Deletion of AD accounts from users

Which IIQ version are you inquiring about?

8.4 P2

Share all details about your problem, including any error messages you may have received.

Hi All,

We have a requirement to delete the AD accounts of users if they were disabled 40 days ago. I understand we can send a “Delete” operation in the provisioning plan and achieve this. Should we explicitly add a plan to remove all the entitlements from the account, or will the “Delete” operation handle the removal of entitlements by itself?

Kindly provide insights if anybody has implemented this already, or suggest any other suitable way.

Thanks

Divya M

Hi @DivyaSubha, Deletion of account (delete operation) should do the job.

Hi @DivyaSubha

As @pallavi mentioned, you don’t need to explicitly remove entitlements. When you send a Delete operation for the AD account, it will automatically remove the account along with all associated entitlements.

How are you disabling AD accounts? Is it through Rapid Setup, a Before Provisioning rule, or a custom rule?

Hi @DivyaSubha - the Delete is a one stop shop for removing everything. Are you removing entitlements as part of your initial disable?

Hi @DivyaSubha You don’t need to remove the groups explicitly when you delete the entire user object from AD.

Thanks,

PVR.

@DivyaSubha From AD perspective, delete will take care of clearing out all relationships. But in IIQ over time, you may see orphan/stale assignments in identity entitlements and roles on the users. This may lead to auto creation of the accounts during identity refresh (due to attributeassignments or role assignment metadata). So, as a best practice, you should clear out all assignments first and then delete the account.
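
The ordering recommended in the last reply (clear the assignments, then delete the account) could look like the following BeanShell rule body. This is an added example, not code posted by anyone in the thread: the application name `Active Directory`, the identity name `jdoe` and the literal `assignment` argument key are assumptions, it covers entitlement (attribute) assignments only, not role assignments, and selecting accounts disabled 40 days ago is left to the caller.

```java
// BeanShell rule body; "context" is the SailPointContext that IIQ passes to rules.
import java.util.ArrayList;
import java.util.List;
import sailpoint.api.Provisioner;
import sailpoint.object.AttributeAssignment;
import sailpoint.object.Attributes;
import sailpoint.object.Identity;
import sailpoint.object.Link;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

String appName = "Active Directory";  // assumption: name of your AD application
Identity identity = context.getObjectByName(Identity.class, "jdoe");  // constructed sample
List links = identity.getLinks() != null ? new ArrayList(identity.getLinks()) : new ArrayList();

for (Link link : links) {  // iterate a copy: the delete drops the link from the identity
    if (!appName.equals(link.getApplicationName()) || !link.isDisabled()) continue;
    String nativeId = link.getNativeIdentity();

    // Step 1: remove the assignments IIQ holds for this account, so a later
    // identity refresh has nothing that would re-create the account.
    AccountRequest clear = new AccountRequest(AccountRequest.Operation.Modify, appName, null, nativeId);
    int removals = 0;
    List assignments = identity.getAttributeAssignments();
    if (assignments != null) {
        for (AttributeAssignment aa : assignments) {
            if (!appName.equals(aa.getApplicationName())) continue;
            if (aa.getNativeIdentity() != null && !nativeId.equals(aa.getNativeIdentity())) continue;
            AttributeRequest rm = new AttributeRequest(aa.getName(), ProvisioningPlan.Operation.Remove, aa.getValue());
            Attributes args = new Attributes();
            args.put("assignment", "true");  // assumption: marks the request as an assignment removal
            rm.setArguments(args);
            clear.add(rm);
            removals++;
        }
    }
    if (removals > 0) {
        ProvisioningPlan clearPlan = new ProvisioningPlan();
        clearPlan.setIdentity(identity);
        clearPlan.add(clear);
        new Provisioner(context).execute(clearPlan);
    }

    // Step 2: delete the account itself; AD drops the group memberships with the object.
    ProvisioningPlan deletePlan = new ProvisioningPlan();
    deletePlan.setIdentity(identity);
    deletePlan.add(new AccountRequest(AccountRequest.Operation.Delete, appName, null, nativeId));
    new Provisioner(context).execute(deletePlan);
}
```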