New Capability: Management of Inactive Identities

kirby_fitch · March 3, 2025, 2:26pm

Hi @ktggks , sorry that I missed this message. You’re describing the purpose of the Inactive (short-term) identity state. Use that one until 180 days, and then move them to Inactive (long-term).

kirby_fitch · March 3, 2025, 2:28pm

Hi Dan,

You should be able to do that with Search by combining a query for attributes.identityState and having entitlements. Inactives are still included in certifications. Automated revocations continue to be processed.

ktggks · March 3, 2025, 5:21pm

Thanks for the response. We did update our Identity State to accommodate. We drop the identity profile after 190 days from the termination date so I’m not sure I see the benefit of moving to inactive (long-term) for 10 days. My comment was based on your presentation at Navigate with considerations to future changes to the Identity State. I guess it really matters on your definition of short-term vs long-term.

Madhurimapati · April 7, 2025, 3:41pm

Any idea when this will be availble for certifications?

chris-hogan · April 8, 2025, 12:01am

Hi Kirby,

What about a re-hire use case in which the driving attribute already existed on the identity prior to them entering an inactive-long-term state? Say for example, a contractor has a start date for a future contract already on their identity, then the contractor is terminated. Their authoritative record is never updated, as the future date was already entered - without identity processing, and no updates from the authoritative source, would a date driven LCS transform ever get triggered? Would aggregations themselves be sufficient to set off the transform?

Thanks

kirby_fitch · April 8, 2025, 12:22am

I’d recommend keeping your recently terminated identities in inactive (short-term) for some period after separation. These identities get refreshed to cover use cases like this one.

If you really valued precision, you could also look into time-based refresh. That lets you pick the exact date-time the identity is refreshed again.

adamslamena · April 25, 2025, 11:04am

This would be a very nice feature, as it could simplify some of the role assignment criteria for us

tysremi · May 21, 2025, 8:24am

Hi Kirby,

We notice that we cannot filter on inactive (short or long) owners in the filters for Entitlement/Roles/Access Profiles in the Admin console.
Is this expected behaviour?
No doc specifies that it would also remove them from other picklists other than the request center.

Not being able to select them there makes it difficult to bulk update them.

kirby_fitch · June 23, 2025, 4:33pm

Hi @tysremi - It’s true that that’s not currently supported. It would be best to vote on this idea!
https://ideas.sailpoint.com/ideas/GOV-I-4412

CC @PGookin

Topic		Replies	Views
Enhancement: Exclude Inactive Identities from Attribute Sync! Product News provisioning , identities , new-enhancement	13	1185	November 19, 2024
Quick start: management of inactive identities Video Library identity-security-cloud , developer-days-2024-isc , developer-days	0	707	March 25, 2024
New Capability: Delete Accounts on Termination via Lifecycle Management Product News identity-security-cloud , access-profiles , identity-profiles , lifecycle-management , new-capability	22	2029	October 21, 2025
Building Life Cycle States using Transforms ISC Community Knowledge Base transforms , identity-security-cloud , provisioning , lifecycle-management	0	445	September 27, 2024
New Capability: Remove All Access on Termination Product News identity-security-cloud , accounts , new-capability , sources , access-model	37	2593	November 7, 2025

New Capability: Management of Inactive Identities

Related topics