What problem are you observing?
If a user has a deactivated okta account and you call /v3/access-requests
to Revoke the Okta group (entitlement), then ISC does the following
- Re-activate Okta account
- Revoke Okta group (entitlement)
- Re-deactivate Okta account
This causes a whole range of issues, as re-activating the account can cause application and group assignments to kick in, and provisioning tasks from okta to endpoint systems
What is the correct behavior?
Remove Okta groups/entitlements without re-activating the account.
What product feature is this related to?
ISC Okta connector
What are the steps to reproduce the issue?
- Create an identity with an Okta account
- Ensure Okta account has groups assigned
- Deactivate Okta account
- Aggregate Okta account, so information in ISC is current
- Call
/v3/access-requests
to Revoke Okta entitlements - Observe logs in Okta for this account.
Do you have any other information about your environment that may help?
N/A