Identity Deleted Event Trigger

We have tried using the Identity Deleted event trigger with multiple implementations using web hooks but are not able to get an event sent out when deleting an Identity in our source system. Testing does work successfully, but is there a certain operation that needs to be performed in order to trigger this event?

1 Like

Hi @justinrhaines,

Identity Deleted is triggered after an account is removed from an authoritative source and account aggregation has completed. The flow is detailed in the image in our docs: https://developer.sailpoint.com/triggers/available-event-triggers/Identity_Deleted.html.

I implemented our event triggers when I created the Workato connector for our platform. You can view the Ruby code to see how I implemented it.

You said you were able to send a test event to your web hook handler, so I’m guessing the issue you are facing has to do with how you are trying to trigger the event and not your implementation. Please try the following steps to trigger Identity Deleted:

  1. Navigate to your sources page: https://{your_tenant}.identitynow.com/ui/admin#admin:connections:sources
  2. Select an authoritative source. In my case, I have a source called “Employees” that is a flat file.
  3. Go to the “accounts” tab and download the CSV file for your accounts.
  4. Delete one of the accounts from the CSV file and save.
  5. Go to the “Import Data” tab and upload your modified CSV file. Account aggregation should happen automatically for flat file sources.
  6. Once account aggregation is complete, the Identity Deleted trigger should fire off an event with the details of the account you removed from the CSV.

Alternatively, you can also remove the identity from the identity list to trigger Identity Deleted:

This is curious - we have tried deleting several users, of which only some are showing up in the activity log. This is also in a flat-file as you suggested, following the same steps. The experience has not been consistent at all. Are there other conditions that have to be met other than simply deleting an identity?

1 Like

From what I have observed in my own test tenant, you should only need to perform the steps I outlined to trigger the Identity Deleted event. This has worked for me 100% of the time. If you are experiencing inconsistencies, then I recommend opening a support case so our staff can see what is going on inside your tenant.

1 Like

Thanks for the prompt response - we will continue to monitor for these events.

You should be able to use other aggregations besides flat file - the source type doesn’t matter. The trigger is on the identity removal.

If you are seeing this not fire, and can reproduce it, that sounds very bug-like to me. Let’s understand it, so we can improve this one. One interesting theory I have would be to note the behavior with and without accounts correlated.

Hi Neil. Identity Deleted is not firing as I would expect. I was able to get back to some testing again today. I set up three subscriptions to webhooks to see what was going on. I subscribed to provisioning completed, identity deleted, and identity changes. The only event that fired at all when I deleted the identity from the auth source was provisioning completed. On that event, it just shows basic removal of a birthright entitlement. I would have expected to have seen two events fire in this case. But not having Identity Deleted sent is killing my use case. Is there anyone you know of who can look at this with me and not charge for it? Or am I totally misunderstanding how events work?

1 Like

Hi Matt,
Provisioning completed fires when provisioning is completed - successful or not. This only happens when and if there is a provisioning. Could be a result of identity changes, role assignments, accesses, or any other process which triggers provisioning. Sounds like that is working.

Each identity can either be created, modified, or deleted, and we have event triggers on all these events. An identity can’t fire more than one at once - i.e. you’re not going to get a specific identity updated and deleted within the same transaction. Hope that makes sense.

As I said earlier, if you delete an identity and there is no identity-delete event triggering, then that sounds like a bug. If you remove something and the identity goes away and is deleted, then it should fire the identity-deleted event, if you’ve subscribed to it. Sounds like you can reproduce the problem, so that should be opened with SailPoint Support. They won’t charge for it, as you are just reporting a bug. Feel free to reference me and our conversation here if you need to!

As always, happy to help!

2 Likes

Hi @neil.mcglennon, I did open a support case as you directed. They gave me an internal ticket number IDNARSENAL-9782. Do we know if the issue has been resolved?