ISC Governance Connector : Governance groups not removed during Disable Op

Use Case:
We have set up a source to manage User Levels and Governance Groups of identities in ISC using the ISC Governance connector. On user termination we trigger disablement of the user’s ISC accounts, and we have a Before Provisioning rule in place which adds an attribute request to remove existing Governance Groups and userLevels from the identity when the “Disable” operation is passed and the LCS is “inactive”.

Issue:
Governance groups are not getting removed during termination, even though we see a successful removal request shown in the account activity. Governance group removal is working fine in the certification access revocation case.

Requesting assistance from anyone to help with the Disable case.

Looping : @vengal_mallampati

Hi @Ankit_PwC

The Governance Group may be marked as “inUse”:
If a Governance Group has one or more connections associated with it, it will be marked as “inUse” and cannot be deleted. This could prevent the group from being removed during termination.

Ensure that the termination process is not attempting to remove more than 100 Governance Groups at once; otherwise you will see an error.

It’s possible that governance group removal is only honored on MODIFY or ACCESS operations, not DISABLE. Some connectors treat DISABLE as strictly an account status change, ignoring access-level changes.

Workaround:
In the Before Provisioning rule, split the request into:

  • One DISABLE operation for the account.
  • Another MODIFY or ACCESS REMOVE operation for governance groups and user levels.

This could be simulated in the rule by submitting a separate provisioning request via context.getProvisioningPlan() or Provisioner.run().

1 Like
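
The split described in the workaround above, as an added example that is not part of the original thread or SailPoint's own code: a Before Provisioning rule body (BeanShell) that moves the Remove attribute requests off the Disable account request onto a separate Modify request for the same account. It assumes the standard rule input `plan`, that the removals were attached to the Disable request as attribute requests, and, following the reply's hypothesis, that the connector honours them on Modify.

```java
// Added example: Before Provisioning rule body (BeanShell).
// Assumption: `plan` is the rule's sailpoint.object.ProvisioningPlan input.
import java.util.ArrayList;
import java.util.List;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

// New Modify requests are collected here and added after the loop,
// so the plan's request list is not changed while it is being walked.
List extra = new ArrayList();

List requests = plan.getAccountRequests();
if (requests != null) {
    for (int i = 0; i < requests.size(); i++) {
        AccountRequest disable = (AccountRequest) requests.get(i);
        if (!AccountRequest.Operation.Disable.equals(disable.getOperation())) {
            continue; // only Disable requests are split
        }
        List attrs = disable.getAttributeRequests();
        if (attrs == null || attrs.isEmpty()) {
            continue; // nothing attached to this Disable
        }

        // Separate Modify request targeting the same account.
        AccountRequest modify = new AccountRequest();
        modify.setOperation(AccountRequest.Operation.Modify);
        modify.setApplication(disable.getApplication());
        modify.setNativeIdentity(disable.getNativeIdentity());

        List kept = new ArrayList(); // non-Remove requests stay on the Disable
        for (int j = 0; j < attrs.size(); j++) {
            AttributeRequest ar = (AttributeRequest) attrs.get(j);
            if (ProvisioningPlan.Operation.Remove.equals(ar.getOperation())) {
                modify.add(ar); // group / user-level removal moves to Modify
            } else {
                kept.add(ar);
            }
        }
        disable.setAttributeRequests(kept); // Disable is now a pure status change

        List moved = modify.getAttributeRequests();
        if (moved != null && !moved.isEmpty()) {
            extra.add(modify);
        }
    }
}
for (int k = 0; k < extra.size(); k++) {
    plan.add((AccountRequest) extra.get(k));
}
```

The Modify requests are appended after the Disable request; check the resulting account activity to confirm both requests reach the connector and that the 100-group limit mentioned above is respected.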