How to disable an account when the identity status is active but roles have been removed or the validity of a request has ended

GilbertoOledo14 · March 25, 2025, 6:48pm

Hello all!
We have the following use case: we need to deactivate an account when all its entitlements are removed, we have tried using workflows but we are not clear what the trigger should be.
Has anyone done this, how did you solve it?

Thanks in advance
Regards

vishal_kejriwal1 · March 25, 2025, 6:54pm

Check below in standard before prov rule

1 "Entitlement Cardinality Update Triggers":[
2 {
3 "Attribute":"groups",
4 "Operation":"LastRemoved",
5 "Value": null
6 }
7 ]

kdfreeman · March 25, 2025, 7:08pm

Use Provisioning Completed trigger . Triggers - SailPoint Identity Services

Filter on operation , “Remove” and source of your choice .
Fetch Identity
Run User Search API or Get Access (Entitlements) to fetch entitlement data.
Check if they have Entitlement or not, specified in Access Array on your source of concern.
If you don’t find any access item, then you can proceed with Account deactivation.

Thanks.

system · May 24, 2025, 7:08pm

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.