Leaver Process Deprovisioning

Hi Experts,

As part of the Leaver process, I’m planning to disable all user accounts by configuring the sources in the LCS provisioning tab. But before disabling, all birthright roles will be deprovisioned automatically based on LCS; how can I deprovision the requested roles from the Request Center?

If you have Workflows, I would recommend creating a Workflow to do this.

  1. Trigger on Identity Attribute Changed for the attribute cloudLifecycleState.
  2. Make sure the new LifecycleState is the same as Leaver; you don’t want this to fire for other LifecycleStates.
  3. Use Get Access to gather all the roles for the Identity.
  4. Use a Loop and the action Manage Access to remove the roles.

I have not tested the Workflow below.

{
	"name": "Terminated User - Remove Roles",
	"definition": {
		"start": "Compare Strings",
		"steps": {
			"Compare Strings": {
				"choiceList": [
					{
						"comparator": "StringEquals",
						"nextStep": "Get Access",
						"variableA.$": "$.trigger.changes[?(@.attribute == 'cloudLifecycleState')].newValue",
						"variableB": "terminated"
					}
				],
				"defaultStep": "End Step - Success",
				"description": "Check if Terminated",
				"displayName": "",
				"type": "choice"
			},
			"End Step - Success": {
				"displayName": "",
				"type": "success"
			},
			"Get Access": {
				"actionId": "sp:access:get",
				"attributes": {
					"accessprofiles": false,
					"entitlements": false,
					"getAccessBy": "specificIdentity",
					"identityToReturn.$": "$.trigger.identity.id",
					"roles": true
				},
				"displayName": "",
				"nextStep": "Loop",
				"type": "action",
				"versionNumber": 1
			},
			"Loop": {
				"actionId": "sp:loop:iterator",
				"attributes": {
					"context.$": null,
					"input.$": "$.getAccess.accessItems",
					"start": "Manage Access",
					"steps": {
						"Manage Access": {
							"actionId": "sp:access:manage",
							"attributes": {
								"comments": "Removing access for Terminated User",
								"removeIdentity.$": "$.trigger.identity.id",
								"requestType": "REVOKE_ACCESS",
								"requestedItems.$": "$.loop.loopInput.id"
							},
							"description": "Remove Access",
							"displayName": "",
							"type": "action",
							"versionNumber": 1
						}
					}
				},
				"displayName": "",
				"nextStep": "End Step - Success",
				"type": "action",
				"versionNumber": 1
			}
		}
	},
	"trigger": {
		"type": "EVENT",
		"attributes": {
			"attributeToFilter": "cloudLifecycleState",
			"filter.$": "$.changes[?(@.attribute == \"cloudLifecycleState\")]",
			"id": "idn:identity-attributes-changed"
		}
	}
}

Hi @chandramohan27,

Agree with @Carlatto. Workflows would be the best way to achieve this.

An alternative (if workflows are not available) is to use a Before Provisioning Rule to set the entitlement attribute as empty/blank in the account request, e.g. for AD, set the memberOf attribute value as blank in the Before Provisioning Rule for the Disable operation. One thing to ensure is the role membership criteria, which should be such that the roles aren’t added back on the next identity refresh/aggregation if the identity is already in the “disabled” LCS.

Thanks,
Shailee

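One way to implement the Before Provisioning Rule alternative described above, as an added example that is not code from this thread (BeanShell, as IdentityNow rules are written). It assumes the standard rule inputs `plan` and `log`, a source named "Active Directory" whose entitlement attribute is `memberOf`, and that the rule returns the modified plan.

```java
// Added example (not from the thread): IdentityNow Before Provisioning rule that
// clears AD group membership whenever the plan disables an account on a listed
// source, so the Disable issued by the leaver LCS also strips entitlements.
// Assumptions: inputs `plan` (ProvisioningPlan) and `log` are provided by the
// rule framework; the source is named "Active Directory"; the rule returns the plan.
import java.util.ArrayList;
import java.util.List;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

// Sources (by name) on which a Disable should also remove all group memberships.
List targetSources = new ArrayList();
targetSources.add("Active Directory");   // assumed source name
String groupAttribute = "memberOf";      // assumed AD entitlement attribute

List accountRequests = plan.getAccountRequests();
if (accountRequests != null) {
  for (AccountRequest accountRequest : accountRequests) {
    // Only act on Disable operations against the listed sources; leave every
    // other operation (Create, Modify, Enable, ...) untouched.
    if (accountRequest.getOperation() != AccountRequest.Operation.Disable
        || !targetSources.contains(accountRequest.getApplication())) {
      continue;
    }

    // Drop any existing memberOf request in the same plan so nothing is re-added,
    // then Set memberOf to an empty list, which removes every group membership.
    List attributeRequests = accountRequest.getAttributeRequests();
    List kept = new ArrayList();
    if (attributeRequests != null) {
      for (AttributeRequest attributeRequest : attributeRequests) {
        if (!groupAttribute.equals(attributeRequest.getName())) {
          kept.add(attributeRequest);
        }
      }
    }
    kept.add(new AttributeRequest(groupAttribute, ProvisioningPlan.Operation.Set, new ArrayList()));
    accountRequest.setAttributeRequests(kept);

    log.info("Before Provisioning: cleared " + groupAttribute + " on Disable for "
        + accountRequest.getApplication() + " account " + accountRequest.getNativeIdentity());
  }
}

return plan;
```

As the reply notes, this only holds if automatic role criteria exclude the disabled LCS; otherwise the next identity refresh will reprovision the same groups.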

Yeah, we use Before Provisioning Rules on a few critical sources to remove all entitlements. We also look at LCS on all of our automatic Roles to make sure those are removed.

But for Requested Roles, you either have to manually revoke them, remove them during a Certification Campaign, or run a Workflow. If there is another way, I would love to hear it.
