Authoritative source (HR) does not bring fired users in the response list; how can the identity be modified?

Hi @jsosa, is it possible to get an identifier (like End Date or something) which says the identity will be deleted in X days? If yes, then you can utilize that identifier information and, let's say, a day before the last day (X - 1), you can set an LCS 'preTermination' which triggers the workflow and starts disabling accounts for the prospective terminated user at least; you can even remove access for the same. It all depends on your termination requirements.

Alternatively, as folks mentioned above, using an identity deletion trigger in your workflow and then either sending an email or creating a ticket (like in SNOW) for manual fulfillment of access removal is also worth an option, based on the understanding that employees aren't fired that often :smiley:

I have replicated this use case in my IDN test tenant. When an account in the authoritative source is deleted:

  1. Identity is deleted automatically.
  2. The target account is not in the Uncorrelated (orphan) list of accounts. It will be there under accounts only, with an Identity Exception.

Approach 1: Workflow
You can use the Identity Deleted trigger; not sure if you can extract accounts for an identity that is already deleted and accounts that are in Identity Exception.

Approach 2: WSAO Rule
You can refer to Web Services After Operation Rule | SailPoint Developer Community

The response has the data of the user (ResourceObject); you can add an attribute to the map.

Key: lastAggregated
Value: Current Date

Whenever the user is deleted in the HR source, it will not have the lastAggregated attribute value as the current date; it will be an old date.

For the LCS attribute, use a date compare transform to return Active or Inactive. Based on the LCS you can automate disabling or deleting accounts.

I suggest you go with Approach 2. Deleting an identity immediately after they leave the organization is never a good approach.

It's never about getting output; it's always the approach that decides whether your solution is efficient, optimized and of quality.

However, I think SailPoint should change the product behavior when an authoritative source account gets deleted.

Instead of deleting the identity, you can change its LCS to No Authoritative Source or something similar. We can play around with these identities based on LCS.

Thanks
Krish

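An added example, not code from this thread or from SailPoint: a Web Services After Operation rule body that implements the lastAggregated stamping described in Approach 2 above. It is written in the BeanShell/Java dialect IdentityNow rules use. The input variable `processedResponseObject`, the `log` object and the returned map keyed `data` are my assumptions about the WSAO rule contract; check them against the linked Web Services After Operation Rule documentation before deploying.

```java
// Added example (not from the thread or from SailPoint's own documentation):
// a Web Services After Operation rule body that stamps every HR record
// returned by the endpoint with the time of this aggregation run.
// Assumptions: processedResponseObject is a List of Map objects (one per
// account record), log is the rule's logger, and the rule returns a Map
// with the updated list under the key "data".
import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.TimeZone;

// ISO 8601 in UTC, so a date compare transform can parse the value later
// without time-zone ambiguity.
SimpleDateFormat iso = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss'Z'");
iso.setTimeZone(TimeZone.getTimeZone("UTC"));
String now = iso.format(new Date());

List updated = new ArrayList();
if (processedResponseObject != null) {
  for (int i = 0; i < processedResponseObject.size(); i++) {
    Map record = (Map) processedResponseObject.get(i);
    if (record == null) {
      continue; // skip malformed entries rather than failing the aggregation
    }
    // Only records present in this response receive the current stamp. A
    // user the HR system no longer returns keeps whatever lastAggregated the
    // account already carried, which is what the date compare relies on.
    record.put("lastAggregated", now);
    updated.add(record);
  }
}
log.info("WSAO rule stamped " + updated.size() + " HR records with lastAggregated=" + now);

Map result = new HashMap();
result.put("data", updated);
return result;
```

The attribute still has to be added to the source's account schema and mapped to an identity attribute before a transform can read it. The date compare transform then compares lastAggregated with the current date (for instance, a value older than the previous aggregation day yields Inactive, anything newer yields Active) and feeds the lifecycle state that drives the disable or delete automation. Because the whole approach hinges on the stale stamp surviving, verify in a test tenant that accounts absent from an aggregation are retained with their old lastAggregated rather than removed.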

Thanks @MVKR7T! I absolutely agree that deletion should be taken as an LCS. I was involved in many IDM projects and two things are standard: the first one is to conserve the identity for audit purposes, and the second is that when employees leave the organization, several organizations perform, sometimes complex, workflows doing things on accounts besides simply disabling. Luckily, the client is now evaluating modifying their HR web services to include leaver users.
