How terminated users are revoked from AD

What is the underlying concept/evidence used to communicate terminated users to SailPoint and then remove them from AD? (In simple terms: if an identity's status is terminated, how does SailPoint revoke access from other sources, especially from AD?) I need to understand the concept.

Hello @shaffusailpoint

Good day!

Please refer to the link below.

Thank you


Hi @shaffusailpoint,

There are different ways to handle this use case.

The best practice for handling the termination use case for any source (Active Directory etc.) is:

  1. When an identity moves from an Active to an Inactive LCS, remove all access and disable/delete the account.
  2. It depends on your requirement; maybe you want to just remove all access, keep the account disabled for some 30 days, and then delete the account.

To achieve the above use cases, you can use any of the following, as per your requirement:

  1. You can make use of the Lifecycle State configuration to make sure you disable the account and revoke access in Active Directory. Setting Up Lifecycle States - SailPoint Identity Services
  2. A Before Provisioning rule can be used to delete the Active Directory account (similarly, it can be used for any other source, except delimited sources). Before Provisioning Rule | SailPoint Developer Community
  3. You can make use of the Services Standard Before Provisioning Rule to achieve these use cases. IdentityNow Mock Project - Compass (sailpoint.com)

I would recommend you download the Mock Project and read the "Services Standard BeforeProvisioning" PDF; it will be under the supporting documents folder. This document has some use cases, their design and implementation steps, which will help you implement these kinds of requirements.

Hope this will help!

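To make the Before Provisioning option from the answer above concrete, here is an added example of such a rule. It is not code from the Mock Project, the Services Standard rule, or SailPoint; it was written for this page. It is a BeanShell Before Provisioning (connector) rule attached to the AD source. When the lifecycle state configuration issues a Disable for a terminated identity, the rule either keeps the Disable but parks the account in a disabled OU and stamps its description (the "keep it disabled for 30 days" variant), or, if a flag is set, converts the Disable into a Delete. The source name "Active Directory", the OU DN, the DELETE_ON_TERMINATION flag, the "description" attribute name, and the use of the AD connector's AC_NewParent move attribute are all assumptions to adapt to your tenant and connector version; `plan`, `application` and `log` are the inputs IdentityNow passes to this rule type.

```java
// Added example: Before Provisioning rule for an Active Directory source (BeanShell).
// Rule inputs supplied by IdentityNow: plan (sailpoint.object.ProvisioningPlan),
// application (sailpoint.object.Application), log.
import java.util.List;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

// --- hypothetical values; adapt to your tenant ---
String AD_SOURCE_NAME = "Active Directory";                     // name of the AD source this rule is attached to
String DISABLED_OU = "OU=Disabled Users,DC=example,DC=com";     // OU where terminated accounts are parked
boolean DELETE_ON_TERMINATION = false;                          // true: hard-delete instead of disable + move

// Nothing to do without a plan, and never touch plans that belong to another source.
if (plan == null || application == null || !AD_SOURCE_NAME.equals(application.getName())) {
    return plan;
}

List accountRequests = plan.getAccountRequests();
if (accountRequests == null) {
    return plan;
}

for (AccountRequest req : accountRequests) {
    // The lifecycle state configuration emits a Disable for AD when the identity
    // enters the terminated state; Create, Modify, Enable etc. pass through untouched.
    if (!AccountRequest.Operation.Disable.equals(req.getOperation())) {
        continue;
    }

    if (DELETE_ON_TERMINATION) {
        // Variant 2 from the answer: remove the AD object outright.
        log.info("Termination: converting Disable to Delete for " + req.getNativeIdentity());
        req.setOperation(AccountRequest.Operation.Delete);
        continue;
    }

    // Variant 1: keep the account disabled, but move it into the disabled OU and
    // mark it so it stays visible and can be deleted after the retention period.
    log.info("Termination: disabling " + req.getNativeIdentity() + " and moving it to " + DISABLED_OU);
    // AC_NewParent is the AD connector's "move object" attribute (assumption: verify for your connector version).
    req.add(new AttributeRequest("AC_NewParent", ProvisioningPlan.Operation.Set, DISABLED_OU));
    // "description" must exist in the AD source schema for this to be applied (assumption).
    req.add(new AttributeRequest("description", ProvisioningPlan.Operation.Set,
            "Disabled by IdentityNow on termination"));
}

return plan;
```

Two caveats when using this: the rule only reshapes the account operation; removal of roles and access profiles (and therefore AD group memberships) is still driven by the "remove access" setting of the lifecycle state, so configure both. And because a Delete is irreversible, gate the DELETE_ON_TERMINATION path behind a tested retention process rather than switching it on for every termination.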

Hey Shafuu,

As mentioned by VijayaSai, lifecycle states are used to manage leavers.

If you navigate to your Identity Profile's Provisioning tab, you can set up different states, for example Terminated. You can then choose what happens when a user moves into one of these states (maintain accounts, enable accounts or disable accounts), and which accounts to enable/disable.

The example below shows a Terminated lifecycle state which will disable users' accounts in Active Directory when an identity falls into this state.

It's important to remember that you will need a way to move users into this state, either manually or automatically (using a rule or transform on the cloud lifecycle state attribute). I hope this helps.

Best Wishes

Ryan
