Lifecycle Management – accountExpires not updating in Terminated state when account already disabled

Hi Forum,

We’re encountering a behavior in SailPoint Identity Security Cloud (ISC) lifecycle provisioning and would like to confirm whether this is expected by design and what the recommended approach is.

Current Lifecycle Pattern

Our lifecycle flow is as follows:

  1. Active

    • User is active

    • AD account enabled

  2. Inactive

    • Triggered when the identity end date reaches the current date

    • AD account is disabled in this state

  3. Terminated

    • Identity transitions automatically ~1 hour after entering Inactive

    • In this state, we attempt to update the AD user attribute accountExpires

Issue Observed

  • By the time the identity reaches Terminated, the AD account is already disabled from the Inactive state.

  • Since both Inactive and Terminated lifecycle states result in a disabled account, ISC does not appear to generate a provisioning plan during the Inactive → Terminated transition.

  • As a result:

    • No provisioning occurs

    • Attribute mappings in the Terminated state are skipped

    • The accountExpires attribute is not updated in AD

We understand that Active Directory itself supports updating accountExpires on disabled accounts, so this does not seem to be an AD limitation.

Understanding / Assumption

Our assumption is that this is due to ISC provisioning being delta‑based:

  • If the target account is already in the desired end state (disabled),

  • And the lifecycle transition does not introduce a detectable delta,

  • Then ISC does not generate a provisioning plan, and attribute updates do not execute.

Is this behavior expected and by design in ISC lifecycle provisioning?

  1. If accountExpires is only intended to be updated in the Terminated lifecycle state, what is the recommended pattern to ensure this attribute is still provisioned when the account was already disabled earlier?

  2. Is introducing a forced delta (e.g., via an identity attribute change or trigger attribute) the preferred solution, or is there a more native/recommended approach?

Any guidance, confirmation, or best‑practice recommendations would be greatly appreciated.

Thanks in advance!

Hi @kannan_sb85

Thank you for this. We’ll try the suggested approach and will get back to you once we’ve confirmed it’s working.

Hi @kannan_sb85 ,

For us to implement this, do we need to go to Source > Edit > Create Account and add the accountExpires attribute?

using Attribute Sync by introducing an identity attribute (cloudAccountExpires) mapped to AD accountExpires. When the identity moves to Terminated, the attribute changes and triggers a sync, ensuring the value is updated even if the account remains disabled.
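The Attribute Sync approach described in this thread only fires when the identity attribute's value actually changes, so the value must differ between the Inactive and Terminated states. The following is an added example (not code from the thread, from SailPoint, or from any ISC transform) that shows the arithmetic such an attribute would need: Active Directory stores accountExpires as a Windows FILETIME, a 64-bit count of 100-nanosecond intervals since 1601-01-01 UTC, with 0 meaning "never expires". The names `cloud_account_expires` and `has_sync_delta`, the choice of "0" for non-terminated states, and the assumption that the connector is handed the raw FILETIME integer as a string are all mine and not taken from the page.

```python
from datetime import datetime, timedelta, timezone

# FILETIME epoch (1601-01-01 UTC) and the constant AD uses for "never expires".
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = 0


def to_filetime(dt: datetime) -> int:
    """Convert a datetime to an AD FILETIME (100-ns intervals since 1601-01-01 UTC).

    Integer arithmetic is used throughout: the value is ~1.3e17, which exceeds
    float's 53-bit mantissa, so a float intermediate would silently lose precision.
    Naive datetimes are treated as UTC (assumption for this example).
    """
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    delta = dt - _FILETIME_EPOCH
    seconds = delta.days * 86400 + delta.seconds
    return seconds * 10_000_000 + delta.microseconds * 10


def from_filetime(ft: int) -> datetime:
    """Inverse of to_filetime, useful for checking what AD will report after sync."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def cloud_account_expires(lifecycle_state: str, end_date: datetime) -> str:
    """Value for a hypothetical identity attribute (e.g. cloudAccountExpires).

    Returns the FILETIME of the identity's end date only in the Terminated state
    and "0" (never expires) otherwise, so the Inactive -> Terminated transition
    always produces a changed value for Attribute Sync to act on.
    """
    if lifecycle_state.lower() == "terminated":
        return str(to_filetime(end_date))
    return str(NEVER_EXPIRES)


def has_sync_delta(previous_value: str, new_value: str) -> bool:
    """Attribute Sync only provisions when the mapped value differs."""
    return previous_value != new_value


if __name__ == "__main__":
    # Constructed sample identity: end date 2024-01-01 00:00 UTC.
    end = datetime(2024, 1, 1, tzinfo=timezone.utc)
    inactive_value = cloud_account_expires("inactive", end)
    terminated_value = cloud_account_expires("terminated", end)
    print("Inactive  :", inactive_value)
    print("Terminated:", terminated_value, "->", from_filetime(int(terminated_value)))
    print("Sync delta:", has_sync_delta(inactive_value, terminated_value))
```

Whatever transform or rule ends up populating the identity attribute in ISC, the property worth verifying after configuration is the last one: the value emitted for Inactive and the value emitted for Terminated must differ, otherwise the sync is skipped exactly as described in the original post.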