How to exclude entitlements from removal for terminated team members

Hi All, for some reporting purpose the Active Directory team added entitlements directly in AD without notifying us, and those need to stay even though the users are terminated. When they noticed that SailPoint was removing them, they reached out to us and told us that they had added the entitlements directly. We told them that we have "remove all access" enabled, which removes access when the lifecycle state changes to inactive, and as a temporary measure we disabled remove all access.

Then we created access profiles for each entitlement and added those access profiles under the Identity Profile's inactive state Access Profiles tab, but now the majority of all terminated users were provisioned to those groups, whereas there should not be any change to the entitlements the Active Directory team added. These groups are temporary, and once they are done the groups will be deleted completely. Is there any option to not make any changes (provisioning new users or removing users from the groups) without disabling remove all access?

Currently we have a couple of AD entitlements, each entitlement provisioned to 20K terminated team members.

Any suggestions on how we can solve this scenario?

Thank you

Use a role and create a map with the required criteria; this will be a good choice to implement this. Do not forget to use the criterion distinguishedname starts with CN=


Hi @HussainshaSyed001, each entitlement was added to specific users from different departments.

I did not get you; can you elaborate a little bit more please?

Hi Ravi,

Have you looked at adding an additional lifecycle state? You can create another inactive lifecycle state (call it deprovisioned or something). Keep the access profile on the inactive lifecycle state. On the deprovisioned lifecycle state, remove all remaining AD access except domain users.

You’ll need to revise your lifecycle state transform so that users move to deprovisioned after some time, but this should meet your use case.

There are no specific criteria to create roles for these entitlements; these groups were created temporarily in AD for some reporting purpose, and to identify these users they were added to those groups directly in Active Directory. Until then we cannot make any changes to those groups, like adding or removing users from the groups, even though they are terminated. When remove all access is enabled for the inactive users state, these groups are removed from AD when the users are terminated.

Looking for a temporary solution to not remove them when they are terminated, even though remove all access is enabled.

Thank you