We have a requirement to disable all target application accounts that are still enabled for identities whose lifecycle state is disabled/inactive.
What we have tried: We created a workflow to identify disabled identities and disable their associated application accounts. However, due to workflow loop limitations, we can process only around 250 records in parallel mode or 1,000 records in serial mode (as per the documentation), while we need to process approximately 3,000 identities.
Has anyone implemented a similar solution or found an alternative approach to handle this at scale? Any suggestions would be greatly appreciated.
You can accomplish this relatively easily using a workflow. Here is a high level approach and pseudocode of what I’m thinking:
Trigger: Schedule Trigger or External Trigger (depending on how you want to kick off the process).
HTTP Request (Search API): Use the Search API endpoint to fetch the targeted identities. Your search query would look something like this: attributes.identityState:"INACTIVE_LONG_TERM" AND @accounts(disabled:false)
Loop: Use a Serial Loop to iterate through the identities and execute an HTTP Request action to disable the source accounts.
Concurrency/Throttling: Complete the workflow and let the next scheduled interval pick up the next batch, or chain the trigger again if using an external API call to handle higher volumes.
Let me know if you have any questions or concerns on the approach!
My post above might be too much effort then. I would probably do this via a powershell script if it’s just a 1 time cleanup rather than trying to automate the cleanup process going forward.
Hi @trettkowski ,
Thanks for the suggestion. I have already implemented the same approach. Looks like there is no other way than this. Below is my workflow for reference.
I think there are more complicated solutions that will work, but this seems like the simplest
It will take a few runs to get all the identities finally cleared out, but once you are in a good state, this could run daily and clean up the leftover couple users easily.
Only thing I might suggest is using just 1 serial loop to get through the 1k identities, do your get account inside the loop, then disable inside the loop. You should be able to process more identities than you are currently doing per workflow run. This is just a nitpick since it will eventually get all the accounts anyway.
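For readers who take the scripted route mentioned above (a one-off cleanup outside the workflow engine), here is an added example that is not from any participant in this thread. It implements the same logic the workflow posts describe: run the search query from the thread, walk the result set page by page, and disable each still-enabled account inside the same loop. The endpoint paths and payload shapes (POST /v3/search with `searchAfter`, POST /v3/accounts/{id}/disable, identity documents carrying `attributes.identityState` and an `accounts` array with `disabled` and `source.name`) follow the public SailPoint ISC v3 API as I know it and should be treated as assumptions to check against your tenant's API docs. The HTTP layer is injected as a `post(path, body)` callable, so the sample below runs offline against constructed in-memory data; in a real run you would pass a function that adds a bearer token and calls the tenant.

```python
"""Bulk-disable the accounts of long-term-inactive identities.

Added example (not the thread's workflow or SailPoint's code).  API paths,
field names and response shapes are assumptions modelled on the ISC v3 API.
"""
import copy

# The search from the thread: inactive identities that still own an enabled account.
SEARCH_QUERY = 'attributes.identityState:"INACTIVE_LONG_TERM" AND @accounts(disabled:false)'


def search_pages(post, query, page_size=250):
    """Yield identity documents one page at a time using searchAfter keyset paging.

    Keyset paging (sort by id, resume after the last id seen) is what lets this
    scale past a fixed loop limit.  It is also why disabling accounts *during*
    the walk is safe: offset paging would skip records, because each disabled
    identity drops out of the query and shifts everything after it forward.
    """
    search_after = None
    while True:
        body = {
            "indices": ["identities"],
            "query": {"query": query},
            "sort": ["id"],
            "queryResultFilter": {"includes": ["id", "name", "attributes.identityState", "accounts"]},
        }
        if search_after:
            body["searchAfter"] = search_after
        page = post(f"/v3/search?limit={page_size}", body)
        if not page:
            return
        yield from page
        if len(page) < page_size:          # short page means we are done
            return
        search_after = [page[-1]["id"]]    # resume after the last id on this page


def accounts_to_disable(identity, skip_sources=()):
    """Return the ids of this identity's accounts that are still enabled.

    Re-checks the lifecycle state instead of trusting the query alone, and lets
    the caller exclude sources that must never be touched (e.g. the
    authoritative source feeding identity data).
    """
    if identity.get("attributes", {}).get("identityState") != "INACTIVE_LONG_TERM":
        return []
    return [a["id"] for a in identity.get("accounts", [])
            if not a.get("disabled", False)
            and a.get("source", {}).get("name") not in skip_sources]


def disable_inactive_accounts(post, dry_run=True, page_size=250, skip_sources=()):
    """Walk every page and disable each enabled account of an inactive identity.

    Returns (identities_seen, account_ids) so the run can be logged and audited.
    dry_run=True (the default) reports what would be disabled without calling the API.
    """
    seen, targeted = 0, []
    for identity in search_pages(post, SEARCH_QUERY, page_size):
        seen += 1
        for acct_id in accounts_to_disable(identity, skip_sources):
            if not dry_run:
                # Assumed ISC v3 call: POST /v3/accounts/{id}/disable
                post(f"/v3/accounts/{acct_id}/disable", {"forceProvisioning": False})
            targeted.append(acct_id)
    return seen, targeted


# --- Constructed sample tenant for offline runs (not real data) ------------
SAMPLE_IDENTITIES = [
    {"id": "id-001", "name": "a.adams", "attributes": {"identityState": "INACTIVE_LONG_TERM"},
     "accounts": [{"id": "acct-001", "disabled": False, "source": {"name": "Active Directory"}},
                  {"id": "acct-002", "disabled": True, "source": {"name": "Workday"}}]},
    {"id": "id-002", "name": "b.brown", "attributes": {"identityState": "ACTIVE"},
     "accounts": [{"id": "acct-003", "disabled": False, "source": {"name": "Active Directory"}}]},
    {"id": "id-003", "name": "c.clark", "attributes": {"identityState": "INACTIVE_LONG_TERM"},
     "accounts": [{"id": "acct-004", "disabled": False, "source": {"name": "Active Directory"}},
                  {"id": "acct-005", "disabled": False, "source": {"name": "IdentityNow"}}]},
    {"id": "id-004", "name": "d.diaz", "attributes": {"identityState": "INACTIVE_LONG_TERM"},
     "accounts": [{"id": "acct-006", "disabled": True, "source": {"name": "Active Directory"}}]},
    {"id": "id-005", "name": "e.evans", "attributes": {"identityState": "INACTIVE_LONG_TERM"},
     "accounts": [{"id": "acct-007", "disabled": False, "source": {"name": "Salesforce"}}]},
]


def make_fake_client(identities):
    """In-memory stand-in for the tenant: serves search pages in id order,
    applies the query, mutates state on disable, and records every call."""
    ordered = sorted(identities, key=lambda i: i["id"])
    calls = []

    def post(path, body):
        calls.append((path, body))
        if path.startswith("/v3/search"):
            limit = int(path.split("limit=")[1])
            after = body.get("searchAfter", [""])[0]
            matching = [i for i in ordered if i["id"] > after
                        and i["attributes"]["identityState"] == "INACTIVE_LONG_TERM"
                        and any(not a["disabled"] for a in i["accounts"])]
            return matching[:limit]
        if path.endswith("/disable"):
            acct_id = path.split("/")[3]
            for ident in ordered:
                for a in ident["accounts"]:
                    if a["id"] == acct_id:
                        a["disabled"] = True
            return {"id": acct_id, "status": "PENDING"}   # constructed response
        return {}

    post.calls = calls
    return post


def fresh_client():
    """A new fake client over an untouched copy of the sample data."""
    return make_fake_client(copy.deepcopy(SAMPLE_IDENTITIES))


if __name__ == "__main__":
    client = fresh_client()
    seen, ids = disable_inactive_accounts(client, dry_run=False, page_size=2,
                                          skip_sources=("IdentityNow",))
    print(f"identities processed: {seen}, accounts disabled: {ids}")
```

Run it once with the default `dry_run=True` and keep the returned list as your change record before running for real; a tiny `page_size` in the sample just forces several pages so the resume-after-last-id behaviour is exercised. The `skip_sources` list is where you protect the authoritative source and any system whose accounts are governed elsewhere.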