We have a requirement to delete the accounts of users with no login date, except for service accounts. This is only applicable to one application, but we might need to add other applications in the future, so the scalability of the configuration is important.
Question is, what would be the best approach for this? Should we do this via workflow or some before provisioning cloud rule? If via workflow, what would be the trigger for this?
I would appreciate it if you could share your input, especially those of you who have a similar use case. Thank you so much!
Hi Jasmine! Beyond the particular condition of the empty login date, take into account that ISC connectors do not delete accounts on connected systems. Moreover, this action is not recommended (as everything is integrated, a mistake in authoritative data can lead to massive deletions).
That said, you should think about dividing this into what triggers the deletion and the deletion operation itself. The delete operation per se has to be performed with the connector technology (for example, with a PowerShell rule if it is an AD connector, a JDBC provisioning rule with some delete SQL statement if it is a database application, and so on; some connectors may have no way to send a delete, so perhaps you can send some attribute, combined with a native script that performs the deletion).
For the decision artifact that looks up some attribute and triggers, you can achieve it with a before-operation rule or a workflow. I would choose workflow, so I can bypass the SailPoint deployment process, which adds more uncertainty to your effort.
Remember that accounts cannot be touched outside the target source. But you can have a “fake” delimited text source (which can indeed be updated with the API). I am thinking of a schema for this source with attributes like “hasToDeleteAD”, “hasToDeleteWS1”, etc. So in the workflow, you should read the attribute that marks the condition to delete some application, and then you can use the HTTP Request action to call the ISC API and update the appropriate “hasApplicationX” attribute to true. Then, with rules or external scripts, you can delete the account on the target.
PS: I have been part of some disaster scenarios with other tools, and I agree with SailPoint in recommending that clients not use ISC to delete accounts.
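Added example (not from either post, and not SailPoint's own code): the decision half of the split described in the answer above, written as a small Python script so the "no login date, except service accounts" rule can be reviewed and tested on its own before any workflow or rule is built. It selects the accounts to flag, refuses to proceed if the selection is a suspiciously large share of the source (the mass-deletion risk the answer warns about), and builds the JSON Patch request that sets the marker attribute on the "fake" delimited-file source account. The attribute names (`lastLogin`, `serviceAccount`, `hasToDeleteAD`), the `svc_` naming prefix, the sample accounts, and the exact `PATCH /v3/accounts/{id}` path and `application/json-patch+json` content type are assumptions to verify against your tenant's schema and the current ISC API reference; the script builds the request but does not send it.

```python
"""Decide which accounts should be flagged for deletion and build the ISC API
call that sets the marker attribute on the helper (delimited-file) source.

Assumptions (not from the original thread): attribute names, the svc_ prefix
convention, the sample data, and the PATCH /v3/accounts/{id} JSON Patch call.
"""
import json
from dataclasses import dataclass, field


@dataclass
class Account:
    id: str                       # ISC account id
    name: str                     # native identity / account name
    attributes: dict = field(default_factory=dict)


def is_service_account(acct: Account) -> bool:
    """Service accounts are excluded: either an explicit flag on the account
    or a naming convention (svc_ prefix). Both are assumed conventions."""
    flag = acct.attributes.get("serviceAccount")
    if isinstance(flag, str):
        flag = flag.strip().lower() == "true"
    return bool(flag) or acct.name.lower().startswith("svc_")


def has_empty_login_date(acct: Account, attr: str = "lastLogin") -> bool:
    """Treat a missing attribute, None, or a blank string as 'no login date'."""
    value = acct.attributes.get(attr)
    return value is None or (isinstance(value, str) and value.strip() == "")


def select_for_deletion(accounts: list) -> list:
    """Accounts with no login date that are not service accounts."""
    return [a for a in accounts
            if has_empty_login_date(a) and not is_service_account(a)]


def within_blast_radius(selected: int, total: int, max_fraction: float) -> bool:
    """Guard against bad authoritative data: refuse to flag more than
    max_fraction of the source in one run. An empty source never passes."""
    if total <= 0:
        return False
    return (selected / total) <= max_fraction


def build_marker_patch(marker_attr: str) -> list:
    """JSON Patch body that sets e.g. hasToDeleteAD=true on the helper
    source account. Delimited-file attributes are strings, hence "true"."""
    return [{"op": "replace", "path": f"/attributes/{marker_attr}", "value": "true"}]


def build_marker_request(base_url: str, marker_account_id: str,
                         marker_attr: str, token: str) -> dict:
    """Describe the HTTP Request action the workflow would issue. The endpoint
    and content type are assumptions to check against the ISC API reference."""
    return {
        "method": "PATCH",
        "url": f"{base_url}/v3/accounts/{marker_account_id}",
        "headers": {
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json-patch+json",
        },
        "body": json.dumps(build_marker_patch(marker_attr)),
    }


# Constructed sample data standing in for the target source's accounts.
SAMPLE_ACCOUNTS = [
    Account("a1", "alice", {"lastLogin": "2024-05-01T08:00:00Z"}),
    Account("a2", "bob", {"lastLogin": ""}),
    Account("a3", "svc_backup", {"lastLogin": "", "serviceAccount": "true"}),
    Account("a4", "carol", {}),
]

# Constructed ids for the helper-source accounts that mirror each user.
MARKER_ACCOUNT_IDS = {"bob": "m2", "carol": "m4"}


def plan_run(accounts: list, base_url: str, token: str,
             marker_attr: str = "hasToDeleteAD", max_fraction: float = 0.05) -> list:
    """Return the list of requests to send, or raise if the run looks unsafe."""
    selected = select_for_deletion(accounts)
    if not within_blast_radius(len(selected), len(accounts), max_fraction):
        raise RuntimeError(
            f"refusing: {len(selected)} of {len(accounts)} accounts flagged, "
            f"above the {max_fraction:.0%} limit")
    return [build_marker_request(base_url, MARKER_ACCOUNT_IDS[a.name],
                                 marker_attr, token) for a in selected]


if __name__ == "__main__":
    flagged = select_for_deletion(SAMPLE_ACCOUNTS)
    print("flagged:", [a.name for a in flagged])
    try:
        plan_run(SAMPLE_ACCOUNTS, "https://tenant.api.identitynow.com", "TOKEN")
    except RuntimeError as err:
        print(err)  # 2 of 4 exceeds the 5% guard on this tiny sample
```

The threshold in `within_blast_radius` is deliberately strict; in production you would size it from the normal daily churn of the source and have the workflow stop (and alert) rather than continue when the guard trips. Adding a second application means another marker attribute on the helper source and another entry in `plan_run`, which is where the "scalability of the configuration" asked about in the question ends up living.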