We are working on refining our Leaver (offboarding) processes in IdentityNow, and I’m looking for insights on how others are handling a common scenario: delayed entitlement removal.
For example, when an employee is terminated, our policy requires:
Immediate disabling of core accounts (Okta, Active Directory) on their last day.
Allowing access to their HR/Payroll system for an additional 30 days to retrieve final pay stubs.
What is your preferred method for managing phased or delayed deprovisioning for specific applications?
The preferred method is to create a custom workflow that triggers on the employee’s termination, disables core accounts immediately, and then uses a timer to deprovision HR/Payroll access after 30 days. This approach ensures employees can access necessary systems for a short period while maintaining security for sensitive data.
For detailed guidance, refer to SailPoint’s official documentation:
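Added example, not part of the reply above and not SailPoint code or documentation: a small Python model of the phased schedule described in this thread, usable as a reconciliation check that lists leaver accounts still enabled past their deadline if the workflow timer fails. The source names, the `GRACE_DAYS` table, the fail-closed default and the sample data are assumptions made for illustration.

```python
from datetime import date, timedelta

# Grace period in days per source, taken from the policy in the question.
# Source names are illustrative labels, not IdentityNow source identifiers.
GRACE_DAYS = {"Okta": 0, "Active Directory": 0, "HR/Payroll": 30}
DEFAULT_GRACE_DAYS = 0  # assumption: sources not listed fail closed


def disable_date(source, last_day):
    """Date on which the leaver's account on `source` must be disabled."""
    return last_day + timedelta(days=GRACE_DAYS.get(source, DEFAULT_GRACE_DAYS))


def due_actions(last_day, today, accounts):
    """Return (source, days_overdue) for accounts that should be disabled by
    `today` but are still enabled. `accounts` maps source -> enabled flag.
    Already-disabled accounts are skipped, so repeated runs are idempotent."""
    due = []
    for source, enabled in sorted(accounts.items()):
        deadline = disable_date(source, last_day)
        if enabled and today >= deadline:
            due.append((source, (today - deadline).days))
    return due


# Constructed sample: one leaver whose last day is 2024-03-01.
LAST_DAY = date(2024, 3, 1)
ACCOUNTS = {"Okta": True, "Active Directory": True,
            "HR/Payroll": True, "Wiki": True}

if __name__ == "__main__":
    # Day 0: everything except HR/Payroll is due, including the unlisted source.
    print(due_actions(LAST_DAY, LAST_DAY, ACCOUNTS))
    # Day 35 with core accounts already disabled: HR/Payroll is 5 days overdue.
    later = {"Okta": False, "Active Directory": False, "HR/Payroll": True}
    print(due_actions(LAST_DAY, LAST_DAY + timedelta(days=35), later))
```

Running a check like this on a schedule, separately from the workflow itself, surfaces a timer that never fired as a nonzero `days_overdue` value.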