I have a BP rule to delete the accounts of an identity when the lifecycle status is changed to delete. However, the rule didn’t function as I expected. The accounts are not deleted and remain unchanged.
Yes. We used a source to determine the lifecycle status. Here are the details of the terminate user source:
Rules:
If the separation date < current date, the lifecycle status will change to inactive.
If the separation date < current date and the number of days between the separation date and the current day is 90 days or more, the lifecycle status will change to delete.
Please try to update the BP rule as mentioned in the documentation.
Use setOp instead of setOperation to update the operation. If I remember correctly, I faced this issue and it was solved after making this change.
As @nikhleshsdg mentioned, you can either update to setOp instead of setOperation, or it’s worth deploying the “Services Standard BeforeProvisioning” cloud-executed rule (Services Standard BeforeProvisioning.pdf, 68.4 KB), which lets you configure different operations. This rule is developed by SailPoint.
To download the attached PDF directly from SailPoint, navigate to IDN Mock Project > Download the IDN Mock Project Zip > Provisioning Rules > Services Standard BeforeProvisioning.pdf.
Hey, can you confirm whether the LCS provisioning configuration was changed recently? I think it may not be getting triggered, and that is the reason why the BP rule is not working.
I have faced the same issue, but we understood that the configuration had been changed from Enable Accounts to Disable in our case.
Alternatively, manually try to enable the account; if it does get deleted, then the rule is working fine but the configuration was changed in the Identity Profile.
Try that option once and let me know the results.
As per the attached photo, the event log clearly shows the BP rules were successfully triggered by the delete lifecycle state. However, Modify Account Passed doesn’t make any change to remove the account from the identity, nor does it remove the account information in the corresponding sources.
Thank you for your reply. I created a test identity and ran the whole lifecycle state sequence again (Active → Inactive → Delete). After the test, I read the event log and noticed that Modify Account Passed had been shown in the event log, which meant the BP rule had been triggered by the delete lifecycle state.
Therefore, I think there is little suspicion that the BP rules need to be modified (p.s. these BP rules have worked before).
Could you please confirm if, after detaching the rule and changing the lifecycle state from “Inactive” to “Delete”, your account is being enabled in the “Delete” lifecycle state?
If it is, we can investigate further. Otherwise, please check the configuration in the identity profile to see if the account is being enabled during the “Delete” lifecycle state, @choichunwing0414.
You can use it as mentioned below:
if ("delete".equalsIgnoreCase(cloudLifecycleState) && (adAcctRequest.getOperation()).equals(ProvisioningPlan.AccountRequest.Operation.Enable)) {
    // converting the accountRequest to Delete
    adAcctRequest.setOperation(ProvisioningPlan.AccountRequest.Operation.Delete);
}
Thank you for your reply. I don’t think the disabled status is caused by the BP rules.
I am confident that the disabled status is determined by the identity profile.
As you can see in the picture, the accounts will be disabled due to the configuration of the identity profile, not the BP rule. I tried removing two sources from Source Accounts to Disable, and the accounts did not change to disabled status. So I am confident that the BP rule will not affect the account status.
Hi @choichunwing0414
if (idLCS.equals(lcsdelete) && ( (op == AccountRequest.Operation.Enable) && (nativeIdentity != null) ) )
The if statement checks if the lifecycle state of the identity is “delete”, the operation is “Enable”, and there is a valid nativeIdentity. If all these conditions are met, the code inside the if block will execute.
As you can see from the screenshot you have provided, ISC will keep the account in the “disable” state in the case of delete also.
In the Delete state the identity profile config should be Enable; only then will the if statement be executed.
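For reference, here is a complete BeforeProvisioning rule body in the shape the posts above describe; this is an added example written for this thread, not code from the original posts or from SailPoint. It assumes the standard rule inputs `plan` (sailpoint.object.ProvisioningPlan) and `identity` (sailpoint.object.Identity), reads the `cloudLifecycleState` attribute and the “delete” value mentioned in the thread, and uses `setOp` as suggested earlier; the method names follow the IdentityIQ/ISC ProvisioningPlan classes, so verify them against your tenant's rule documentation.

```java
// Added example (BeanShell in Java syntax), not from the original thread.
// Assumed inputs: `plan` (ProvisioningPlan) and `identity` (Identity).
import java.util.List;
import sailpoint.object.Identity;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.ObjectOperation;

// Lifecycle state value this rule reacts to (taken from the thread).
String lcsDelete = "delete";

// Attribute name assumed from the thread's own snippet.
String idLCS = (String) identity.getAttribute("cloudLifecycleState");

if (plan != null && idLCS != null && lcsDelete.equalsIgnoreCase(idLCS)) {
    List requests = plan.getAccountRequests();
    if (requests != null) {
        for (AccountRequest acctReq : requests) {
            AccountRequest.Operation op = acctReq.getOperation();
            String nativeIdentity = acctReq.getNativeIdentity();

            // Only an Enable of an existing account (nativeIdentity set) is
            // converted. A Create (no nativeIdentity yet) or a Disable is left
            // untouched, which is why the identity profile must be configured
            // to *enable* accounts in the Delete state for this branch to run.
            if (op == AccountRequest.Operation.Enable && nativeIdentity != null) {
                // setOp rather than setOperation, as suggested in the thread.
                acctReq.setOp(ObjectOperation.Delete);
            }
        }
    }
}
```

If the identity profile disables accounts in the Delete state instead, the incoming operation is Disable rather than Enable and the rule never changes anything, which matches the behaviour described in the event log above.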
It works, but a new problem appears after I moved to the next step. There is a limitation on adding too many sources under Source Accounts to Disable or Source Accounts to Enable (p.s. I believe the maximum number is 100). Since my project has over 100 sources, aligned with the number of departments, I can’t add all the sources to disable the accounts under the Inactive lifecycle status and return to enable them in the Delete lifecycle status to execute the BP rules.
Is there any possible solution to make sure every source can be added under Source Accounts to Disable or Source Accounts to Enable?