Default behavior to delete identity when source account is no longer in scope

This seems to be a reoccurring topic. The only documented solution I have found has been within the dev community.

A new environment implementing IDN may have had thousands of previously accounts. Over time we don’t want to aggregate all of those previous accounts. A university for example could have over 100k easy. We may want to onboard them initially and then change our scope to maybe only retain terminated accounts for 90 days. But once you scope it down on the aggregation, they are deleted from IDN.

My question is, why isn’t this a parameter / attribute that is already on all of the connectors by default and in the UI? Most customer’s I’m working with want to maintain a unique email address, login ID, etc. If a source system was to maintain this data with a write back, we would have to scope all data to aggregate the entire data set to make sure we did not already issue a given email or login ID.

Just wondering if it make sense by others to request this on all connectors by default and to be configured through the UI or not?

There is a work around as seen below, to update a source system.

        "op": "add",
        "path": "/connectorAttributes/checkDeletedDisabled",
        "value": "true"

You can filter the accounts while aggregating using filterString. If it is not aggregated then Identity gets deleted.

IdentityNow Account Filtering during Account Aggregation - Compass (

Correct, which is why I’m posting this.

My preference is to have an Identity Vault where all Identities live. With multiple Identity Source systems, where does SailPoint recommend the storage of all identities past and present? If this is not best practice, what is the recommendation on storing all identiteis and ensuring unique values for emails and login ID values so that nobody ever is issued the same one?

Check this post.

Historical usernames when provisioning - IdentityNow (IDN) / IDN Discussion and Questions - SailPoint Developer Community Forum

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.