Activating LCS on an Identity Profile for Identity States

We are planning to flip on a Lifecycle State for an Identity profile with the intention of setting the Identity State to Inactive (Long-Term) to exclude those identities from identity refreshes.
Currently no source account operations are configured on this lifecycle state (which is intended). I am anticipating that when the LCS is turned on and the identity state is applied, the only impact should be that the identities are no longer included in the refreshes.

Are there any other considerations to be made, or other impacts that may arise from this change to these particular identities?

Regards,

Wyatt

When an identity is moved to Inactive (long-term), it is generally taken out of the normal ongoing sync flow, so it will no longer be processed by the standard SYNCHRONIZE_IDENTITIES job the same way active identities are.

The part I’d call out is that there is still one important action at transition time: SailPoint performs a final attribute sync when the identity enters that long-term inactive state. So even if you are not driving any account operations from the source, there is still that last synchronization event to be aware of.

Also, long-term inactive identities are not surfaced in most ISC services, so this can affect visibility for search, reporting, and some governance/operational use cases. That is usually the bigger consideration beyond just “will it sync again?”

So in practice, enabling LCS on the identity profile for identity states is a reasonable way to stop those identities from continuing through the normal processing path — just make sure you are comfortable with:

  • the one-time final sync on transition
  • reduced visibility in ISC
  • the fact that future updates would usually require manual or targeted reprocessing

I’d definitely test it with a small pilot set first before applying it broadly.


We are in the midst of testing this via our test environment. One interesting outcome was that for all of the identities included in that LCS & identity profile, an identity refresh account activity was generated that mentions the identity was removed from a role and added to a role.

The NPA role seems to be the identity profile and the inactive role seems to be the lifecycle state. Any idea why the system does this?

One additional thing worth calling out: Inactive (long-term) is usually best thought of as an archive state, not only a sync control.

SailPoint will still do a final attribute sync when the identity transitions into that state, but after that the identity is generally outside the normal ongoing processing flow. The bigger impact is often operational: reduced visibility in ISC for search, reporting, and follow-up handling.

So if the goal is to stop normal churn for those identities, enabling LCS on the identity profile makes sense. I’d just recommend piloting it first to confirm the transition behavior and make sure your team is okay with the visibility tradeoff and any exception handling later.