Default behavior to delete identity when source account is no longer in scope

This seems to be a recurring topic. The only documented solution I have found has been within the dev community.

A new environment implementing IDN may have had thousands of previous accounts. Over time we don’t want to aggregate all of those previous accounts. A university for example could have over 100k easy. We may want to onboard them initially and then change our scope to maybe only retain terminated accounts for 90 days. But once you scope it down on the aggregation, they are deleted from IDN.

My question is, why isn’t this a parameter / attribute that is already on all of the connectors by default and in the UI? Most customers I’m working with want to maintain a unique email address, login ID, etc. If a source system were to maintain this data with a write back, we would have to scope all data to aggregate the entire data set to make sure we did not already issue a given email or login ID.

Just wondering if it makes sense to others to request this on all connectors by default and to be configured through the UI or not?

There is a workaround, as seen below, to update a source system.

[
    {
        "op": "add",
        "path": "/connectorAttributes/checkDeletedDisabled",
        "value": "true"
    }
]
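An added simulation (not from the original post or from SailPoint) of the behaviour described above: a scoped-down aggregation drops identities for accounts the source no longer returns, so a later uniqueness check cannot see a previously issued login ID; with checkDeletedDisabled set via the JSON Patch above, the identities are retained. The account data, the filterString stand-in and the apply_add helper are constructed for the example.

```python
from datetime import date, timedelta

# Constructed sample accounts for a hypothetical university HR source; not real data.
ACCOUNTS = [
    {"login": "jsmith", "email": "jsmith@example.edu", "termDate": None},
    {"login": "jdoe",   "email": "jdoe@example.edu",   "termDate": "2024-01-15"},
    {"login": "alee",   "email": "alee@example.edu",   "termDate": "2024-05-20"},
]
# Identities IDN already holds from the initial, unscoped onboarding aggregation.
EXISTING_IDENTITIES = {a["login"] for a in ACCOUNTS}

def in_scope(account, today, retain_days=90):
    """Stand-in for a filterString that keeps active accounts and terminations
    newer than retain_days; older terminations are not returned by the aggregation."""
    if account["termDate"] is None:
        return True
    return date.fromisoformat(account["termDate"]) >= today - timedelta(days=retain_days)

def aggregate(accounts, existing, today, check_deleted_disabled=False):
    """Identities present after a scoped aggregation. By default an account the
    source no longer returns is treated as deleted and its identity is removed;
    with checkDeletedDisabled the previously known identities are retained."""
    returned = {a["login"] for a in accounts if in_scope(a, today)}
    return existing | returned if check_deleted_disabled else returned

def login_available(candidate, identities):
    """Uniqueness check run before issuing a login ID; it only sees retained identities."""
    return candidate not in identities

def check_deleted_disabled_patch():
    """The JSON Patch body from the thread, as sent with PATCH /v3/sources/{id}."""
    return [{"op": "add", "path": "/connectorAttributes/checkDeletedDisabled", "value": "true"}]

def apply_add(source, patch):
    """Minimal JSON Patch 'add' for the two-level path used above (hypothetical helper)."""
    for op in patch:
        parent, key = op["path"].lstrip("/").split("/")
        source.setdefault(parent, {})[key] = op["value"]
    return source

if __name__ == "__main__":
    today = date(2024, 6, 1)
    for flag in (False, True):
        ids = aggregate(ACCOUNTS, EXISTING_IDENTITIES, today, flag)
        print(f"checkDeletedDisabled={flag}: {sorted(ids)}, 'jdoe' reissuable={login_available('jdoe', ids)}")
```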

You can filter the accounts while aggregating using filterString. If it is not aggregated then Identity gets deleted.

IdentityNow Account Filtering during Account Aggregation - Compass (sailpoint.com)

Correct, which is why I’m posting this.

My preference is to have an Identity Vault where all Identities live. With multiple Identity Source systems, where does SailPoint recommend the storage of all identities past and present? If this is not best practice, what is the recommendation on storing all identities and ensuring unique values for emails and login ID values so that nobody ever is issued the same one?

Check this post.

Historical usernames when provisioning - IdentityNow (IDN) / IDN Discussion and Questions - SailPoint Developer Community Forum
