Manager inactivating identity

ruschel · March 31, 2023, 2:41pm

We need the manager to be able to deactivate the user’s identity in IdentityNow, this possibility exists?

colin_mckibben · April 4, 2023, 5:04pm

If I understand correctly, you want to require approval from the identity’s manager before disabling their user account in IDN? Or do you want to allow the manager to deactivate a user’s account themselves?

It is best practice to control the disabling of an identity through lifecycle states. Lifecycle states can be manually set by an admin, or automatically set through identity attribute matching. Please read here for more information: Setting Up Lifecycle States - SailPoint Identity Services

Disabling an identity is done by an IDN admin in the identity list UI. Unless you grant your managers admin status (not ideal), your managers won’t be able to directly disable identities.

RTASB · April 6, 2023, 12:25am

Hi @colin_mckibben when you say “disabling of an identity”, do you mean related accounts or the identity itself? Would you be able to share how the identity itself can be disabled please?

colin_mckibben · April 6, 2023, 12:53pm

To manually disable the identity itself, please see this document: Managing Identities - SailPoint Identity Services

To disable source accounts linked to an identity, please see this document: Managing User Accounts - SailPoint Identity Services

jroozeboom · April 6, 2023, 9:48pm

This can manually be done through the UI using the ellipses (…) icon under the Action column and choosing Disable. Please note that you will not be able to Disable the identity if the identity is the owner of certain objects. We have clients who we have helped automate the Disabling / Enabling of identities based off of the Lifecycle State.

RTASB · April 10, 2023, 11:49pm

Apologies, I should have phrased my question a bit better. I was wondering about an automated way of disabling identities, which I now notice on Colin’s edit as not possible and needing to be manual.

akasper · April 13, 2023, 6:10am

Which of course utilises the undocumented / unsupported
“https://{{tenant}}.api.identitynow.com/cc/api/user/enabled” API - which we are not meant to know/use .
Pity that’s not a supported workflow action …yet? :?

colin_mckibben · April 13, 2023, 11:17am

Yes that’s correct. Currently there is only a CC API for disabling identities. However, v3 identity APIs are coming soon, and will include a disable command.

Topic		Replies	Views
Disabled accounts ISC Discussion and Questions identity-security-cloud , provisioning , accounts	6	507	January 28, 2024
Disable identity API ISC Discussion and Questions apis	4	541	July 19, 2023
IDN - Timing of the "Account Disable" event ISC Discussion and Questions identity-security-cloud	3	159	March 23, 2024
Disabling account discussion ISC Discussion and Questions identity-security-cloud , provisioning , lifecycle-management	5	269	December 19, 2023
Disable LDAP user accounts in SailPoint IdentityNow ISC Discussion and Questions identity-security-cloud	2	244	November 5, 2023

Manager inactivating identity

Related Topics