and Questions identity-security-cloud , provisioning	5	249	July 1, 2024
How to enable account when user raises for role/ptiv IIQ Discussion and Questions identityiq , jdbc-connector	2	146	May 24, 2024
Workflow leaver - AD disable changed automatically to create IIQ Discussion and Questions workflows , identityiq , provisioning , roles	6	100	January 17, 2025
Can we disable the associated account when we revoke the role ISC Discussion and Questions identity-security-cloud , roles , access-requests	8	546	November 17, 2023
Do not deprovision access when removing Role ISC Discussion and Questions rules , identity-security-cloud , roles , entitlements	2	922	July 19, 2023

Account disable after role removal

Related topics