Manager inactivating identity

We need the manager to be able to deactivate the user’s identity in IdentityNow. Does this possibility exist?

If I understand correctly, you want to require approval from the identity’s manager before disabling their user account in IDN? Or do you want to allow the manager to deactivate a user’s account themselves?

It is best practice to control the disabling of an identity through lifecycle states. Lifecycle states can be manually set by an admin, or automatically set through identity attribute matching. Please read here for more information: Setting Up Lifecycle States - SailPoint Identity Services

Disabling an identity is done by an IDN admin in the identity list UI. Unless you grant your managers admin status (not ideal), your managers won’t be able to directly disable identities.

Hi @colin_mckibben when you say “disabling of an identity”, do you mean related accounts or the identity itself? Would you be able to share how the identity itself can be disabled please?

To manually disable the identity itself, please see this document: Managing Identities - SailPoint Identity Services

To disable source accounts linked to an identity, please see this document: Managing User Accounts - SailPoint Identity Services

This can manually be done through the UI using the ellipses (…) icon under the Action column and choosing Disable. Please note that you will not be able to Disable the identity if the identity is the owner of certain objects. We have clients who we have helped automate the Disabling / Enabling of identities based off of the Lifecycle State.


Apologies, I should have phrased my question a bit better. I was wondering about an automated way of disabling identities, which I now notice on Colin’s edit as not possible and needing to be manual. :slight_smile:

Which of course utilises the undocumented / unsupported “https://{{tenant}}.api.identitynow.com/cc/api/user/enabled” API - which we are not meant to know/use :wink:.
Pity that’s not a supported workflow action …yet? :?

Yes, that’s correct. Currently there is only a CC API for disabling identities. However, v3 identity APIs are coming soon, and will include a disable command.
