Identity no longer comes in aggregation

Hello,

I have a problem to solve. At the client where I am currently implementing IDNow, there is a policy for an authoritative source: when the user stops coming in the aggregation, their identity and accounts must be disabled. There is no attribute that says the contract is over; the user just stops coming in the aggregation.

I did a test and when the user stops coming to the aggregation, the identity is removed, but all accounts on the target systems are active.

Is there a way to disable the identity and accounts once it stops coming in the aggregation?

Thanks in advance for the help.

A few possible ways you may be able to handle this:

  • Using workflows, the “Identity Deleted” trigger can get identity details and possibly disable their accounts using the Manage Accounts action.

  • Use a Before Provisioning Rule to catch the ProvisioningPlan.AccountRequest.Operation.Delete operation and then update the plan so the LCS is updated and it disables the target accounts.

  • You can set “Disable Account Deletion” on the aggregation screen and then use some business logic (last-modified, last logon, etc.) to track whether an identity has not been updated for X days; then you move it to a “Deleted” LCS or something and disable their accounts.

  • Get an extract of all IDN identities every day. Run a script that compares the users removed vs. existing and then, for deleted identities, either update the LCS or trigger a disable action on the target accounts.

3 Likes
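An added example, not part of the original thread: a sketch of the comparison script from the last option, with a guard so that a failed or partial aggregation does not mass-disable users. The CSV columns, the `inactive` lifecycle state value and the 20% threshold are assumptions; the returned IDs would be fed to whichever LCS update or disable action you use.

```python
import csv
import io

# Constructed sample extracts (assumed layout: id,name,lifecycleState).
YESTERDAY = """id,name,lifecycleState
1001,alice,active
1002,bob,active
1003,carol,active
1004,dave,inactive
"""
TODAY = """id,name,lifecycleState
1001,alice,active
1003,carol,active
"""


def load_extract(text):
    """Parse one daily extract into {identity id: row}."""
    return {row["id"]: row for row in csv.DictReader(io.StringIO(text))}


def plan_disables(previous, current, max_removed_ratio=0.2):
    """Return ids that were in the previous extract but are missing today.

    Raises ValueError when today's extract is empty or when more than
    max_removed_ratio of the previous population vanished, since that
    usually means a broken aggregation rather than real terminations.
    """
    if not current:
        raise ValueError("current extract is empty; refusing to disable anyone")
    missing = sorted(set(previous) - set(current))
    ratio = len(missing) / len(previous) if previous else 0.0
    if ratio > max_removed_ratio:
        raise ValueError(
            f"{len(missing)} of {len(previous)} identities missing "
            f"({ratio:.0%}); manual review required"
        )
    # Identities already inactive yesterday need no further action.
    return [i for i in missing if previous[i]["lifecycleState"] != "inactive"]


if __name__ == "__main__":
    prev, cur = load_extract(YESTERDAY), load_extract(TODAY)
    # Threshold raised for the tiny sample; the default would stop here.
    for identity_id in plan_disables(prev, cur, max_removed_ratio=0.5):
        print("disable:", identity_id, prev[identity_id]["name"])
```
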

Hi Sharvari,
Do you have any examples that apply to this type of workflow and beforeOperation so that I can guide myself?

Thank you very much in advance for your help.

Just to add, you may also use the Source Account Deleted trigger for this. “Triggers - SailPoint Identity Services”

Apologies, I don’t have anything readily available for this use case. I’ll give the workflow a try in a couple of days.

1 Like

Sharvari,
Thank you very much, this helped me a lot.
I appreciate your help.

1 Like

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.