Default behavior to delete identity when source account is no longer in scope

ts_fpatterson · December 1, 2023, 9:45pm

This seems to be a reoccurring topic. The only documented solution I have found has been within the dev community.

A new environment implementing IDN may have had thousands of previously accounts. Over time we don’t want to aggregate all of those previous accounts. A university for example could have over 100k easy. We may want to onboard them initially and then change our scope to maybe only retain terminated accounts for 90 days. But once you scope it down on the aggregation, they are deleted from IDN.

My question is, why isn’t this a parameter / attribute that is already on all of the connectors by default and in the UI? Most customer’s I’m working with want to maintain a unique email address, login ID, etc. If a source system was to maintain this data with a write back, we would have to scope all data to aggregate the entire data set to make sure we did not already issue a given email or login ID.

Just wondering if it make sense by others to request this on all connectors by default and to be configured through the UI or not?

There is a work around as seen below, to update a source system.

[
    {
        "op": "add",
        "path": "/connectorAttributes/checkDeletedDisabled",
        "value": "true"
    }
]

MVKR7T · December 2, 2023, 9:36am

You can filter the accounts while aggregating using filterString. If it is not aggregated then Identity gets deleted.

IdentityNow Account Filtering during Account Aggregation - Compass (sailpoint.com)

ts_fpatterson · December 4, 2023, 11:58am

Correct, which is why I’m posting this.

My preference is to have an Identity Vault where all Identities live. With multiple Identity Source systems, where does SailPoint recommend the storage of all identities past and present? If this is not best practice, what is the recommendation on storing all identiteis and ensuring unique values for emails and login ID values so that nobody ever is issued the same one?

MVKR7T · December 4, 2023, 1:16pm

Check this post.

Historical usernames when provisioning - IdentityNow (IDN) / IDN Discussion and Questions - SailPoint Developer Community Forum

system · February 2, 2024, 1:16pm

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
IDN mantains identities after deleting? ISC Discussion and Questions aggregation , identity-security-cloud	2	247	August 2, 2023
IDN delete accounts on connected systems? ISC Discussion and Questions identity-security-cloud , provisioning , connectors	2	131	August 18, 2024
Identity no longer comes in aggregation ISC Discussion and Questions aggregation , identity-security-cloud , provisioning	5	561	July 21, 2023
Delete Garbage Identity from SailPoint IIQ Discussion and Questions identityiq , identities	18	213	October 6, 2024
Endpoint for 'remove account' ISC Discussion and Questions	7	1142	July 19, 2023

Default behavior to delete identity when source account is no longer in scope

Related topics