Identity no longer comes in aggregation

Hello,

I have a problem to solve, currently in the client that I work on implementing IDNow, there is a policy for an authoritative source that when the user stops coming to the aggregation he must have the identity and accounts disabled, there is no attribute that says that the contract is over it just stops coming in the aggregation.

I did a test and when the user stops coming to the aggregation, the identity is removed, but all accounts on the target systems are active.

Is there a way to disable the identity and accounts once it stops coming in the aggregation?

Thanks in advance for the help.

A few possible ways you may be able to handle this:

  • Using workflows, “Identity Deleted” trigger can get identity details and possibly disable their accounts using Manage Accounts action.

  • Use a Before Provisioning Rule to catch ProvisioningPlan.AccountRequest.Operation.Delete operation and then update plan so the LCS is updated and it disables the target accounts.

  • You can set “Disable Account Deletion” on the aggregation screen and then use some business logic(last-modified, last logon etc) to track if an identity has not been updated for X days then you move it to “Deleted” LCS or something and disable their accounts.

  • Get an extract of all IDN identities every day. Run a script that compares the users removed v/s existing and then for deleted identities, either update LCS or trigger disable action on target accounts.

3 Likes

Hi Sharvari,
Do you have any examples that apply to this type of workflow and beforeOperatin so that I can guide myself?

Thank you very much in advance for your help.

Just to add , you may also use Source Account Deleted trigger for this. “Triggers - SailPoint Identity Services

Apologize, I don’t have anything readily available for this use case. I’ll give the workflow a try in a couple of days.

1 Like

Sharvari,
Thank you very much, this helped me a lot.
I’m appreciate your help.

1 Like

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.