We have a use case where we need to delete Admin accounts directly at termination, whereas we first delete normal user accounts at a later lifecycle change. Deletion is done by a workflow.
For this purpose, we have created a requestable role to get the Admin account created in the first place, but have also configured assignment criteria to ensure that the role and access get removed when the user is terminated. If the role stays, it would recreate the admin account right away after the workflow has deleted it.
That means we have a role that is both manually assigned and a birthright role at the same time.
So far, this has been working fine, but when onboarding a new source, we realized that this stopped working. Now the role and entitlement do not get removed anymore, which results in the recreation of the Admin account. This happens for the new source, but also for the existing sources, where it had been working before.
I wonder if something has changed in ISC, or why we are seeing this now.

