Oh ok, I’ll try it then.
Thank you very much.
This is great news and easy to implement. What does not occur is the auto-disable of the identity in ISC. I didn’t see this on the roadmap for future use of this feature. Will it be added?
I see lukas_ceremeta mentioned this in April. Just wanted to know if this is on the roadmap.
Thanks much.
Hi @RArroyo I’ve got that ticket accounted for on my internal roadmap. Do you think it’d be appropriate to disable the ISC account both when the identity enters INACTIVE_SHORT_TERM and INACTIVE_LONG_TERM?
For our use it would be INACTIVE_LONG_TERM, however, for those using it for leave of absence, I could see INACTIVE_SHORT_TERM status as well disabling the ISC account.
Great feature if the INACTIVE_LONG_TERM also would disable the ISC-account itself.
However, currently we have deployed the INACTIVE_SHORT_TERM state on the ISC-admin accounts, so that they won’t appear in any drop down lists when end-users request access etc. (We only want to show the regular end-user accounts).
So if disabling the ISC-accounts in the INACTIVE_SHORT_TERM would disable the admin accounts as well, then another solution for hiding the admin accounts in drop downs etc. would have to be provided, since this is quite important for a good user experience and making it easy for our end-users (since our admins have dual accounts and end-users might pick the wrong one to order access to).
Alternately, only disabling the ISC-account in the INACTIVE_LONG_TERM would work, but the best solution would be to inactivate the ISC-accounts as fast as possible after a leave (but not disabling the admin accounts).
Are “Inactive (Short term)” or “Inactive (long term)” identities considered unlicensed? How is the licensing cost calculated each time a user’s LCS changes?
Thanks!
Thanks for sharing your goal. I recommend moving your ISC Admin accounts back to Active. There’s too much risk leaving them in that state should we add new features that further restrict INACTIVE_SHORT_TERM.
If we receive enough support from the community, we could consider hiding active segments of identities from lists.
Use of this feature does not impact licensing at this time.
Hi @kirby_fitch
Is this feature still in the works?
YES! We’ll be rolling this out soon. Watch for release notes!
Attribute Sync will be skipped for Inactive (long-term) identities except when explicitly requested via an individual identity attribute sync (/beta/identities/:identityId/synchronize-attributes).
The updated filtering table will follow these rules.
Area | Active | Inactive (short-term) | Inactive (long-term) |
---|---|---|---|
Identity Picklists in Request Center | Included | Excluded | Excluded |
My Team UI for Managers | Included | Excluded | Excluded |
Scheduled Processing | Included | Included | Excluded |
Apply Changes on Roles, Access Profiles, and Apps UIs | Included | Included | Excluded |
Apply Changes on Identity Profiles UI | Included | Included | Included |
Attribute Sync | Included | Included | Excluded |
Processing for Select Identities | Included | Included | Included |
Identity Attribution Promotion after Accounts Updated in Aggregations | Included | Included | Included |
Is there a reason not to integrate the table in the official documentation? (e.g. on the page Setting Up Lifecycle States - SailPoint Identity Services )
I find the overview useful, but I couldn’t find it in the documentation linked from the ISC product, and scrolling through so many comments is tedious.
Hi Andrei! I work on the documentation for identities states. I plan on either adding a link to the table/graphic or including it in the docs in some form. Thank you for your feedback!
@kirby_fitch - it would be great to add supporting the filtering in picklists for governance groups.
Hi, I would like to check when this feature will be extended to other areas. Can you share a tentative timeline?
@adunker, sorry, we must have missed that one. We’re taking up a work item to default this exclusion rule on all identity pickers. We’re making one exception for manual account correlation in the accounts UI. There, I think it makes sense to continue allowing inactives to be selected. Do you agree? Any other places you’d like to see an exception?
Hi Uday,
We’ve just expanded it to include attribute sync. Work to expand to AI modeling is in progress. I’m not able to speak to timelines for other areas. These other areas do remain a priority. Hope that helps!
CC @alec1 @SarahKhan
With Attribute Sync being excluded for inactive (long-term) users, is there a way we could force attribute sync to inactive users if needed?
I’ve provided your options here:
Hey Kirby! Great presentation at Navigate on this. Looks like this broke our termination process. We have a 180 day account retention process after someone leaves the company. Much of that process is reliant on attribute sync. Have you considered a Medium Identity State which would allow attribute sync but removes them from everything else?