Hi,
Can somebody help to delete uncorrelated AD accounts using an IDN workflow?
Even if you delete, you get the same accounts once you run the Aggregation Task.
If you don’t have those uncorrelated accounts at the AD end, do not enable the Disable Account Deletion option; set it to 100% so that there will be no warnings.
Not sure why you are considering Workflows for this requirement.
Thanks
Krish
You might also just be struggling with how to manage uncorrelated accounts. Take a look at this document:
Best Practices: Managing Service Accounts in IdentityNow - Compass (sailpoint.com)
I’m sure there is something better in the Developer Community; I’m just sometimes more old school and know where things are quicker in the older Community.
We follow Option 3, but happy to talk more about any of them if you want to spitball ideas.
Thanks!
I have recently made changes to the configuration of My Authoritative application. Previously, there were 75k users in the HR Source, but now there are only 45k users. As a result, there is a significant amount of garbage and uncorrelated data in the Active Directory (AD). Instead of directly deleting the data from AD, I would like to explore the possibility of using a workflow to manage it.
You can configure the Delete operation via the Provisioning Policy and invoke it via the Manage Access operation in Workflows.
I understand that,
Correct approach:
You should have disabled account deletion in the HR Source aggregation, calculated LCS, and, based on it, disabled accounts in all the target applications, not just AD.
Anyway, Identities are already deleted. It is never recommended to build something temporary at IDM. Better to inform AD team to do the cleanup.
You cannot delete an account using Workflows; currently it is supported only for the Delimited File source.
What would I do if I were in your situation?
In my earlier projects, the AD team scheduled a script which deletes AD accounts whose last working date was 30 days ago, as IDN doesn’t have the capability to delete accounts at the moment.
For the future, you can use the AD description attribute: update it to a delete marker based on LCS if the account needs to be deleted, and then, using a Before Provisioning Rule (Cloud Rule), change the account request operation from Modify to Delete.
Thanks
Krish
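The Before Provisioning Rule pattern described in the reply above, written out as an added example (not Krish's code and not from any SailPoint documentation). It assumes the identity profile's attribute sync already writes the constructed marker value `delete` into the AD `description` attribute when the lifecycle state calls for removal; the rule itself is BeanShell-compatible Java running against the `plan` and `log` variables that IDN provides to cloud rules.

```java
import java.util.List;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

// Assumptions for this example: the identity profile pushes the marker
// value "delete" into the AD "description" attribute based on LCS.
// Both names are constructed for illustration; adjust to your source.
String MARKER_ATTR = "description";
String MARKER_VALUE = "delete";

List accountRequests = plan.getAccountRequests();
if (accountRequests != null) {
    for (int i = 0; i < accountRequests.size(); i++) {
        AccountRequest req = (AccountRequest) accountRequests.get(i);

        // Only rewrite Modify requests. Create, Disable, Enable and
        // Delete requests already carry the operation they should have.
        if (!AccountRequest.Operation.Modify.equals(req.getOperation())) {
            continue;
        }

        AttributeRequest attr = req.getAttributeRequest(MARKER_ATTR);
        if (attr == null || attr.getValue() == null) {
            continue;
        }

        String value = attr.getValue().toString().trim();
        if (MARKER_VALUE.equalsIgnoreCase(value)) {
            // Leave an audit trail in the cloud rule log so the change of
            // operation can be traced back to the identity and the marker.
            log.info("BeforeProvisioning: Modify -> Delete for "
                    + req.getNativeIdentity() + " (marker attr=" + MARKER_ATTR + ")");

            req.setOperation(AccountRequest.Operation.Delete);

            // A Delete carries no attribute changes; clear them so the
            // connector does not try to apply a Modify payload on top of
            // the delete.
            req.setAttributeRequests(null);
        }
    }
}
// The plan is modified in place; nothing needs to be returned.
```

Because the rule only ever converts a Modify whose marker was set by attribute sync, an account that is not in a terminal lifecycle state keeps its normal Modify flow and is never deleted by this path.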