Hello,
We are currently facing some big challenges with SailPoint creating duplicate AD accounts (on-premise Active Directory) upon a user's termination in Workday.
Here is our setup in sailpoint:
- Birthright role for all active employees. Role assignment criteria: lifecycle state equals active. This creates the active directory account
- Default common access roles for specific departments. Role assignment criteria: lifecycle state equals active and department = cc1100 and account attribute for Active Directory DN contains OU. This adds AD groups to the user's group membership if an AD account exists
- Identity profile → provisioning → terminated state → disable Active Directory account
Workday worker status gets updated at midnight, user's local time. Due to this struggle, when IT manually disables an AD account and source aggregation is run, SailPoint sees that there is no active account and recreates a duplicate account, since the user is still part of the role with lifecycle state = active. This is happening for all terminations currently. Also, Workday does not provide real-time updates on account status.
Note: We currently do not have any provisioning rules implemented. The IT team does a few more steps such as moving the user account to the disabled OU, resetting the password, removing phone numbers and exporting a list of users, which isn't possible via SailPoint out-of-the-box functionality. I understand that provisioning rules have to be bought and implemented. But ideally I would like to accomplish this without the need for complex rules.
We only bring in active accounts from the Active Directory source. However, if we were to bring in inactive accounts, what would the criteria look like? Adding account attribute = account status = false will stop future accounts from being created.
What are the solutions implemented to prevent duplicate ad accounts from being created? I would love to hear feedback.
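The following is an added simulation, not code from the original post and not SailPoint's own logic: it models the loop the post describes (account filter hides disabled accounts, identity still "active" in Workday, birthright role re-provisions) and the effect of also aggregating disabled accounts so the existing account stays correlated. The identity profile, role, aggregation filter, account names and the prefix-based correlation are all simplified, constructed stand-ins for the real IdentityNow objects.

```python
"""Toy model of the duplicate AD account loop.

Constructed example: `Identity`, `ADDirectory`, `aggregate` and
`apply_birthright_role` are simplifications of the real SailPoint
objects, not their API. Sample identity "jdoe" is made up.
"""
from dataclasses import dataclass, field


@dataclass
class ADAccount:
    sam: str            # sAMAccountName (constructed value)
    enabled: bool = True


@dataclass
class Identity:
    name: str
    lifecycle_state: str                      # "active" / "terminated", from Workday
    linked_accounts: list = field(default_factory=list)  # correlated sAMAccountNames


@dataclass
class ADDirectory:
    accounts: dict = field(default_factory=dict)   # sam -> ADAccount

    def create(self, base):
        # Mimic a create that uniquifies the name when it already exists,
        # which is how the duplicate ends up as a second, differently named account.
        sam, n = base, 1
        while sam in self.accounts:
            n += 1
            sam = f"{base}{n}"
        self.accounts[sam] = ADAccount(sam)
        return sam

    def disable(self, sam):
        self.accounts[sam].enabled = False


def aggregate(identity, ad, include_disabled):
    """Re-correlate the identity with the AD accounts the source filter exposes.

    include_disabled=False models the post's current setup (only active
    accounts are brought in); True models also aggregating disabled ones.
    Correlation here is a crude name-prefix match, a stand-in only.
    """
    visible = [a.sam for a in ad.accounts.values() if include_disabled or a.enabled]
    identity.linked_accounts = [s for s in visible if s.startswith(identity.name)]


def apply_birthright_role(identity, ad):
    """Role criteria: lifecycle state equals active -> ensure an AD account exists."""
    if identity.lifecycle_state == "active" and not identity.linked_accounts:
        identity.linked_accounts.append(ad.create(identity.name))


def run_termination_day(include_disabled):
    """Replay the sequence from the post and return the AD accounts that exist afterwards."""
    ad = ADDirectory()
    ident = Identity("jdoe", "active")
    apply_birthright_role(ident, ad)            # onboarding: account created
    aggregate(ident, ad, include_disabled)      # normal aggregation, account correlated
    ad.disable("jdoe")                          # IT disables manually on termination day
    # Workday has not flipped the worker to terminated yet (midnight local time),
    # so the identity is still "active" when the next aggregation and role evaluation run.
    aggregate(ident, ad, include_disabled)
    apply_birthright_role(ident, ad)
    return sorted(ad.accounts)


if __name__ == "__main__":
    print("active-only filter :", run_termination_day(include_disabled=False))
    print("include disabled   :", run_termination_day(include_disabled=True))
```

With the active-only filter the disabled account disappears from the identity at aggregation time, the role sees an active identity with no account, and a second account is created; when disabled accounts are aggregated too, the original account stays correlated and the role has nothing to provision.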