How do I disable the SailPoint source?

We have a user who has multiple accounts. The user is disabled in all of the source systems, but is still Enabled in the SailPoint Source.
How can we get the SailPoint source system automatically disabled when all of the other source systems are disabled?
The User’s lifecycle state is Inactive.
I don’t see anyplace to update the SailPoint source in an Identity Profile. Only manually.

Hey @chrisp ,

There is currently no out of the box method to perform this automated process.

For your information, the SailPoint account is really just a native account used by IdentityNow, essentially during the creation of the identity cube.

Although I can understand this may lead to some ambiguity, this account in particular, if I recall, is only ever displayed in this single place in the UI. However, as you’ve mentioned, it is in fact possible to disable the SailPoint account via the UI menu, which is essentially an IdentityNow REST API call being made to a specific endpoint.

Is there something specific here causing an issue with this account not being disabled?

Possible solutions:

The simplest solution would be to use a scheduled search query and perform the process manually, or have a simple external script which can perform this on a regular cadence.

It would, however, also be possible to configure an event trigger and automate this process any time there is a leaver process in IdentityNow, such as listening for users via the search of:
attributes.cloudLifecycleState:inactive.

See some triggers that could be used here:
https://developer.sailpoint.com/triggers/getting_started.html

The prerequisite for the Event Trigger Service (ETS) at this moment is that you would need to have a PaaS service (essentially a web service such as AWS Lambda/Azure Logic Apps, or you could even test this process with the open source services recommended in our guides!) to work with the event trigger, which will perform the Disable API request of the SailPoint account.

However, with this being said, as of the product roadmap here:

There will be Workflow Automation coming soon in the roadmap, which will likely simplify the above solution entirely and would therefore be another possible option to manage this. (In my opinion, it would hopefully be a worthwhile wait, where this requirement could be managed easily instead of the other options.)

Kind Regards,
Omar Khote, CISSP


Thanks Omar for responding and your ideas.

There isn’t really an issue, except for some people seeing an Enabled account, when all of the user’s access is disabled.
We’ll look at some of the solutions you suggested, and see how practical they are.

Chris

Hi @omar_khote_iam ,
I’ve finally gotten back to this, since client wants it!
I’m able to find the accounts by doing a search using
a POST to /search?count=true&offset=1&limit=2 with the query:

@accounts(disabled:false AND locked:false) AND (NOT attributes.cloudLifecycleState:"active")

and I pass the ID for the IdentityNow Source:

"id": "xxxx",
"source": {
"name": "IdentityNow",
"id": "yyyyy",
"type": "IdentityNowConnector"
},

xxxx in this example to a POST /account/provision/xxxx

This APPEARS to work, since the SailPoint source is showing as Disabled in the UI.
BUT, it doesn’t really update the source. I get the same number of identities when I run the query, and after a refresh, the SailPoint source goes back to Enabled.

I’m going to open a separate ticket for the API call, since @omar_khote_iam was able to get past my initial question.

Thanks,
Chris

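An added example (not code from this thread or from SailPoint): a client-side check over search results that selects the IdentityNow account only when the identity is not active and every other source account is already disabled, a condition from the original question that the posted query does not check by itself. The result document shape (an `accounts` list carrying `disabled`, plus `attributes.cloudLifecycleState`) is an assumption modelled on the fragment in the post, and all sample records are constructed.

```python
IDN_SOURCE_TYPE = "IdentityNowConnector"  # source type shown in the post


def is_enabled(account):
    # Assumed field: "disabled" (boolean), as used in the posted search query.
    return not account.get("disabled", False)


def stale_idn_accounts(identities):
    """Return (identity name, IdentityNow account id) pairs that are safe to disable:
    lifecycle state is not active, the IdentityNow account is still enabled,
    and no account on any other source is still enabled."""
    findings = []
    for ident in identities:
        state = (ident.get("attributes") or {}).get("cloudLifecycleState")
        if state == "active":
            continue
        idn, others = [], []
        for acct in ident.get("accounts") or []:
            is_idn = (acct.get("source") or {}).get("type") == IDN_SOURCE_TYPE
            (idn if is_idn else others).append(acct)
        if any(is_enabled(a) for a in others):
            continue  # a real source account is still live: leave for review
        # An identity with no other accounts at all also passes this check.
        findings += [(ident["name"], a["id"]) for a in idn if is_enabled(a)]
    return findings


def make_account(acct_id, name, source_type, disabled):
    # Helper for the constructed sample data below (hypothetical shape).
    return {"id": acct_id, "disabled": disabled, "locked": False,
            "source": {"name": name, "type": source_type}}


def make_identity(name, state, hr_disabled, idn_disabled):
    n = name[0]
    return {"name": name, "attributes": {"cloudLifecycleState": state},
            "accounts": [make_account("hr-" + n, "HR", "ExampleConnector", hr_disabled),
                         make_account("idn-" + n, "IdentityNow", IDN_SOURCE_TYPE, idn_disabled)]}


# Constructed sample: only alice should be reported.
SAMPLE = [
    make_identity("alice", "inactive", True, False),   # everything else off, IDN still on
    make_identity("bob", "inactive", False, False),    # HR account still enabled
    make_identity("carol", "active", False, False),    # active identity
    make_identity("dave", "inactive", True, True),     # IDN account already disabled
]

if __name__ == "__main__":
    for who, acct_id in stale_idn_accounts(SAMPLE):
        print(f"{who}: IdentityNow account {acct_id} is still enabled")
```

The returned account ids are the values that would be passed to whichever disable call is used; bob's case is the one the posted query would also return, because his HR account is still enabled.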

Hi Chris,

The SailPoint account is created based on the authoritative source, right? In the same way, it has to be disabled based on the authoritative source.

I think you are doing this manually via API call, but is there any way we can automate this process based on the authoritative source?

Thanks
Navin

Hi @chrisp, did you find a solution for this? If not, what you can perhaps do is create a new “Web service” source that does a callback and disables the identities based on the lifecycle state value. But if you did find a solution, then please go ahead and share :)