New Capability: Management of Inactive Identities

Hi Pinkey,

We had some trouble deploying the identityState attribute to FedRAMP and are working on that. We do try to keep our FedRAMP schedule lined up with the commercial schedule. Sorry for the wait! I’ll reply to this message again when it’s done!

1 Like

Hey y’all, updates on feature rollout!

Commercial (non-FedRAMP) tenants

  • We’ve rolled this out to the first two segments of production tenants.
  • We’re targeting a rollout to our largest and final segment of production tenants on Monday.
  • Check in Monday afternoon (US Central time) if you didn’t receive it yet.

FedRAMP tenants

  • We’re targeting a sandbox release as soon as we’re able. Sorry for the delay.

I know you’re all waiting for this feature. I’ll keep updating this thread. Thanks for your patience!

Also, tune in on Wednesday for a feature setup talk at Developer Days!

1 Like

Thoughts on the UI for the Home or “My SailPoint” dashboard, which has a My Team widget: the total number includes Inactive Identities. This will be a little misleading for a Manager who knows they only have 5 direct reports but sees 20 because of Identities that are Inactive.

Should the new widget only show the count of Active Identities on “My Team”?

Hi @ajtardio - good catch. This was an oversight on our part. I noticed it the other day and submitted a ticket to address it. @Tyler_Harman and team will resolve it soon!

1 Like

Thanks for this great enhancement.

Wanted to highlight some minor missing functionality. “Identity state” as an attribute is missing in the column chooser when we search for identities. While troubleshooting I was seeing inactive short-term identities in the request centre and wanted to confirm whether they were actually in that state or not, since a processing delay can cause this in the staging environment.

Search is an easy way to look for things faster instead of clicking through multiple identities on the identity screen.

On the Home page we are able to see the count of all the users, but once we click on My Team we see the count based on the active Identity state. Also, if we search for a user who is part of Inactive short-term or Inactive long-term, we are able to see the user details. Let us know if this is the expected behavior.

Thanks in advance.

In addition to the new attribute not being selectable as a column in search results, it also is not available when defining role criteria. I’m sure this is also an oversight, but I’d love to see that corrected.

What happens with attribute sync? Our HR team can be a bit slow in updating some of the attributes for ex-employees. I don’t want to mark our “Inactive” lifecycle as “Inactive long-term” if it will cause these identities not to receive attribute syncs. I think I should initially mark this as “inactive short-term” and then create a new lifecycle type for 90 days inactive for attribute sync. See below:

LC Name                     Setting
90 day inactive             Inactive (short-term)
Inactive (>90 day terms)    Inactive (long-term)

Thoughts?

Hi @chirag_patel,

Thanks for this. We’re aware it’s missing there. If you visit Identity Management > Identities, you are able to add Identity State as a column in that list.

Hi @PRIYANKALINGALA,

We’re expecting this to count just identities that are ACTIVE. Sorry for the oversight. We’re working to correct this.

CC @Tyler_Harman

Thanks, @johnepic. Good call-out. We’re looking into this one.

1 Like

Hi @kej01s, we haven’t implemented a filter yet on Attribute Sync but here’s how we’re going to do it:

Creating a two-step termination the way you propose would be a suitable solution to the problem. We wrote the specification with the intent you’d do it just like that!

Will you be looking at changing the color scheme on the headings (maybe make them the bright blue that the tabs show when they are highlighted) or making them larger so that they are more easily distinguishable? I find the new view hard to read. I do like the search attributes field. I would also like to be able to select the single/multiple view and have it stay as my preference rather than have only Single as the default.

I think this is feedback about the Identity Management UI rather than Inactive Identity Management. That’s OK, I know what you’re asking about!

Could you send us a screenshot (with drawing, highlighting, etc.) that shows us what UI elements you’re having a hard time reading?

I filed a ticket with the team for this one. CC @spencer_harder @willcashman

This work just wrapped up in a development environment. We’ll be rolling this out relatively soon.

1 Like

One area that we constantly run into issues with is terminated users that had roles assigned to them via a ServiceNow request. Without submitting requests by managers to remove the roles granted to the former user, the role gets ‘sticky’ and no matter what we do, they keep coming back. Is there any consideration, for either short-term or long-term, to have it wipe any roles assigned to the former user? This would make cleanup so much easier.

Here’s the revised Identity > Export report!

Hi Craig, I think it’d be great to do the following:

When identities move to INACTIVE_LONG_TERM, remove roles, access profiles, and entitlements that were requested.

Does this sound good to you?

Are there others in the community who would find this useful?

CC @PGookin @jennifer_mitchell @willcashman
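As an added illustration of the two-step termination scheme laid out by @kej01s above (the 90-day lifecycle table) and the INACTIVE_LONG_TERM cleanup proposed in this post, here is a small Python model; it is not SailPoint code and does not call any SailPoint API. The termination-date field, the constructed sample identities and the INACTIVE_SHORT_TERM state name are assumptions; ACTIVE and INACTIVE_LONG_TERM are the names used in the thread.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

LONG_TERM_AFTER_DAYS = 90  # the thread's proposed boundary between short- and long-term

@dataclass
class Identity:
    uid: str
    termination_date: Optional[date] = None  # None while still employed (constructed field)
    requested_access: list = field(default_factory=list)  # access granted via request (e.g. ServiceNow)

def lifecycle_state(identity: Identity, today: date) -> str:
    """Two-step termination: the first 90 days are short-term, beyond that long-term."""
    if identity.termination_date is None or identity.termination_date > today:
        return "active"
    days_inactive = (today - identity.termination_date).days
    # day 90 itself is still short-term; ">90 day" in the table means strictly more
    return "90 day inactive" if days_inactive <= LONG_TERM_AFTER_DAYS else "Inactive (>90 day terms)"

# Lifecycle state -> identityState, as in the thread's table (INACTIVE_SHORT_TERM is an assumed name).
LIFECYCLE_TO_IDENTITY_STATE = {
    "active": "ACTIVE",
    "90 day inactive": "INACTIVE_SHORT_TERM",
    "Inactive (>90 day terms)": "INACTIVE_LONG_TERM",
}

def evaluate(identity: Identity, today: date) -> dict:
    lc = lifecycle_state(identity, today)
    state = LIFECYCLE_TO_IDENTITY_STATE[lc]
    return {
        "lifecycle": lc,
        "identityState": state,
        # short-term still receives HR attribute syncs, so late HR updates still land
        "attribute_sync": state != "INACTIVE_LONG_TERM",
        # requested access is removed only once the identity is long-term inactive
        "revoke_requested_access": list(identity.requested_access) if state == "INACTIVE_LONG_TERM" else [],
    }

def sample_evaluations(today: date = date(2024, 6, 30)) -> dict:
    """Constructed sample population; results keyed by uid."""
    people = [
        Identity("alice"),                                                  # still employed
        Identity("bob", date(2024, 7, 15)),                                 # termination scheduled in the future
        Identity("carol", date(2024, 4, 30), ["snow-requested-role"]),      # 61 days inactive
        Identity("dave", date(2024, 4, 1), ["snow-requested-role"]),        # exactly 90 days
        Identity("erin", date(2024, 1, 1), ["snow-requested-role", "ent-x"]),  # 181 days
    ]
    return {p.uid: evaluate(p, today) for p in people}
```

Running `sample_evaluations()` shows the boundary cases: a future-dated termination stays ACTIVE, day 90 is still short-term with attribute sync on, and only the long-term identity has its requested access queued for removal.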

Yes! This would be a great enhancement for my organization as well.

1 Like

Exactly! Especially since we assign some roles through ServiceNow API calls, and unless we open a ticket to remove the roles, they get stuck there.

1 Like