How to disable an account when the identity status is active but roles have been removed or the validity of a request has ended

Hello all!
We have the following use case: we need to deactivate an account when all its entitlements are removed. We have tried using workflows, but we are not clear what the trigger should be.
Has anyone done this? How did you solve it?

Thanks in advance
Regards

Check below in standard before prov rule

    "Entitlement Cardinality Update Triggers": [
        {
            "Attribute": "groups",
            "Operation": "LastRemoved",
            "Value": null
        }
    ]
2 Likes

Use Provisioning Completed trigger. Triggers - SailPoint Identity Services

  • Filter on operation, “Remove” and source of your choice.
  • Fetch Identity
  • Run User Search API or Get Access (Entitlements) to fetch entitlement data.
  • Check if they have Entitlement or not, specified in Access Array on your source of concern.
  • If you don’t find any access item, then you can proceed with Account deactivation.

Thanks.

1 Like
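The decision step of the procedure in the reply above, as an added example that is not part of the original thread or SailPoint's own code: it filters a Provisioning Completed event for successful "Remove" operations on one source, then only returns an account to disable when no entitlement remains on that source. The field names (`accountRequests`, `attributeRequests`, `provisioningResult`, and the access item's `type` and `source`) are assumptions modelled on the trigger payload and search results and should be checked against your tenant. The source name and account ID are constructed, and one account per source is assumed.

```python
SOURCE_OF_CONCERN = "Corporate Active Directory"  # assumed source name

def removal_requests(event, source_name):
    """Account requests on the chosen source that successfully removed a value."""
    hits = []
    for req in event.get("accountRequests", []):
        if req.get("source", {}).get("name") != source_name:
            continue
        if str(req.get("provisioningResult", "")).upper() != "SUCCESS":
            continue  # a failed removal leaves the access in place
        if any(a.get("operation") == "Remove"
               for a in req.get("attributeRequests", [])):
            hits.append(req)
    return hits

def accounts_to_disable(event, access_items, source_name=SOURCE_OF_CONCERN):
    """access_items is the identity's access list fetched after the event,
    or None when that lookup failed. Returns the account IDs to disable."""
    if access_items is None:
        return []  # unknown state: never disable on a failed lookup
    remaining = [
        item for item in access_items
        if item.get("type") == "ENTITLEMENT"
        and item.get("source", {}).get("name") == source_name
    ]
    if remaining:
        return []  # at least one entitlement is left on this source
    return sorted({r["accountId"] for r in removal_requests(event, source_name)})

# Constructed sample event (not captured from a real tenant)
SAMPLE_EVENT = {
    "recipient": {"type": "IDENTITY", "id": "id-0001", "name": "jdoe"},
    "accountRequests": [{
        "source": {"name": SOURCE_OF_CONCERN},
        "accountId": "CN=jdoe,OU=Users,DC=example,DC=com",
        "provisioningResult": "SUCCESS",
        "attributeRequests": [{
            "attributeName": "memberOf",
            "attributeValue": "CN=app-users,OU=Groups,DC=example,DC=com",
            "operation": "Remove",
        }],
    }],
}

if __name__ == "__main__":
    print(accounts_to_disable(SAMPLE_EVENT, []))
```

Entitlements held on other sources do not block the disable, and a failed entitlement lookup returns nothing so that an outage cannot disable accounts.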