We have a requirement to execute the following actions on the employee’s AD account as part of the offboarding process via ISC.
1. Remove the AD account from all AD groups.
2. Add the AD account to a Resignee AD group.
3. Move the AD account to the Disabled OU.
4. Disable the AD account.
Currently, we are using a Before Provisioning Rule to execute the first 3 actions above on the AD source. Disabling the AD account is configured in the Lifecycle State UI.
Is this the recommended approach or are there any potential risks or downsides in this? What’s the recommended approach to handle this scenario?
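For reference, the four AD-side actions the question lists, written out as the equivalent PowerShell against the ActiveDirectory module. This is an added example, not code from the thread or from SailPoint's Services Standard rule; the Resignee group name and Disabled OU distinguished name are placeholders.

```powershell
# Added example: the offboarding actions described above, as plain AD operations.
# Group name and OU DN are placeholders; replace with your own values.
Import-Module ActiveDirectory

function Invoke-AdOffboarding {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string] $ResigneeGroup = 'Resignees',                      # placeholder
        [string] $DisabledOu    = 'OU=Disabled,DC=example,DC=com',  # placeholder
        [switch] $WhatIf                                            # dry run
    )

    # Read the account once; ObjectGUID stays stable even after the object is moved,
    # so later steps use it rather than the DistinguishedName.
    $user = Get-ADUser -Identity $SamAccountName -Properties MemberOf

    # 1. Remove from all groups. MemberOf does not list the primary group
    #    (normally Domain Users), which AD would refuse to remove anyway.
    foreach ($groupDn in $user.MemberOf) {
        Remove-ADGroupMember -Identity $groupDn -Members $user.ObjectGUID -Confirm:$false -WhatIf:$WhatIf
    }

    # 2. Add to the Resignee group.
    Add-ADGroupMember -Identity $ResigneeGroup -Members $user.ObjectGUID -WhatIf:$WhatIf

    # 3. Move to the Disabled OU (the DN changes here; that is why ObjectGUID is used).
    Move-ADObject -Identity $user.ObjectGUID -TargetPath $DisabledOu -WhatIf:$WhatIf

    # 4. Disable the account.
    Disable-ADAccount -Identity $user.ObjectGUID -WhatIf:$WhatIf

    # Return the final state so the caller can verify the result.
    Get-ADUser -Identity $user.ObjectGUID -Properties MemberOf, Enabled
}

# Dry run first, then the real thing:
# Invoke-AdOffboarding -SamAccountName 'jdoe' -WhatIf
# Invoke-AdOffboarding -SamAccountName 'jdoe'
```

Run with -WhatIf first to confirm the group list and target OU before letting it change anything.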
Hey Ashwin, welcome to the community. BPR is great, but another way is to handle the access removal from the Lifecycle state, assign the new group using a role, and move the OU using AC_NewParent in the disable policy.
This sounds like a good approach, are you using the Services Standard Before Provisioning rule? That way you wouldn’t need expert services to update it if needed.
Yes, I am using the Services Standard Before Provisioning Rule, however, I’ll have to submit a request to SailPoint Expert Services for rule review/deployment and update. Isn’t this the expected approach? Thanks.
No, you don’t need expert services to deploy the rule, support can deploy it because it’s already approved for use in all tenants. The link @UjjwalJain left has a good answer as well.
Hello @ashwinnatarajan
Looks like the majority of your questions have already been answered by our other experts.
For AD/Azure AD, the use of Services Standard is highly recommended in conjunction with the use of AC_NewParent.
And as Services Standard is a SailPoint-created legacy rule, you don't need ES to deploy it for you in the tenant; support can do it. You just might need to request a version update in case the Services Standard rule gets updates, as it's totally SailPoint governed.
And all your use cases can be easily fulfilled with just eventConfiguration, as it's going to simply utilise the Services Standard rule to complete those operations.