Best Practices for Automating Leaver/Offboarding Scenarios with Delayed Entitlement Removal

We are working on refining our Leaver (offboarding) processes in IdentityNow, and I’m looking for insights on how others are handling a common scenario: delayed entitlement removal.

For example, when an employee is terminated, our policy requires:

Immediate disabling of core accounts (Okta, Active Directory) on their last day.

Allowing access to their HR/Payroll system for an additional 30 days to retrieve final pay stubs.

What is your preferred method for managing phased or delayed deprovisioning for specific applications?

you can have separate LCS like inactive and inactive30 and you can deprovision access based on these LCS

The preferred method is to create a custom workflow that triggers on the employee’s termination, disables core accounts immediately, and then uses a timer to deprovision HR/Payroll access after 30 days. This approach ensures employees can access necessary systems for a short period while maintaining security for sensitive data.

For detailed guidance, refer to SailPoint’s official documentation:

• SailPoint Identity Services - Building Workflows
• SailPoint Identity Services - Workflow Triggers