How is the off-boarding process implemented in your company?

From what I’ve seen, mostly the termination/off-boarding is done as below:

If the roles were granted via RBAC, then if that user moves out of membership criteria where LCS==Active, then all the roles/entitlements would be deprovisioned. Along with this, leverage inactive LCS and disable the target application accounts from identity profile settings.

Else, if the roles were granted via manual access request, then LCS==Inactive would disable your target accounts from the previous step, but the entitlements need to be deprovisioned by using one of the options below:

  • Manually by the admins (can leverage search subscriptions to schedule search reports to be sent regularly to the admins based on activity in your system or a general policy config)

  • Using a workflow.

  • Periodic certifications
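
The check that the manual and search-report options above come down to, as an added example that is not part of the original post and not any product's API: it scans an access export and lists inactive identities whose accounts are still enabled or whose entitlements remain. The record fields (`lifecycle_state`, `granted_via`, and so on) and the sample rows are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessRecord:
    identity: str
    lifecycle_state: str    # "active" or "inactive" (assumed export field)
    source: str             # target application the account lives on
    account_disabled: bool
    entitlement: str        # entitlement still present on that account
    granted_via: str        # "role" (RBAC) or "request" (manual access request)

def offboarding_gaps(records):
    """Return sorted (identity, item, issue) tuples for inactive identities."""
    findings = set()
    for r in records:
        if r.lifecycle_state.lower() != "inactive":
            continue
        if not r.account_disabled:
            # The inactive lifecycle state should have disabled the account.
            findings.add((r.identity, r.source, "account still enabled"))
        item = f"{r.source}:{r.entitlement}"
        if r.granted_via == "request":
            # Not removed by role membership: needs admin, workflow or certification.
            findings.add((r.identity, item, "requested entitlement still assigned"))
        else:
            # Should have been removed when the identity left the role criteria.
            findings.add((r.identity, item, "role entitlement not deprovisioned"))
    return sorted(findings)

# Constructed sample export, not real data.
SAMPLE = [
    AccessRecord("alice", "active", "crm", False, "admin", "request"),
    AccessRecord("bob", "inactive", "erp", True, "approver", "request"),
    AccessRecord("carol", "inactive", "hr", False, "viewer", "role"),
]

if __name__ == "__main__":
    for finding in offboarding_gaps(SAMPLE):
        print(" | ".join(finding))
```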