Cannot Delete Account Upon Termination

Hi All,

We have a use case to delete the user’s account upon user termination. These are the configurations I did to achieve this:

  1. Configured the provisioning lifecycle to disable account
  2. Created and deployed BeforeProvisioning Rule to change the operation to delete
  3. Configured the HTTP operation
  4. Created a provisioning policy

However, when I tested it, the account was neither deleted nor disabled upon termination. Am I missing anything here? Please advise. Thank you!

1 Like

Jasmine,

If you look in ISC for the account, is the status still enabled or is it disabled? Are there any errors in the events?

Alicia

Hi Alicia,

Identity is still enabled and there are no errors in the events.

Hi, according to this URL, the API request for the users seems to be deprecated: GET /api/user/list

GET /api/v2/user endpoint was turned off in June 2023

Hello @jasmedina,

  1. Are you able to see any events in the identity cube for this disable/delete action?
  2. If you check the search for the account request, do you see the operation as disable or delete?
  3. Have you turned on CCG debug logging and checked there?

Hi Kiran,

The DELETE /api/v2/users/{id} still works and I was able to successfully call it in Postman.

Hi Braden,

  1. The only event I see in the identity cube is when the user turned from active to inactive state, but no specific event that points out that the account has been disabled/deleted.
  2. There is also none for the specific application that needs to be deleted.
  3. Not yet, but I will try this one.

Hi @jasmedina -

Can you confirm that the BeforeProvisioningRule is linked to the Source?

Regards,

Hi Kyle,

Yes, it is linked to the source.

I’d be cautious of using a deprecated IDN API as it could be turned off in the near future, if not already.

Have you tried to disable the account directly instead of going through the LCS?

You can do this on the accounts tab of an identity cube for an individual account. I know the end use case won’t be this, but this takes factors out of the equation for troubleshooting. Manually triggering this will yield the same as if it were configured in the LCS.

2 Likes

Hi @jasmedina,
If the delete API call is working, then is it going inside the if condition? Can you put loggers to see if it’s going inside the if condition?

Thank you for this input! The account was deleted when I turned the LCS manually. :slight_smile:

I have added previously a new LCS in the Identity Profile:

Is it correct to assume that I have to change the Identity Attribute Trigger to deleteInactive instead of inactive? I think that might be causing the issue. Or are there other configurations I need to update with the deleteInactive attribute?

1 Like

You can configure any LCS to perform this action. The only requirement is that the LCS contains the “Disable Accounts” for this source.

It’s not required, but it is good practice to add NULL checks and try/catch to the before provisioning rule. Here is an example:

```java
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;

try {
    // Guard against an empty plan before iterating.
    if (null != plan && null != plan.getAccountRequests()) {
        for (AccountRequest accountRequest : plan.getAccountRequests()) {
            AccountRequest.Operation accountOperation = accountRequest.getOperation();

            // Skip requests that carry no operation.
            if (null == accountOperation) continue;

            // Rewrite only the Disable request sent by the LCS; matching Modify
            // would also turn ordinary attribute updates into deletes.
            if (accountOperation.equals(AccountRequest.Operation.Disable)) {
                accountRequest.setOperation(AccountRequest.Operation.Delete);
            }
        }
    }
} catch (Exception e) {
    // Log the message together with the stack trace.
    log.error("The before provisioning rule threw an exception: ", e);
}
```

2 Likes

Got it! Looks like I have to change our cloudLifecycleState transform as well, since it is setting the inactive LCS instead of the delete LCS. Thanks for the help! This helped me pinpoint what needs to be updated. :slight_smile:

2 Likes
