Immediate Termination Workflow


Description: A workflow that facilitates secure initiation of urgent identity termination requests by authorized users or designated teams without granting administrative privileges, in alignment with organizational access governance and least-privilege principles.
Legal Agreement: By using this CoLab item, you are agreeing to SailPoint’s Terms of Service for our developer community and open-source CoLab.
Repository Link: Immediate Termination Workflow
New to Workflows in the CoLab? Read the getting started guide for Workflows in the CoLab.
Supported by: Community Developed

Overview

This workflow is designed to support urgent or out-of-band workforce separation scenarios by enabling controlled lifecycle state transitions through a business-friendly Launchpad interface within SailPoint Identity Security Cloud.

As lifecycle state changes typically require administrative privileges, this workflow eliminates the need to grant elevated access to operational teams by leveraging an administrator or break-glass Personal Access Token (PAT) to securely perform backend actions.

Through a guided two-step form-based interaction, the workflow captures and validates identity details, evaluates the current lifecycle state (e.g., Active or Prehire), ensures the identity does not originate from a Non-Person authoritative source, and initiates the appropriate transition (e.g., Terminated or Rescinded). This solution improves operational efficiency, enforces governance controls, and minimizes risk by ensuring termination activities are executed consistently and in alignment with business policies without compromising administrative security boundaries.

Requirements

Active SailPoint ISC tenant with Workflow and Launchpad enabled, and a Secure Administrative or Break-Glass Account PAT for backend executions.

Guide

To upload these templates into your Workflows environment, follow these steps.

  1. Download the Form and Workflow templates from the repository link above.

  2. Import the Form template (update the template as per requirements):
    a. Using VS Code, navigate to the forms section in your tenant directory. Right-click on the ‘forms’ section and “import” the Form template you downloaded from the GitHub link above.
    b. Alternatively, import the form using this endpoint: Import form definitions from export.

  3. Import the Workflow template:
    a. Update the template to align the workflow with your organizational requirements:
      • Update lifecycle state values within the Compare String operator (Check if user is already in any inactive lifecycle state, Check if user is in active lifecycle state, Check if user is in prehire lifecycle state).
      • Update Tenant Name, Client ID, Client Secret, and Lifecycle State IDs in the HTTP Request actions (Change user’s lifecycle state to terminated, Change user’s lifecycle state to rescinded).
      • Modify recipient email addresses and notification content in (Send success email, Send failure email).
      • Update the Authoritative Source ID in (Check if user belongs to Non Person Auth Source). Optional step for excluding non-person identities from termination processing.
      • Update form inputs as per the updated form template within the interactive form action (Display user details Form).
    b. Create a new workflow in the Workflow dashboard and select the “Start with a JSON File” option. You will be prompted to select a file from your computer. Select the template and click “Continue to Builder”.

For further assistance or implementation support, please reach out via the SailPoint Community (@UjjwalJain).
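
The guard checks described above, sketched as an added example that is not part of the original post or the repository's template: because the backend call runs with an administrator PAT, these checks are the only thing standing between a Launchpad user and an arbitrary lifecycle change, so the sketch fails closed on anything unmapped. The check order, field names, state names and IDs are hypothetical placeholders.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical placeholders: replace with your tenant's own IDs and state names.
CONFIG = {
    "non_person_source_id": "NON-PERSON-SOURCE-ID",
    "inactive_states": {"terminated", "rescinded"},
    "transitions": {"active": "TERMINATED-LCS-ID", "prehire": "RESCINDED-LCS-ID"},
}

@dataclass(frozen=True)
class Decision:
    allowed: bool
    target_state_id: Optional[str]
    reason: str

def decide_transition(identity: dict, cfg: dict = CONFIG) -> Decision:
    """Return whether the privileged backend call may run, and with which state ID."""
    state = (identity.get("lifecycle_state") or "").strip().lower()
    source = identity.get("auth_source_id")
    # Guard 1: non-person identities (or records with no source) are never processed.
    if not source or source == cfg["non_person_source_id"]:
        return Decision(False, None, "non-person or missing authoritative source")
    # Guard 2: nothing to do if the identity is already in an inactive state.
    if state in cfg["inactive_states"]:
        return Decision(False, None, f"already inactive: {state}")
    # Guard 3: only explicitly mapped states proceed; anything else fails closed.
    target = cfg["transitions"].get(state)
    if target is None:
        return Decision(False, None, f"unmapped lifecycle state: {state!r}")
    return Decision(True, target, f"{state} -> {target}")

# Constructed sample identities (not real data).
SAMPLES = [
    {"name": "a.active", "lifecycle_state": "Active", "auth_source_id": "HR-SOURCE-ID"},
    {"name": "p.prehire", "lifecycle_state": "prehire ", "auth_source_id": "HR-SOURCE-ID"},
    {"name": "t.gone", "lifecycle_state": "terminated", "auth_source_id": "HR-SOURCE-ID"},
    {"name": "svc.bot", "lifecycle_state": "active", "auth_source_id": "NON-PERSON-SOURCE-ID"},
    {"name": "l.leave", "lifecycle_state": "leaveOfAbsence", "auth_source_id": "HR-SOURCE-ID"},
    {"name": "n.nosrc", "lifecycle_state": "active", "auth_source_id": None},
]

def evaluate(samples=SAMPLES):
    return {s["name"]: decide_transition(s) for s in samples}

if __name__ == "__main__":
    for name, d in evaluate().items():
        print(f"{name:10} allowed={d.allowed!s:5} {d.reason}")
```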

Hey @UjjwalJain ,

How would you suggest managing access to the form, if we want to limit the access?

Kind regards,

Aayush

Hi @AsGoyal

We are using Launchpad, which is associated with an entitlement.

Only users who have been assigned this entitlement will be able to access the Launchpad and trigger this workflow.

I hope this answers your question.

Hi @UjjwalJain ,

Thank you so much for the clarification.

Hi @UjjwalJain

Can’t we achieve this from the Leaver operations on the basis of LCS - Immediate Termination? What are the benefits of using the workflow, or is this only for the users who are already in terminated LCS?

This workflow is designed for scenarios where emergency termination is required and can’t wait for updated status or details from the HR system.

Hi @UjjwalJain ,

Thank you for this wonderful solution, I am now able to implement a similar one in my tenant.

Just two questions/suggestions here:

  1. Why are we having two forms here, when deactivation can happen with one form only?

  2. Why are you checking if the user is in a prehire state? I would like to know the idea/thought process behind it.

Kind regards,

Aayush

Hi @AsGoyal,

Glad that you liked it.

To answer your questions:

  1. I used the second form to allow the user to verify the details of the user they are about to terminate, in case they selected the wrong user in the first form. It is completely optional to use the second form.
  2. I was checking for both Active and Prehire lifecycle states, as we have separate terminated lifecycle states for users being terminated from Prehire (moves to Rescinded) and Active (moves to Terminated) lifecycle states. It depends on your requirements and design.