Issue with Premature AD Account Disabling for Users with Multiple Accounts

We are encountering an issue in SailPoint Identity Security Cloud (ISC) where AD accounts are being prematurely disabled when a person has multiple accounts in the same source (HRIS or non-employee source).

The business expectation is that if a user, such as John Smith, has two accounts (one active and one inactive), the identity lifecycle should remain active, and the AD account should stay active until all HRIS accounts are inactive. However, we are seeing behavior where the identity lifecycle state is dependent on the account that was originally used to create the identity. This is leading to AD accounts being disabled even though one of the HRIS accounts is still active.

We have implemented a transform that filters based on active accounts and uses that for determining the lifecycle state. While this resolves part of the issue, it has introduced another problem where we are unable to see terminated identity profiles since they are being filtered out during processing.

I would appreciate any guidance on how to ensure that:

  1. The AD account remains active until all linked HRIS accounts are inactive.
  2. We maintain visibility into terminated identities, even with the active account filtering in place.

I’m also planning to engage SailPoint Expert Services for further assistance, but any insights or recommendations from the community would be greatly appreciated.

Thanks in advance for your support!

Hi Ade,

Does the user have a single identity or multiple identities?

When possible, the simplest solution is for the user to have one identity which can have data from multiple accounts underneath of it. You will need to set the priority for the identity profiles to ensure likely that the HRIS source has priority over the non-employee source.

Then in your lifecycle state transform, you will compare the data from both sources to determine whether the identity should be active or disabled. This will allow you to keep the identity active even if the user is disabled in one of the sources.

As far as your second question, while it seems simple enough to remove non-active users from the aggregation, this doesn’t work well with ISC. You will need to have the inactive users long enough to have ISC process disabling/deleting their downstream accounts.

The user has a single identity. The challenge here is that the user has multiple (2 accounts) accounts in the same source. In ISC, there’s a single identity that has both accounts underneath it. Prioritizing the source will not work for us since the accounts are from the same source.

Hi @adebomol2024

Please refer below suggestion.
Add one identity attribute in IP and and apply transform and check cloudLifecycle in both sources whether it is active or inactive.
After that mapped that attribute in active directory using the extensionAttribute and sync that attribute in AD.
After use the AfterModify script during the disable operation check whether extensionAttribute(this attribute use a identifier that in both sources account is disable ) value then and only disable other wise enable the account using poweshell command.


Try and let me me know whether it is working for you.

You should use a before provisioning rule to check the operation type and lifecycle and then disable the AD account accordingly

@adebomol2024

Can you set the status attribute as multi-value attribute and since both account are correlated to single identity, status attribute will have both ‘active’ and ‘inactive’ value.
This status attribute could be used to determine lcs state of identity either via rule or transform.

Thanks

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.