We have a problem in order to launch offboarding process to some users.
We Have implemented Active and Leaver as LifecycleStates. We have configured Leaver state to disable all the accounts of the users. The problem is that there are users with all accounts in status active because we enabled the Leaver LifecycleStates after their end date.
From other side, we have tried to execute manually Refresh Task, but Lifecycle state is not evaluated.
We had a similar problem in our environment - it was caused because we calculated lifecycle state based off end date. When the end date ticked over it wasn’t recalculating the lifecycle state because the source data had not changed, even though the lifecycle state should have changed because the identity’s end date had passed.
Not sure if you’re facing the same issue.
We resolved it by running disable optimisation aggregations on our authoritative source daily. Whenever the disable optimisation aggregation ran, it would enforce the recalculation of lifecycle state.
However, I would really like a better solution from the IdentityNow team myself!
If you are using a transform to calculate the lifecycle state, you probably need to add the flag:
“requiresPeriodicRefresh”: “true” to get the transform re-evaluated 2x daily.,
Does that attribute cause it to be recalculated during the daily refresh job (i.e., 8am and 8pm?)?
Does it also cause it to be recalculated every time there is a source aggregation? Or via any other mechanism? Unfortunately for our use case the 8am job is too late for this calculation, and the 8pm job is too early.
Normally a transform is evaluated only when data changes. The requiresPeriodicRefresh flag allows the transform to be updated by the morning and evening processing and triggers time-based events.
I’ve tried both solutions, including “requiresPeriodicRefresh”: “true” in the transform rule and aggregating with the param disableOptimisation set to true.
I was under the impression that it wasn’t calculating the value of the lifecycle state attribute. But after re-reading the problem it sounds like actually the users are in the correct lifecycle state, but their accounts are still active. And you want to disable the accounts. Is that correct?
The actions are only performed when the account is moved into the lifecycle state, it’s not recalculated on any refresh and there’s no way (that I’m aware of) to force it to do so.
The solution I would suggest would be:
create a third lifecycle state the same as your leaver lifecycle state called “Temporary Leaver” or some such
update the lifecycle state transform so that instead of sending users into the “Leaver” lifecycle state, it sends them into the “Temporary Leaver” lifecycle state. Make sure the requiresPeriodicRefresh is set to true so that it recalculates for everyone.
allow the system to move everyone into the new lifecycle state. This should disable all their accounts.
update your lifecycle state transform to put everyone back into “Leaver” lifecycle state.
allow the system to move everyone back into your original lifecycle state.
Thanks for this solution. We were analysing several options but the problem to apply this solution is that we would change LCS for all Leaver users. In our case some users was in correct status( Leaver status and AD account disabled). So, we applied the following WA using a PowerShell script lo launch the following API call
