Deprovisioning entitlements after lifecycle status change

Hi experts,

Im working with IDN and I wonder if it’s possible when a user change his cost center or department (the user will be a mover) that IDN automatically perform a deprovisioning of all the entitlements assigned to the user?

I think that maybe it will be a solution to create a new lifecycle state, Mover, and when IDN automatically set the user status to movers, run a deprovisioning of the selected application but the problem is that just deactivated option is possible.

Any ideas?

Best regards,
Beatriz.

Hi Beatriz,

You are almost in the right path,

  1. you can create a new LCS on identity profile say Mover
  2. Detect the value change in costcentre or department and set the LCS state using a transform in the identity profile mapping
  3. You can set something like disable account action on the Mover LCS state
  4. On the respective sources Before Provisioning Rule, you can capture the account request in disable state and the user LCS value as Mover and change the plan, account request to deprovision entitlements assigned on that source

This gives the outline, hope this helps.

Hi Sowmya,

Thank you for you reply!!! Very useful!

Hi @sowmya.sanagapalli ,

I’ve created a transform rule to identify when a identity have the Mover lifecycle state. I’m using the conditional transform rule type, the problem is that I’m not able to obtain the proper value. See my transform bellow:

{
  "attributes": {
    "expression": "$department eq $olddepartment",
    "positiveCondition": "true",
    "negativeCondition": "false",
    "department": {
        "attributes": {
            "sourceName": "HR Externals",
            "attributeName": "Department"
        },
        "type": "accountAttribute"
    },
    "olddepartment": {
        "attributes": {
            "name": "department"
        },
        "type": "identityAttribute"
    }
  },
  "type": "conditional",
  "id": "Test Conditional Transform"
}

Any idea? Do you see something wrong with my transform? Not sure If I can compare to values instead of one value vs a static value.

Hi @sowmya.sanagapalli,

This approach looks great, can you please suggest me how to detect changes in costcenter or department values.

Does this approach changes for connected and disconnected sources?

Best regards,
Aditya.

One easy way to accomplish the deprovisioning of access during cost centre/department changes are by using access profiles/roles. You can define the assignment for roles and when the user changes cost centre, they are deprovisioned automatically.