If you have Workflows, I would recommend creating a Workflow to do this.
- Trigger on Identity Attribute Changed for the attribute cloudLifecycleState.
- Make sure the new LifecycleState is the same as Leaver (the example below compares it to "terminated"); you don’t want this to fire for other LifecycleStates.
- Use Get Access to gather all the roles for the Identity.
- Use a Loop and the action Manage Access to remove the roles.
I have not tested the Workflow below, so validate it before relying on it.
{
"name": "Terminated User - Remove Roles",
"definition": {
"start": "Compare Strings",
"steps": {
"Compare Strings": {
"choiceList": [
{
"comparator": "StringEquals",
"nextStep": "Get Access",
"variableA.$": "$.trigger.changes[?(@.attribute == 'cloudLifecycleState')].newValue",
"variableB": "terminated"
}
],
"defaultStep": "End Step - Success",
"description": "Check if Terminated",
"displayName": "",
"type": "choice"
},
"End Step - Success": {
"displayName": "",
"type": "success"
},
"Get Access": {
"actionId": "sp:access:get",
"attributes": {
"accessprofiles": false,
"entitlements": false,
"getAccessBy": "specificIdentity",
"identityToReturn.$": "$.trigger.identity.id",
"roles": true
},
"displayName": "",
"nextStep": "Loop",
"type": "action",
"versionNumber": 1
},
"Loop": {
"actionId": "sp:loop:iterator",
"attributes": {
"context.$": null,
"input.$": "$.getAccess.accessItems",
"start": "Manage Access",
"steps": {
"Manage Access": {
"actionId": "sp:access:manage",
"attributes": {
"comments": "Removing access for Terminated User",
"removeIdentity.$": "$.trigger.identity.id",
"requestType": "REVOKE_ACCESS",
"requestedItems.$": "$.loop.loopInput.id"
},
"description": "Remove Access",
"displayName": "",
"type": "action",
"versionNumber": 1
}
}
},
"displayName": "",
"nextStep": "End Step - Success",
"type": "action",
"versionNumber": 1
}
}
},
"trigger": {
"type": "EVENT",
"attributes": {
"attributeToFilter": "cloudLifecycleState",
"filter.$": "$.changes[?(@.attribute == \"cloudLifecycleState\")]",
"id": "idn:identity-attributes-changed"
}
}
}