Can we disable the associated account when we revoke the role

Can we disable the associated account when we revoke the role?

Is this in regards to a specific Role?

Can you give an example of the configuration of the role?

Usually, you would disable an account based on the lifecycle states.

I'm assuming you could build a workflow to handle this, if you are licensed for workflows.

Hi @ts_fpatterson
Thanks for the response. We have a role which is requestable; any user can request it, and they will be provisioned to the AD source with certain entitlements once the role request gets approved.
Now, a few users mistakenly got access to the role, and we are trying to revoke the role manually, and at the same time it should disable the AD accounts.
We are looking for a solution along the above lines.
Any help in this regard would be very helpful for us.
Thanks
Narendra

Hi Narendra,

If you did trigger to disable the account, would you also want your lifecycle state to be updated to reflect that it is a disabled account? Oftentimes you would want all disabled accounts to be classified in given lifecycle states. For best practice, if the account should be disabled, a lifecycle state should detect this for these users, and then the role would be modified to have a condition to only evaluate for the given lifecycle states.

Hi @ts_fpatterson
To your question, No, we are not changing the lifecycle state.

You can do this in the BeforeProv rule.

Get all the entitlements the user has from the specific source (AD in your case) as a List, and, from this list, remove the entitlements being removed by the ProvPlan. After all entitlements are removed, if the original List is empty, then change AccountRequest.Operation to Disable.

2 Likes
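
The decision logic from the reply above, as an added example that is not part of the original thread and is not SailPoint's rule API: it models the provisioning plan as plain Python dictionaries so the check can be run and tested offline. The source name, the `memberOf` attribute, the dictionary layout and all function names are assumptions made for illustration.

```python
# Added illustration: a plain-dict model of a provisioning plan, not SailPoint's API.
AD_SOURCE = "Active Directory"   # assumed source name
ENTITLEMENT_ATTR = "memberOf"    # assumed entitlement attribute on the AD source

def norm(dn):
    # AD distinguished names compare case-insensitively.
    return dn.strip().lower()

def as_list(value):
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple, set)) else [value]

def remaining_after_plan(current, account_request):
    """Return (entitlements left after the request's Remove ops, whether any Remove was seen)."""
    removed = set()
    for attr in account_request.get("attributes") or []:
        if attr["name"] == ENTITLEMENT_ATTR and attr["op"] == "Remove":
            removed.update(norm(v) for v in as_list(attr["value"]))
    return [dn for dn in current if norm(dn) not in removed], bool(removed)

def apply_disable_rule(plan, current_entitlements):
    """Switch an AD Modify request to Disable when the plan strips the last entitlement.

    current_entitlements maps nativeIdentity -> group DNs held before the plan runs.
    """
    for req in plan["accountRequests"]:
        if req["source"] != AD_SOURCE or req["op"] != "Modify":
            continue  # other sources and Create/Delete/Enable requests pass through
        current = current_entitlements.get(req["nativeIdentity"])
        if current is None:
            continue  # account state unknown: leave the request untouched
        remaining, removed_any = remaining_after_plan(current, req)
        if removed_any and not remaining:
            req["op"] = "Disable"
    return plan

def sample_plan(groups_to_remove, source=AD_SOURCE):
    # Constructed sample input: one Modify request removing the given group DNs.
    return {"accountRequests": [{
        "source": source, "op": "Modify",
        "nativeIdentity": "CN=Test User,OU=Users,DC=example,DC=com",
        "attributes": [{"name": ENTITLEMENT_ATTR, "op": "Remove", "value": groups_to_remove}],
    }]}

if __name__ == "__main__":
    user = "CN=Test User,OU=Users,DC=example,DC=com"
    held = {user: ["CN=RoleGroup,OU=Groups,DC=example,DC=com"]}
    print(apply_disable_rule(sample_plan("cn=rolegroup,ou=groups,dc=example,dc=com"), held))
```

The request is left as Modify when the account still holds other groups, when the plan removes nothing, or when the account's current entitlements cannot be read, so an account is only disabled on positive evidence that the revocation empties it.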

Thanks for the help @iamnithesh. We have achieved this use case by using a PowerShell script.

3 Likes

@bkumar592 Would you mind sharing that PowerShell script here so others can learn from it? It would be a great help to the community.
