How do I disable the SailPoint source?

Hey @chrisp,

There is currently no out-of-the-box method to perform this automated process.

For your information, the SailPoint account is really just a native account used by IdentityNow, essentially during the creation of the identity cube.

Although I can understand this may lead to some ambiguity, this account in particular, if I recall, is only ever displayed in this single place in the UI. However, as you’ve mentioned, it is in fact possible to disable the SailPoint account via the UI menu, which is essentially an IdentityNow REST API call being made to a specific endpoint.

Is there something specific here causing an issue with this account not being disabled?

Possible solutions:

The simplest solution would be to use a scheduled search query and perform the process manually, or have a simple external script which can perform this on a regular cadence.

It would, however, also be possible to configure an event trigger and automate this process any time there is a leaver process in IdentityNow, such as listening for users via the search of:
attributes.cloudLifecycleState:inactive.

See some triggers that could be used here:
https://developer.sailpoint.com/triggers/getting_started.html

The prerequisite for the Event Trigger Service (ETS) is that, at this moment, you would need to have a PaaS service (essentially a web service such as AWS Lambda/Azure Logic Apps, or even test this process with the open source services recommended in our guides!) to work with the event trigger, which will perform the Disable API request of the SailPoint account.

However, with this being said, as of the product roadmap here:

There will be Workflow Automation coming soon in the roadmap, which will likely simplify the above solution entirely and would therefore be another possible option to manage this. (In my opinion, this would hopefully be a worthwhile wait, where this requirement could be managed easily instead of the other options.)

Kind Regards,
Omar Khote, CISSP

2 Likes
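A sketch of the "simple external script" option from the answer above, added here as an example and not taken from the post or from SailPoint: it runs the `attributes.cloudLifecycleState:inactive` search and disables the matching account on one source. The endpoint paths (`/v3/search`, `/v3/accounts/{id}/disable`), the response field names, the source name `IdentityNow`, and a single page of search results are assumptions to check against your tenant's API documentation.

```python
import json
import urllib.request

QUERY = "attributes.cloudLifecycleState:inactive"  # search string from the post

def call_api(method, url, token, body=None):
    """Send one JSON request with a bearer token and return the decoded response."""
    req = urllib.request.Request(
        url, method=method,
        data=json.dumps(body).encode() if body is not None else None,
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else None

def accounts_to_disable(identities, source_name):
    """Pick accounts on the named source that are still enabled."""
    picked = []
    for identity in identities:
        for acct in identity.get("accounts", []):
            on_source = acct.get("source", {}).get("name") == source_name
            if on_source and not acct.get("disabled", False):
                picked.append({"identity": identity.get("name"), "account_id": acct["id"]})
    return picked

def disable_inactive(base_url, token, source_name, http=call_api, dry_run=True):
    """Search for inactive identities, then disable their account on source_name."""
    # Assumed endpoints: POST /v3/search and POST /v3/accounts/{id}/disable.
    body = {"indices": ["identities"], "query": {"query": QUERY}}
    identities = http("POST", f"{base_url}/v3/search", token, body) or []
    targets = accounts_to_disable(identities, source_name)
    for t in targets:
        t["url"] = f"{base_url}/v3/accounts/{t['account_id']}/disable"
        if not dry_run:  # a dry run only reports what would be disabled
            http("POST", t["url"], token, {})
    return targets

# Constructed sample of a search response, used to exercise the selection offline.
SAMPLE = [
    {"name": "jdoe", "accounts": [
        {"id": "a1", "disabled": False, "source": {"name": "IdentityNow"}},
        {"id": "a2", "disabled": False, "source": {"name": "Active Directory"}}]},
    {"name": "asmith", "accounts": [
        {"id": "a3", "disabled": True, "source": {"name": "IdentityNow"}}]},
]

if __name__ == "__main__":
    print(accounts_to_disable(SAMPLE, "IdentityNow"))
```

Run it with `dry_run=True` first and review the returned list before letting a scheduler issue the disable calls.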