Assitance with ISC Workflow – Removing Entitlements & Disabling Account on Last Entitlement Removal

Hi everyone,

I’m new to SailPoint Identity Security Cloud (ISC) and need some help with designing two related workflows for a CyberArk Privilege Cloud Shared Service SaaS source.

Requirement 1 – Remove CyberArk Entitlements when Identity Becomes Inactive

When an identity becomes inactive or terminated, the CyberArk account gets successfully disabled. However, the CyberArk entitlements remain linked to the identity/account.

I’m building a workflow (screenshot attached) to handle this cleanup.

image742×635 27 KB

The issue I’m facing:
I’m unable to filter the access items to only process CyberArk entitlements.

Could someone please share:

• A working filter expression or query that limits the entitlements to only those from a specific source (CyberArk in my case) and in which step should I place the same?

• Or an alternate approach/workflow pattern to safely remove only CyberArk entitlements when the identity is terminated?

Requirement 2 – Disable CyberArk Account When Last Entitlement Is Removed

In this case, the identity remains active, but if the last CyberArk entitlement is removed (manually or through role revocation), I need to automatically disable the CyberArk account.

I’ve tried using the Provisioning Completed trigger, but I need a filter that only captures:

• operation = Remove, and

• source = CyberArk Privilege Cloud Shared Service SaaS.

Additionally, what would be the best way to:

• Check whether this was the last entitlement removed, and

• If yes, disable the CyberArk account.

Any suggestions or examples on how to structure this logic (filters, operators, or expressions) would be greatly appreciated.

Thank you in advance for your time and guidance!

Hi @KaranGulati025

If you’re currently implementing your workflow, one possible solution would be to use the new “ISC Remove All Access” feature.

With this feature, you can configure removal of access directly through lifecycle state configuration.

Once you activate Remove All Access, you can then specify sources in the “Disable Accounts” section (for example, your CyberArk source).

When a user transitions to that particular lifecycle state, all of their access will be removed, and their accounts will be deactivated automatically.

image3522×1817 258 KB

You can find the full announcement here: New Capability: Remove All Access on Termination - Announcements / Product News - SailPoint Developer Community

I don’t think selecting the source in the enable/disable section will limit the access removal to just that source. Remove All Access does exactly that, it removes all detected access items except for anything given by a birthright role and anything given by the configured LCS. You may want to test that with a test identity before configuring it.

You will need to handle this via Before Provisioning Rule,

you can check the operation and if it is Disable then update the Provisioning Plan to include Remove all entitlements.

Compare the Entitlements being removed with the current entitlements of the user, then change operation to Disable

You’re absolutely right here. Enabling or disabling individual sources has no impact on the “Remove All Access” option. This option operates independently and is designed to revoke all entitlements across every source where the identity holds accounts and we’ve tested this.

Thank you for your response and for sharing the “Remove All Access” feature, I did review that announcement.

In our case, we don’t want to enable Remove All Access, since that would remove access from all connected sources.
The requirement here is to specifically target and remove only the CyberArk entitlements (while leaving access to other systems intact).

That’s why I’m trying to build this logic through a workflow that filters and processes only the CyberArk source.

Hi @iamology,

Thank you for your suggestion.

I actually started by implementing this logic through the Before Provisioning Rule that SailPoint provides (I’ve attached the PDF reference for context).
Services Standard IdentityNow BeforeProvisioning Rule - README.pdf (68.5 KB)

However, I ran into some issues. Specifically, the account was being disabled successfully, but the entitlements were not getting removed.

I’ve detailed that problem in another post here: https://developer.sailpoint.com/discuss/t/cyberark-saas-connector-account-disables-successfully-but-entitlements-not-removed-when-last-role-is-revoked/186282/1

If you could take a look at that thread, I’ve shared the full configuration and the behaviour I’m observing. Any guidance on resolving that would be really appreciated.

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.