Manage Account - Delete Operation

I created a workflow to delete Active Directory accounts when the owner transitions into the ‘Deleted’ Lifecycle State. My workflow is working well, with one exception, the actual deletion performed by the Manage Account action is failing for unknown reasons.

As far as I can tell, there is no logged provisioning event, traces to enable for further review, or workflow errors returned.

Furthermore, IdentityNow is actually reporting the workflow as successful, even though it does detect that the account failed.

Am I doing something wrong here or is this just a bug?

If Workflows isn’t reporting an error, then the API call was successful. Where are you seeing the account delete fail? Is this in your IDN dashboard? What is the error message?

I did some digging and I found out that the “delete” operation for Manage Accounts uses the delete account API. This operation will only work on flat file sources. Since you are trying to delete accounts from Active Directory, it won’t work.

SailPoint recommends disabling accounts rather than deleting them. This way they can be re-enabled in the event the account is needed again in the future.

I’m not aware of a way to trigger an account delete from SailPoint. You might have to perform that operation directly in AD.

If anyone is reading this solution, please upvote this idea to allow delete as a native operation in IDN.

Hello Colin,

While I agree that you are technically correct, I believe SailPoint is missing some significant support for customers. In my experience, the requirement is often to disable on termination and delete after X days. This is considered the best practice recommendation for security control. No point in leaving a stack of disabled accounts that would never be reused, right?

To add further, I have seen this question asked a few times in Compass, such as: Solved: IdentityNow Delete Active Directory Account - Compass (sailpoint.com)

I was kind of hoping to be able to implement a more proper solution using workflows, rather than having to send an enable request to delete the account which just sounds sketchy and wrong in so many ways.

Thank you for the support as always!

That’s a very good point about deleting old accounts to clean up the space. I didn’t consider that.

To dig a little deeper, the disable and delete commands are implemented at the connector level. If the connector doesn’t support delete, then it won’t be possible. However, even if the connector does support the delete operation, IDN doesn’t offer a way in the GUI to trigger a delete; it will only disable accounts. The Compass article you referenced suggested creating a before provisioning rule for your AD source to change the disable action to delete, but that is obviously not an easy thing to implement.

I found an idea for this in our ideas portal that makes the case for the delete command. Please upvote this and add any comments you think are relevant to the idea. The more upvotes this gets, the quicker it will be considered for implementation.

https://ideas.sailpoint.com/ideas/PLAT-I-61
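For readers who want to see what the before provisioning rule workaround mentioned above looks like, here is an added example (BeanShell, as IdentityNow cloud rules are written); it is not code from the original thread, from SailPoint, or from the linked Compass article. It rewrites an AccountRequest operation of Disable to Delete, but only when the identity is in the Deleted lifecycle state, so that an ordinary disable request is never silently turned into a deletion. Assumptions: the rule receives `plan` and `log` as inputs, the identity is reachable via `plan.getIdentity()`, and the lifecycle state is stored in the identity attribute `cloudLifecycleState` with the value `deleted`; these names, and the helper `isDeletedIdentity`, are the author of this example's own and should be checked against your tenant's configuration.

```java
// Added example of a BeforeProvisioning rule body (BeanShell).
// Not from the original thread; see the lead-in for the assumptions.
import java.util.List;
import sailpoint.object.Identity;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;

// Assumed attribute name and value for the lifecycle state (tenant-specific).
String LIFECYCLE_ATTR = "cloudLifecycleState";
String DELETED_STATE  = "deleted";

// Returns true only when the identity behind this plan is in the Deleted
// lifecycle state. Any missing data is treated as "not deleted", so the
// rule fails safe and leaves the Disable request untouched.
boolean isDeletedIdentity(ProvisioningPlan p) {
  Identity id = p.getIdentity();          // assumption: identity available here
  if (id == null) {
    return false;
  }
  Object state = id.getAttribute(LIFECYCLE_ATTR);
  return state != null && DELETED_STATE.equalsIgnoreCase(state.toString());
}

// Rewrite Disable -> Delete for the gated identities only. The rule is
// attached to the AD source, so no application check is needed here; every
// other operation (Create, Modify, Enable, Delete, ...) is passed through.
if (plan != null && isDeletedIdentity(plan)) {
  List requests = plan.getAccountRequests();
  if (requests != null) {
    for (AccountRequest req : requests) {
      if (AccountRequest.Operation.Disable.equals(req.getOperation())) {
        log.info("BeforeProvisioning: rewriting Disable to Delete for "
                 + req.getNativeIdentity());
        req.setOperation(AccountRequest.Operation.Delete);
      }
    }
  }
}
```

Before deploying something like this, test it against a non-production source: a rule of this type runs on every provisioning plan for the source, and without the lifecycle-state gate a routine disable (for example a leave of absence) would become an irreversible delete. Logging the native identity that was rewritten gives you the audit trail that the thread notes is otherwise missing.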