Delete account when LifecycleState changes from inactive to 10days

Hi All,

I have created a workflow to delete an account when LifecycleState changes from Inactive to 10days.

My current config is:

  1. Trigger workflow when state changes from inactive to 10days

  2. fetch identity and account details

  3. Use Manage accounts and perform DELETE action for accounts

But it is not removing the accounts. Please help.

Hi @RitikaK,
The Delete account action is only available for flat file sources.

In case of connected sources, a beforeProvisioning rule can be used to delete accounts.

1 Like

Can we use HTTP Request, with requested URL as https://tenant.api.identitynow.com/v3/accounts and Method as DELETE?

Hi @RitikaK,
This endpoint only deletes the account from IdentityNow, not from the source itself, which can result in the account returning with the next aggregation between the source and IdentityNow.

Please see here for more details: delete-account | SailPoint Developer Community

Hi @RitikaK,

Deleting source accounts is not possible for directly connected sources. You need to use a Before Provisioning rule to change the provisioning plan to a delete operation (if the source supports the delete operation).
You can disable the accounts during the lifecycle state change, then capture the event in the Before Provisioning rule and change the action to delete.

You can refer to the SailPoint Standard Service Rule, which is of great use for AD connectors, to get insight into this.

https://community.sailpoint.com/t5/IdentityNow-Forum/IdentityNow-Mock-Project-Services-Standard-BeforeProvisioning/td-p/216158

Thanks

2 Likes
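The approach described in the reply above (disable the account on lifecycle state change, then rewrite the operation in a Before Provisioning rule), shown as an added example. This is not code from the thread or from SailPoint's Standard Service Rule; it is a BeanShell-style rule body written to the `sailpoint.object.ProvisioningPlan` API, and it assumes the platform supplies the usual rule inputs `plan`, `application` and `log`. The source name `EXAMPLE-AD-SOURCE` is a placeholder.

```java
import java.util.List;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;

// Assumption: the platform injects `plan` (ProvisioningPlan), `application` and `log`
// into a BeforeProvisioning rule. Only requests for this one source are rewritten;
// the name below is a placeholder to be replaced with the real source name.
String targetSource = "EXAMPLE-AD-SOURCE";

if (plan != null && plan.getAccountRequests() != null) {
    List accountRequests = plan.getAccountRequests();
    for (int i = 0; i < accountRequests.size(); i++) {
        AccountRequest req = (AccountRequest) accountRequests.get(i);
        if (req == null) {
            continue;
        }

        // Guard: never touch plans aimed at other sources, even if the rule
        // is accidentally attached elsewhere.
        if (!targetSource.equals(req.getApplication())) {
            continue;
        }

        // The lifecycle state change produces a Disable request; rewrite it to
        // Delete so the connector removes the account at the source instead of
        // only disabling it. Create/Modify/Enable requests are left untouched.
        if (AccountRequest.Operation.Disable.equals(req.getOperation())) {
            log.info("BeforeProvisioning: converting Disable to Delete for "
                     + req.getNativeIdentity() + " on " + req.getApplication());
            req.setOperation(AccountRequest.Operation.Delete);
        }
    }
}
```

Two caveats when adopting this pattern. First, the rule turns every Disable request for that source into a Delete, including ones raised manually or by other workflows, so in practice you want an additional condition (for example, an attribute on the identity that only the 10days lifecycle state sets) before rewriting the operation, and the rule should stay scoped to the one source it is meant for. Second, log each conversion as shown, because a deleted source account is not recoverable by a re-aggregation the way a disabled one is, and the log line is the only record of why the plan was changed.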

Thank you, I will try that.

Hi! Remember that ISC does not delete accounts from sources (and it is discouraged). The problem is that even if you manage to delete some account, it will appear again on the identity after aggregation.

A workaround could be that after these 10 days, you change some identity attribute (perhaps with a transform), and that triggers provisioning of that attribute to the endpoint account. Finally (not available for all connectors), you can filter aggregated accounts to read only accounts not having this flag.

As an example, talking about AD, you can have a transform that after 10 days changes the DN. This will cause the AD account to move to some X OU which is not under the connector base DN. Aggregation will then not bring this account next time, and it will disappear from your identity accounts.

I think you have to analyze each source, because connectors have different capabilities.
