We have a few sources where we would like to disable the account when access is removed.
I can't think of a way to implement this OOTB, like in role criteria or workflow.
We would want to implement this for SailPoint provided connectors such as SalesForce or AWS etc. as well as Web Service sources, ideally with a solution that is general and applicable with all/most sources.
(eg Web Service Before Operation could achieve it, but that would only be for Web Service sources)
At the moment, when user loses all roles for a given application/source, the account still remains active, just without the entitlements.
Scenario we would like to implement:
(Steps 1-4 are all OK, missing piece is step 5)
1. User requests role for Application.
2. IDN provisions account/updates source account with requested entitlement(s)
3. Role is revoked
4. IDN updates account to remove entitlement(s)
5. If identity has no more roles that give access to Application, then account should be disabled
How about a workflow that triggers on Provisioning Completed, and, after checking the type of Provisioning process, for each of the account requests in the trigger input:
using the Search API, check if the identity is left with any entitlement in the specific Source, with a query that would look something like:
`id:{{recipient.id from trigger}} AND @access(type:ENTITLEMENT AND source.name:{{from trigger account requests}})`
and if no entitlements are left (result body is empty) then Disable account in that source
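As an added illustration of the check described in this reply (not code from the thread or from SailPoint), here is the decision logic a workflow or script would run over a Provisioning Completed event. The event shape (`recipient`, `accountRequests`, `attributeRequests`, `provisioningResult`) and the `search` callable standing in for the Search API are assumptions; the disable call itself is left to the caller.

```python
import json
from typing import Any, Callable, Dict, List

def build_query(identity_id: str, source_name: str) -> str:
    """Search query from the reply above: any ENTITLEMENT left on this source?
    The source name is quoted so names with spaces match as a phrase."""
    return f'id:{identity_id} AND @access(type:ENTITLEMENT AND source.name:"{source_name}")'

def is_removal(account_request: Dict[str, Any]) -> bool:
    """True when every attribute request on the account is a Remove (a revocation)."""
    attrs = account_request.get("attributeRequests", [])
    return bool(attrs) and all(a.get("op") == "Remove" for a in attrs)

def accounts_to_disable(event: Dict[str, Any],
                        search: Callable[[str], List[Dict]]) -> List[Dict[str, str]]:
    """Return accounts whose source the identity no longer holds any entitlement on.
    `search(query)` returns the matching identity documents; an empty list means
    the identity has nothing left on that source, so the account can be disabled."""
    recipient_id = event["recipient"]["id"]
    seen, result = set(), []
    for req in event.get("accountRequests", []):
        # Only act on committed revocations; skip adds and failed requests.
        if req.get("provisioningResult") != "committed" or not is_removal(req):
            continue
        source_name = req["source"]["name"]
        if source_name in seen:          # one check per source per event
            continue
        seen.add(source_name)
        if not search(build_query(recipient_id, source_name)):
            result.append({"account": req["account"]["name"], "source": source_name})
    return result

# Constructed sample event (assumed payload shape, not a real trigger capture).
SAMPLE_EVENT = {
    "recipient": {"id": "2c91808a", "name": "jane.doe", "type": "IDENTITY"},
    "accountRequests": [
        {"account": {"name": "jane.doe@example.com"}, "source": {"name": "Salesforce"},
         "provisioningResult": "committed",
         "attributeRequests": [{"attributeName": "Profile", "op": "Remove", "attributeValue": "Sales"}]},
        {"account": {"name": "jdoe"}, "source": {"name": "Payroll App"},
         "provisioningResult": "committed",
         "attributeRequests": [{"attributeName": "groups", "op": "Remove", "attributeValue": "Viewers"}]},
        {"account": {"name": "jane"}, "source": {"name": "AWS"},
         "provisioningResult": "committed",
         "attributeRequests": [{"attributeName": "groups", "op": "Add", "attributeValue": "Admins"}]},
    ],
}

# Constructed stand-in for the Search API: only "Payroll App" still has an entitlement.
def fake_search(query: str) -> List[Dict]:
    return [{"id": "2c91808a"}] if 'source.name:"Payroll App"' in query else []

if __name__ == "__main__":
    print(json.dumps(accounts_to_disable(SAMPLE_EVENT, fake_search), indent=2))
```

Only the Salesforce account comes back as a disable candidate: Payroll App still has an entitlement, and the AWS request is an Add.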
Any particular reason that you want to disable access when there are no underlying entitlements?
Also, if you did disable the account, you would have to have another program to re-enable it once it got provisioned with a new entitlement.
Sounds like a lot of work for what is really just a cosmetic feature
Some applications base licensing on number of active accounts
Business is concerned that users could still log in to backend application, when they shouldn’t be able to anymore. Even if their roles are removed, there still might be actions they could take or data they can view.