New Capability: Remove All Access on Termination

This enhancement is brought to you by Idea GOV-I-880

Description

We’ve made it easier to ensure that access is fully and automatically revoked when an identity is terminated, across all sources. This has been one of the top customer requests with 320+ votes in the Ideas Portal. The new enhancements reduce reliance on complex rules and manual updates, saving time and minimizing risk.

This post outlines the new capabilities available for Lifecycle State configuration, including access removal, smarter source selection, and auditing.

New Capabilities

Admins can now:

  • Choose “Remove All Access” when a user hits a termination state, revoking all requested and detected access.
  • Automatically bypass approval flows for access removal during termination.
  • Audit and trace access revocations tied to Lifecycle State changes.
  • Use a new out-of-the-box LCS for faster onboarding of new identity profiles.
  • Select “All Sources” for enable/disable account actions, ensuring new sources are automatically included.
  • Exclude specific sources from All Sources logic (e.g. skip Workday).

Problem

When a user is terminated, two critical things need to happen:

  1. Accounts must be disabled on all connected sources.
  2. Access must be removed across roles, access profiles, and entitlements.

Until now, these actions have been handled in a fragmented and largely manual way.

For account disablement, administrators configure Lifecycle States to define which sources should be included. However, as new sources are added over time, these configurations aren’t always updated, meaning some accounts may remain active after a user leaves.

For access removal, admins put significant effort into managing both requested and detected access. Some implement BeforeProvisioning rules to remove entitlements, while others use access certifications to review and revoke access after the fact—often introducing delays due to approval requirements.

While these methods are functional, they can be inconsistent and difficult to maintain at scale, potentially creating audit gaps and increasing risk exposure over time.

Solution

Admins can now configure Lifecycle States to automatically remove all access from terminated users without relying on rules or manual certifications. When “Remove All Access” is selected, the system will revoke all requested access items, including roles, access profiles, and entitlements, along with detected entitlements and associated access profiles. Approvals for these revocations are bypassed, ensuring fast and consistent deprovisioning. Access provisioned by the current Lifecycle State or birthright roles will not be removed.

This option can be found under:
Admin → Identity Management → Identity Profiles → [Select Identity Profile] → Lifecycle Management

We’ve also introduced a new All Sources option, allowing admins to enable or disable actions across all sources, including newly onboarded ones, without needing to update the configuration each time. Admins can exclude specific sources if needed, maintaining control while automating the bulk of the work.

In addition, admins can now select IdentityNow/ISC as a source when configuring account enablement and disablement.
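The coverage gap described in the Problem section (a source onboarded after the Lifecycle State was configured never gets a disable action) is easy to check for before switching to the new option. The following is an added example, not SailPoint code: the source and lifecycle-state records are constructed inline and loosely modelled on the ISC v3 `GET /v3/sources` and `GET /v3/identity-profiles/{id}/lifecycle-states` responses (`id`, `name`, `accountActions[].action`, `accountActions[].sourceIds`). The `allSources` and `excludeSourceIds` keys used to represent the new All Sources mode are an assumption for illustration, not documented API fields.

```python
"""Audit which sources a termination Lifecycle State's DISABLE action misses.

Added example, not SailPoint code. Record shapes are modelled on ISC v3 API
responses; the `allSources` / `excludeSourceIds` keys are an assumption used
here to represent the new All Sources option.
"""

# Constructed sample: four sources, one of them onboarded after the LCS was set up.
SOURCES = [
    {"id": "src-ad", "name": "Active Directory"},
    {"id": "src-workday", "name": "Workday"},      # authoritative HR source, deliberately skipped
    {"id": "src-entra", "name": "Entra ID"},
    {"id": "src-snow", "name": "ServiceNow"},      # onboarded later, never added to the LCS
]

# Legacy-style configuration: an explicit source list frozen at configuration time.
TERMINATED_EXPLICIT = {
    "name": "terminated",
    "accountActions": [
        {"action": "DISABLE", "sourceIds": ["src-ad", "src-entra"]},
    ],
}

# All Sources configuration with an exclusion (assumed representation).
TERMINATED_ALL_SOURCES = {
    "name": "terminated",
    "accountActions": [
        {"action": "DISABLE", "allSources": True, "excludeSourceIds": ["src-workday"]},
    ],
}


def disable_targets(lcs, sources):
    """Return the set of source ids the DISABLE action(s) of `lcs` will act on."""
    all_ids = {s["id"] for s in sources}
    targets = set()
    for action in lcs.get("accountActions", []):
        if action.get("action") != "DISABLE":
            continue
        if action.get("allSources"):
            # New mode: every source, including ones onboarded later, minus exclusions.
            targets |= all_ids - set(action.get("excludeSourceIds", []))
        else:
            # Legacy mode: only the sources listed when the LCS was configured.
            targets |= set(action.get("sourceIds", []))
    return targets


def uncovered_sources(lcs, sources, expected_exclusions=()):
    """Names of sources that keep an active account after termination and are
    not on the list of sources you intentionally leave alone."""
    covered = disable_targets(lcs, sources)
    skip = set(expected_exclusions)
    return sorted(
        s["name"] for s in sources if s["id"] not in covered and s["id"] not in skip
    )


if __name__ == "__main__":
    print("explicit list misses:", uncovered_sources(TERMINATED_EXPLICIT, SOURCES, {"src-workday"}))
    print("all sources misses:  ", uncovered_sources(TERMINATED_ALL_SOURCES, SOURCES, {"src-workday"}))
```

Run this against the real source list and the terminated state of each identity profile: any name printed for the explicit configuration is an account that will stay enabled after a leaver is processed, which is exactly what the All Sources option is meant to close.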

Who is affected?

All Identity Security Cloud customers.

Action Required

No immediate action is required. However, to take advantage of the new capabilities, we recommend reviewing your current Lifecycle State configurations under:

Admin → Identity Management → Identity Profiles → [Select Identity Profile] → Lifecycle Management

From there, you can:

  • Enable Remove All Access
  • Use the All Sources option for account disablement or enablement
  • Include IdentityNow as a selectable source

Important Dates

  • Beta Rollout: June 16, 2025
  • Sandbox Rollout: June 23, 2025
  • Production Rollout (All Customers): The week of June 30th

Sounds great - Is it possible to have exceptions for individual Entitlements on Sources?
Accounts in e.g. AD/Entra will have many apps that require some pre/post processing outside of SailPoint, so will require some group membership to be maintained, perhaps until a second post termination lifecycle state.

@sbuk1 To ensure access is not removed from specific sources, you’ll need to list the relevant Access Profiles in the Access Profile tab for those sources. When Remove All Access is set to true, entitlements that are part of Access Profiles listed in that tab will be excluded from removal.


Hi @NataliaYunusov - so are you saying “Remove ALL access” only removes entitlements and roles but NOT access profiles from a source?

This contradicts what’s mentioned in the solution section of the post

When “Remove All Access” is selected, the system will revoke all requested access items, including roles, access profiles, and entitlements, along with detected entitlements and associated access profiles.

Simply awesome announcement!


Shail, I believe Natalia just gave us a workaround in case we have a few entitlements to keep: just create an access profile for them and add it to the provisioning of the lifecycle state to exclude them from removal.

Example: I want terminated users to always keep 2 entitlements then I would create an Access Profile for them and add it to the “terminated” lifecycle state.


Thanks for the announcement and the great explanation as well :+1:


@TheOneAMSheriff is correct. “Remove All Access” removes all entitlements, Access Profiles, and Roles (except for birthright roles). If you need to make an exception and retain certain access, you must include the entitlements in an Access Profile and list that Access Profile in the Access Profile tab for the current lifecycle state.
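The rules spelled out in the Solution section and in Natalia's replies (revoke all requested and detected access, keep birthright roles and anything provisioned by the current lifecycle state, and keep entitlements that belong to an Access Profile listed on that state) can be dry-run before you flip the switch. The following is an added example, not SailPoint code: the item dictionaries (`type`, `id`, `detected`, `dirSynced`, `entitlements`) are a model invented here for illustration and do not mirror an ISC API schema. It also reports the directory-synced Entra entitlements from the later reply separately, since those removals are attempted but rejected by Entra ID.

```python
"""Dry run of the "Remove All Access" resolution as described in the thread.

Added example, not SailPoint code; the data model below is invented for
illustration and is not an ISC API schema.
"""

# Constructed sample: access held by an identity about to enter "terminated".
IDENTITY_ACCESS = [
    {"type": "role", "id": "Everyone"},                          # birthright role
    {"type": "role", "id": "Finance-Analyst"},                   # requested role
    {"type": "accessProfile", "id": "ERP-User"},                 # requested access profile
    {"type": "entitlement", "id": "AD:CN=VPN-Users", "detected": False},
    {"type": "entitlement", "id": "AD:CN=Legal-Hold", "detected": True},
    {"type": "entitlement", "id": "Entra:Legacy-App-Users", "detected": True, "dirSynced": True},
]

# Access Profiles listed on the "terminated" lifecycle state's Access Profile tab.
TERMINATED_LCS_ACCESS_PROFILES = [
    {"id": "Termination-Retain", "entitlements": ["AD:CN=Legal-Hold"]},
]

BIRTHRIGHT_ROLE_IDS = {"Everyone"}


def plan_removal(identity_access, lcs_access_profiles, birthright_role_ids):
    """Classify each access item as revoke / keep / attempt_will_fail.

    Rules taken from the post and replies:
      - requested roles, access profiles and entitlements, plus detected
        entitlements, are revoked with approvals bypassed;
      - birthright roles and access profiles listed on the current lifecycle
        state are kept, as are the entitlements those profiles contain;
      - directory-synced Entra entitlements are requested for removal, but
        Entra ID rejects the change, so they are reported on their own.
    """
    lcs_ap_ids = {ap["id"] for ap in lcs_access_profiles}
    protected_entitlements = {e for ap in lcs_access_profiles for e in ap["entitlements"]}
    plan = {"revoke": [], "keep": [], "attempt_will_fail": []}
    for item in identity_access:
        kind, ident = item["type"], item["id"]
        if kind == "role" and ident in birthright_role_ids:
            plan["keep"].append(ident)
        elif kind == "accessProfile" and ident in lcs_ap_ids:
            plan["keep"].append(ident)
        elif kind == "entitlement" and ident in protected_entitlements:
            plan["keep"].append(ident)
        elif kind == "entitlement" and item.get("dirSynced"):
            plan["attempt_will_fail"].append(ident)
        else:
            plan["revoke"].append(ident)
    return plan


if __name__ == "__main__":
    result = plan_removal(IDENTITY_ACCESS, TERMINATED_LCS_ACCESS_PROFILES, BIRTHRIGHT_ROLE_IDS)
    for bucket, items in result.items():
        print(f"{bucket}: {items}")
```

The `attempt_will_fail` bucket is the list to feed into an Entra ID Group Membership Filter (so those groups are never aggregated) or into a post-termination review, since the lifecycle state on its own will not clear them.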

Awesome ! looking forward to this !

I would have one question though: how does it work with Directory Synced entitlements?
So if we have an on-prem AD source and an Entra ID source that holds directory-synced entitlements, will ISC try to remove the dirSynced entitlements as well? Because that would throw a lot of errors.


Great question, @adamslamena

Directory synced entitlements will not be removed by the “Remove All Access” feature. While ISC will still attempt to remove them, Microsoft Entra ID does not allow dirSynced entitlements (those originating from on-prem AD) to be removed via API. So even though the removal request is made, the entitlements will remain unchanged.

To avoid this scenario, the Entra ID connector now supports a recent capability called Group Membership Filters, which lets you define the scope of group memberships to include during account aggregation. Using this can prevent dirSynced entitlements from being aggregated in the first place.
You can read more here:


Does this option address some of the challenges I have faced with termination cleanup?
1/ Is this an alternative for manage Account (disable) or Manage access (revoke access) or both?
2/ Does it disable all accounts linked to the identity? Or does it disable linked accounts that it is able to disable? Sometimes disable fails on an application.
3/ Does it remove access for remote entitlements or only entitlements that are obtained via the ISC access request channel? Example suppose user was assigned AD group membership directly in AD or Entra, will that be removed?
4/ Does it remove user from Role group membership that was assigned to the user directly not via the access request. That is Admin went to the Role and added the user as a member
5/ Does this revoke entitlements/access profiles that are listed as unrevokable or only the ones listed as revokable?